[OE-core] Does YP provide security support for stable and LTS branches?

[Alexander Kanavin]

Taking offense or getting angry at the yocto project is entirely
misdirected. The liability for insecure millions of devices does not lie
with the yocto project, it lies with the OEMs. If the OEMs are unwilling to
allocate manpower to work on security, there’s very little the yocto
project can do. We are already struggling to find people to work on actual
bugs, and there’s simply no manpower to do security properly. Still, stable
releases *are* much better than community supported ones, they do get a lot
of CVEs and bugs fixed, all I wanted to say is that the exhaustive process
to fix everything that could be insecure is not there.

Alex

On Wed 4. Mar 2020 at 15.01, Adrian Bunk <bunk at stusta.de> wrote:

> On Wed, Mar 04, 2020 at 01:13:19PM +0100, Alexander Kanavin wrote:
> > On Wed, 4 Mar 2020 at 12:32, Adrian Bunk <bunk at stusta.de> wrote:
> >
> > > I am sure there will be an update to the announcement if this doesn't
> > > reflect current reality.
> >
> > Who is expected to do the actual work of tracking CVEs, making action
> > points and performing the actions? The current reality is this: the
> > security update work is done ad hoc by community, even for stable
> branches.
> > There is no rigorous security process like in Debian, and no roles to
> > follow in that process. This means that if no one bothers to make a
> patch,
> > the security issue will remain unfixed, and this does happen often. If
> you
> > are expecting anything else (e.g. that listed recipe maintainers should
> do
> > something), you're setting yourself up to be disappointed.
>
> All I am expecting is honesty.
>
> If YP does not provide security support for supported stable branches,
> then public statements that community support would be worse than stable
> branches due to lack of security support are dishonest and offensive.
>
> It also puts all users of Yocto stable and LTS releases and billions of
> devices at danger if the Yocto project announces security support but
> does not deliver.
>
> The normal user expects that that the announced "usual defect fixes and
> updates for the extended period of two years" in LTS include the regular
> security updates that were claimed for stable branches earlier in the
> same announcement.
>
> For cases where I am the user the only benefit of going through the pain
> of upgrading existing products from older releases to Yocto 3.1 would be
> 2 years of security support from upstream. Doing the upgrade and only
> discovering afterwards that it doesn't bring the benefit that was
> promised would make me <unprintable>.
>
> Let me repeat that the only thing I am expecting is honesty,
> and all I am asking for is that if YP does not provide security
> support for stable and LTS branches this should be communicated
> clearly so that all users are aware.
>
> > Alex
>
> cu
> Adrian
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20200304/517a2d5b/attachment.html>