[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

Richard Purdie richard.purdie at linuxfoundation.org
Mon Mar 9 12:45:36 UTC 2020


On Mon, 2020-03-09 at 08:29 +0100, Ayoub Zaki wrote:
> On 09.03.20 01:23, Adrian Bunk wrote:
> > On Sun, Mar 08, 2020 at 11:08:08PM +0100, Alexander Kanavin wrote:
> > > On Sun, 8 Mar 2020 at 22:46, Adrian Bunk <bunk at stusta.de> wrote:
> > https://www.yoctoproject.org/is-yocto-project-for-you/
> > 13. Yocto Project follows a strict release schedule incorporating
> > security patches in all supported releases. This predictability is
> > crucial for projects that are based on Yocto Project and allows the
> > development teams to plan their activities. Developers can choose
> > which Yocto Project branch on which to base their activities as a
> > function of their needs. The development branch will ensure access
> > to the latest features while the stable branches will reduce the
> > pace of changes. CVEs (common vulnerabilities and exposures) issues
> > are supported for the latest 2 releases.
> 
> Adrian is making a point here: the Yocto Project, by claiming that it
> supports security patches for stable releases, is misleading the
> users!
> 
> I work with different customers and some of them think that by using
> and pulling the latest releases they will get the CVEs automatically
> fixed!

If you use our latest codebase then you get the latest upstream
versions and hence, yes, you get the fixes. It does depend on what
"latest" means in the context of your comments above.

For the stable series we're putting in a commitment to review and
include CVE fixes which are submitted to us. We have a pretty good
track record of having them submitted and included.

That said, we cannot write a guarantee that all CVE fixes will be
included; we're an open source project, not a company with an
engineering team or a project with the scale of, say, Debian.

> YP should state that CLEARLY! Of course it will impact the choice of
> going with Yocto or not (probably NOT in this case).

I agree we have to set realistic expectations, not entirely sure how to
do that but hope the above clarifies whilst we try and update the
docs/web pages and so on.

Cheers,

Richard
