[OE-core] [PATCH RFC CFH][sumo 00/47] CVE check backport

Adrian Bunk bunk at stusta.de
Thu Nov 7 14:47:52 UTC 2019 

On Thu, Nov 07, 2019 at 12:13:51PM +0000, Mikko.Rapeli at bmw.de wrote:
> Hi,

Hi Mikko,

> On Thu, Nov 07, 2019 at 01:13:32PM +0200, Adrian Bunk wrote:
> > On Wed, Nov 06, 2019 at 05:37:15PM +0200, Mikko Rapeli wrote:
> > > Hi,
> > 
> > Hi Mikko,
> > 
> > >...
> > > I use sumo and due to various reasons like BSP layers, binary
> > > compatibility, contracts etc can't update to newer release
> > > or to master branch. I suspect I'm not alone.
> > 
> > I might end up with similar reasons, but for warrior.
> > And might end up doing similar longer term updates for warrior.
> > (not yet 100% certain)
> 
> I'm skipping warrior but going to zeus in addition to sumo. After
> insipiration from Yocto Project Summit I hope to run master branch
> in some projects with regular updates, and eventually aligning to
> some stable release again. Hopefully an LTS one :)

everyone is currently running projects on different releases.

Let's hope LTS will happen, and that with a properly communicated LTS 
schedule most distributions and users will switch to the LTS releases
just like what happened with Ubuntu.

> > >...
> > > The tooling will expose that sumo is severely lacking in security
> > > patches, but the tooling is a start for anyone interested, like me,
> > > to fill the gaps and publish patches for bitbake recipes we care
> > > about.
> > >...
> > 
> > Thud is officially still community maintained, as long as this is true
> > the point could be made that everything that gets fixed in sumo should
> > also get fixed in thud.
> 
> So to keep sumo alive, we should the also keep zeus, warrior and thud, and
> of course master branch first. For some issues this actually works when
> the exact same CVE patch applies, but the open question then is testing.
>...

When a branch is EOL it is documented to be dead.

But upgrading to a more recent non-EOL branch, e.g. sumo to thud,
should not result in losing (security) fixes.

The root problem is that "community support" for a stable branch in 
practice often means "no support".

If sumo is supported but thud is not, this should at least be made 
visible to users.

> -Mikko

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

More information about the Openembedded-core mailing list