[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Paul Eggleton paul.eggleton at linux.intel.com
Tue Jun 20 09:30:43 UTC 2017


On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
> On 2017-06-19 09:05 AM, Mark Hatle wrote:
> > It would be reasonable to write up a 'best practices' type document. 
> > Explaining that simply due to the nature of building many of these things
> > will be 'leaked' and where some of them are leaked through.  (Package
> > generation, compilation, etc for instance.)
> 
> That sounds reasonable, although, TBH, if someone is adding credentials
> to their SRC_URIs, I would expect that a best practice would be ignored.
>  Perhaps adding a detection routine that emitted a warning during
> parsing for credentials in the SRC_URI might be warranted?  Thoughts?

This might be useful yes. I think the stumbling block is that at the moment we
would have to have it off by default and then the user is almost certainly not
going to know to turn it on. Perhaps this is another thing that we might check 
in a "production" vs. "development" mode where the user can easily switch to
the former to enable a set of more stringent checks.

FWIW it's not quite the same thing but some of what you might want to do when
moving to production is described in this section of the manual (which, full
disclosure, I had a hand in writing):

  http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
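The thread floats a parse-time check that warns when a SRC_URI carries credentials. The following is an added, illustrative sketch of such a check in Python (BitBake's language); it is not BitBake or OE-Core code, and the warning wording, the `check_src_uri` / `find_credential_issues` names, and the list of "secret-looking" parameter names are assumptions made for this example. It flags userinfo in the URL authority (`user:pass@host`) and any fetcher option or query parameter whose name suggests a secret, and redacts the URL in the message so the warning itself does not leak what it found.

```python
"""Hypothetical parse-time check for credentials embedded in SRC_URI.

Illustrative example only; not part of BitBake or OE-Core. The parameter-name
heuristic and the message format are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secret-bearing (constructed heuristic; "user" is
# deliberately absent, since a bare username is reported via the URL authority).
SECRET_PARAM_RE = re.compile(r"(pass|pswd|pwd|token|secret)", re.IGNORECASE)


def split_src_uri(src_uri):
    """SRC_URI is whitespace-separated; each entry is url[;opt=val;...]."""
    return [entry for entry in src_uri.split() if entry]


def redact(url):
    """Reduce a URL to scheme://host/path so warnings never echo a secret."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]  # drop any userinfo before '@'
    return f"{parts.scheme}://{host}{parts.path}"


def find_credential_issues(entry):
    """Return human-readable issues found in one SRC_URI entry."""
    url, *opts = entry.split(";")
    issues = []
    parts = urlsplit(url)
    if parts.username is not None:
        if parts.password is not None:
            issues.append("embedded username and password in URL authority")
        else:
            issues.append("embedded username in URL authority")
    # Names of BitBake-style fetcher options (after ';') and URL query params.
    names = [opt.split("=", 1)[0] for opt in opts if "=" in opt]
    names += [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    for name in names:
        if SECRET_PARAM_RE.search(name):
            issues.append(f"secret-looking parameter '{name}'")
    return issues


def check_src_uri(src_uri):
    """Return a list of warning strings; an empty list means nothing found."""
    warnings = []
    for entry in split_src_uri(src_uri):
        url = entry.split(";", 1)[0]
        for issue in find_credential_issues(entry):
            warnings.append(f"SRC_URI entry {redact(url)}: {issue}")
    return warnings


if __name__ == "__main__":
    # Constructed sample recipe values; the hosts and secrets are made up.
    samples = {
        "clean": "https://example.com/pkg-1.0.tar.gz;name=pkg",
        "userinfo": "git://alice:s3cret@example.com/repo.git;protocol=https;branch=main",
        "query-token": "https://example.com/file.tar.gz?token=abc123",
    }
    for label, value in samples.items():
        for warning in check_src_uri(value) or [f"{label}: no issue"]:
            print(warning)
```

In a real implementation this would run from a parse-time hook (a `bb.warn`, or an error in a stricter "production" mode as the reply suggests), but the detection logic is independent of where it is hooked in.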


