[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

Alexander Kanavin alex.kanavin at gmail.com
Sun Mar 8 22:08:08 UTC 2020


On Sun, 8 Mar 2020 at 22:46, Adrian Bunk <bunk at stusta.de> wrote:

> It is on YP to make it clear to users whether or not Yocto comes with
> the same set of security guarantees as distributions like Ubuntu or
> Debian.
> If it is the duty of every user of Yocto to track and fix CVEs,
> then this has to be stated clearly instead of implying the opposite.
> This gives users the opportunity to mitigate, instead of unknowingly
> shipping insecure products.
>

Do you have any actual evidence for actual users shipping insecure products
because they mistakenly believe Yocto takes care of security for them? This
has been the situation from the start of the project, certainly this was
the case 5 years ago when I joined it, and the only person ever to make an
issue out of it is you. Everyone else seems to understand the deal they're
getting by using Yocto without a commercial support contract.

Yes, there are millions of insecure Yocto-based devices out there, but
the reasons they are insecure have nothing to do with what you say.

Alex