[OE-core] [PATCH RFC CFH][sumo 00/47] CVE check backport

Mikko.Rapeli at bmw.de Mikko.Rapeli at bmw.de
Thu Nov 7 12:13:51 UTC 2019


Hi,

On Thu, Nov 07, 2019 at 01:13:32PM +0200, Adrian Bunk wrote:
> On Wed, Nov 06, 2019 at 05:37:15PM +0200, Mikko Rapeli wrote:
> > Hi,
> 
> Hi Mikko,
> 
> >...
> > I use sumo and due to various reasons like BSP layers, binary
> > compatibility, contracts etc can't update to newer release
> > or to master branch. I suspect I'm not alone.
> 
> I might end up with similar reasons, but for warrior.
> And might end up doing similar longer term updates for warrior.
> (not yet 100% certain)

I'm skipping warrior but going to zeus in addition to sumo. After
inspiration from Yocto Project Summit I hope to run master branch
in some projects with regular updates, and eventually aligning to
some stable release again. Hopefully an LTS one :)

> >...
> > The tooling will expose that sumo is severely lacking in security
> > patches, but the tooling is a start for anyone interested, like me,
> > to fill the gaps and publish patches for bitbake recipes we care
> > about.
> >...
> 
> Thud is officially still community maintained, as long as this is true
> the point could be made that everything that gets fixed in sumo should
> also get fixed in thud.

So to keep sumo alive, we should then also keep zeus, warrior and thud, and
of course master branch first. For some issues this actually works when
the exact same CVE patch applies, but the open question then is testing.

How should a developer test a patch before submitting it, or multiple versions
of it?

I'm testing in the project tree with CI and target tests, then compile testing on
master. qemu ptest runs would be nice but I'm not sure how to get a stable or useful
test set for various branches.

To make things more complicated, the project trees sadly contain more backports, fixes
and workarounds which are not suitable for upstreaming into stable or even master
branches.

-Mikko
