[OE-core] [RFC] [PATCH] Provide users with project support status

Adrian Bunk bunk at stusta.de
Sat Nov 2 21:10:30 UTC 2019


On Sat, Nov 02, 2019 at 04:54:37PM +0100, Alexander Kanavin wrote:
> On Sat, 2 Nov 2019 at 16:30, Adrian Bunk <bunk at stusta.de> wrote:
> 
> > The easiest way to get long-term security support in such a situation
> > is often to take the required parts from the BSP layer, and use them
> > to build the product on top of Ubuntu LTS (or Debian).
> 
> There is an alternative: engineer the product in such a way that it can be
> updated from one Yocto release to a newer Yocto release.
> This is what I will be pushing for where I work (Daimler).

This is surely desirable but it can only reduce the pain when upgrading,
not make upgrading painless.

Don't let anyone use the gpsd client libraries directly or use the gpsd
functionality to send data over the network - these often bring breaking
changes in new Yocto versions.

"async" becoming a keyword in Python 3.7 broke plenty of existing code and
similar breakages might happen in the future, so Python cannot be made
available in such a product.

Do not use glibc in your product, it can happen that some obscure
corner case was made more standards-compliant - and one of your
users was relying on exactly the old behaviour.

These are just some of the real-life examples I have seen in the
past 12 months, and these are only cases of intentional upstream
changes - there is also some amount of regressions that are just bugs.

> > The core question should really be how to increase the time of upstream
> > support that is usually left when a Yocto-based distribution reaches the
> > user, not just how to tell users that they are screwed.
> 
> I'd say information about YP support windows should be more widely known,
> both because it is useful in itself, and because maybe the users will talk
> with their company management and with the project, and figure out 
> ways to improve the situation.

What is actually the minimum investment for that?

Six digit sums are small change for companies like Daimler,
but that's a huge amount of money for all the small companies
with a two digit number of employees making embedded products
that just happen to use Yocto.

Yocto lacks a setup where small companies could contribute with
four digit amounts to shared efforts like 5 years of LTS support.

Otherwise the only improvement available is often "don't use Yocto".

> Alex

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


