[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

Alexander Kanavin alex.kanavin at gmail.com
Mon Mar 9 09:53:07 UTC 2020


The intent is to say that security patches are eligible for inclusion into
stable release updates (while e.g. version updates are not). If the wording
is vague, it can be improved. I tend to agree that there has to be a more
clear message that users must set up their own security process or pay
someone to do it (especially considering that most products involve a lot
more 3rd party layers and not just oe-core). Some of the fixing work can be
reused from upstream but there is no promise that it covers everything.

Alex

On Mon 9. Mar 2020 at 8.45, Ayoub Zaki <ayoub.zaki at embexus.com> wrote:

> Hello,
>
> On 09.03.20 01:23, Adrian Bunk wrote:
> > On Sun, Mar 08, 2020 at 11:08:08PM +0100, Alexander Kanavin wrote:
> >> On Sun, 8 Mar 2020 at 22:46, Adrian Bunk <bunk at stusta.de> wrote:
> >>
> >>> It is on YP to make it clear to users whether or not Yocto comes with
> >>> the same set of security guarantees as distributions like Ubuntu or
> >>> Debian.
> >>> If it is the duty of every user of Yocto to track and fix CVEs,
> >>> then this has to be stated clearly instead of implying the opposite.
> >>> This gives users the opportunity to mitigate, instead of unknowingly
> >>> shipping insecure products.
> >>>
> >> Do you have any actual evidence for actual users shipping insecure products
> >> because they mistakenly believe Yocto takes care of security for them?
> > Nothing to discuss in public.
> >
> >> This
> >> has been the situation from the start of the project, certainly this was
> >> the case 5 years ago when I joined it, and the only person ever to make an
> >> issue out of it is you. Everyone else seems to understand the deal they're
> >> getting by using Yocto without a commercial support contract.
> >> ...
> > You are saying that 'track and fix CVEs' is on users.
> > Let's check what YP is telling users.
> >
> > Click on the "Is Yocto Project for you?" link on the YP frontpage:
> >
> > https://www.yoctoproject.org/is-yocto-project-for-you/
> > 13. Yocto Project follows a strict release schedule incorporating
> > security patches in all supported releases. This predictability is
> > crucial for projects that are based on Yocto Project and allows the
> > development teams to plan their activities. Developers can choose which
> > Yocto Project branch on which to base their activities as a function of
> > their needs. The development branch will ensure access to the latest
> > features while the stable branches will reduce the pace of changes. CVEs
> > (common vulnerabilities and exposures) issues are supported for the
> > latest 2 releases.
>
>
> Adrian is making a point here. The Yocto Project, by claiming that it
> supports security patches for stable releases, is misleading the users!
>
> I work with different customers and some of them think that by using and
> pulling the latest releases they will get the CVEs automatically fixed!
>
> YP should state that CLEARLY! Of course it will impact the choice of
> going with Yocto or not (probably NOT in this case).
>
> >
> >
> >> Alex
> > cu
> > Adrian
>
> Kind regards
>
> --
> Ayoub Zaki
> Embedded Systems Consultant
>
> Vaihinger Straße 2/1
> D-71634 Ludwigsburg
>
>
> Mobile   : +4917662901545
> Email    : ayoub.zaki at embexus.com
> Homepage : https://embexus.com
> VAT No.  : DE313902634
>