[OE-core] [PATCH 6/7] webkitgtk: update to 2.10.7

Alexander Kanavin alexander.kanavin at linux.intel.com
Thu Feb 25 13:55:32 UTC 2016


On 02/24/2016 07:19 PM, akuster808 wrote:

> Many vulnerability notifications will make the same statements.
>
> Updating a package that other packages depend on can cause a cascading
> set of failures. Now you have a bigger set of problems to contend with.

I don't think the possibility of failures is a bigger problem than the 
certainty of having to backport a huge number of CVE fixes within a 
codebase that you don't understand.

Many of those are not a matter of cherry-picking the right patch; they 
require actual webkit expertise, because the code has changed too much 
in the meantime. Also, each webkit build takes hours, which slows things 
down even more. Do you have the resources for all of that?

> From the commercial side you just can't move your install base to the
> latest package versions for every security issue. The Yocto maintenance
> policy operates very close to this too.

I think you need to make an exception for webkit, and explain this to 
your customers.

Alex
