[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

Adrian Bunk bunk at stusta.de
Fri Mar 6 10:04:22 UTC 2020


On Wed, Mar 04, 2020 at 12:26:29PM -0800, akuster808 wrote:
...
> On 3/4/20 9:24 AM, Adrian Bunk wrote:
...
> > This could be combined with a call for help for security support,
> > an advantage of being honest would be that it becomes visible for
> > users that there is a resource shortage.
> There are weekly status reports and minutes from various meetings that
> include the attendees list.  The attendees list has not grown. The build
> swat team was shut down as no one stepped up to help. That was an
> opportunity for the community to step up.

Yocto is set up as a B2B project providing a basis for embedded products,
your "community" are mainly companies.

The "build everything yourself" niche for non-embedded is already
occupied by Gentoo.

For most community companies there is no clear Return on Investment
if they were to use the opportunity to invest in upstream involvement.

> There is a request for help regarding defects sent out every week and if
> it wasn't for WindRiver, Intel, Joshua Watt and Richard the open defects
> would go unchecked.
>
> So the resource issue has been floating around on the various mailing
> lists for some time. What do you think needs to be done to make it even
> more visible?
>...

You are confusing developers with users.

Developers are following development discussions.

Users who are being paid for building a product based on Yocto
read the user information at https://www.yoctoproject.org/
especially the great manuals written by Scott.

Development discussions are mostly irrelevant for users.

To make a non-Yocto example:
I am using Ubuntu LTS on my laptop.
The security support provided by Canonical is essential for me,
and as part of the community I am using their bugtracker in rare
cases where I have problems.
I have neither time nor interest in following upstream discussions
regarding development of future Ubuntu releases.

>...
> >> The liability for insecure millions of devices does not lie
> >> with the yocto project, it lies with the OEMs.
> >> ...
> > The liability for insecure millions of devices lies 100% with the Yocto 
> > Project if it claims to provide security support but does not actually 
> > provide it.
> >
> > If a user has to decide today whether an upcoming product will run
> > Ubuntu 20.04 LTS or Yocto 3.1 LTS, then it should be clear to the
> > user whether or not choosing Yocto will provide upstream security 
> > support the same way as Ubuntu.
> >
> > A user reading the YP LTS announcement expects security support similar 
> > to what Ubuntu is offering, and might only notice that this isn't true 
> > after a known vulnerability gets exploited on millions of devices.
> I didn't get that out of the announcement. Its only reference in the LTS
> announcement regarding Security was in context to Community support.
>...

The wording is "releases move to community support, which means they 
only receive occasional patches for critical defects and updates,
and no regular defect fixes and security updates".

When the move to community support means no regular security updates,
this is a clear claim from YP that before the move there are regular
security updates.

YP then claims for LTS that "These components will now receive the usual 
defect fixes and updates for the extended period of two years."

When YP states "A very important criterion for evaluating and adopting
a software platform is support." the one kind of support that really 
matters for users of long term support releases is security support.
This is the baseline users expect from anything called LTS,
and the main reason why users want to use LTS releases.

If YP does not want to be responsible for insecure millions of devices,
it is up to YP to not make incorrect claims and make it clear in
announcements and user documentation if security support is not
provided by YP.

This allows users to mitigate by allocating resources for security
support of their products, instead of unknowingly shipping millions
of insecure devices.

It would also allow YP to develop offers for community companies to pool 
smaller contributions together - 50 companies each paying 2k per year 
for pooled security support is cheaper for them than each of them 
locally providing the same security support.

cu
Adrian