[oe] samba-essential upgrade or remove?
Holger Hans Peter Freyther
holger+oe at freyther.de
Mon Mar 15 07:46:33 UTC 2010
On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:
> Do we feel we have that responsibility?
>
> I didn't feel that sentiment when it came to removing other legacy
> recipes (some of which definitely also will have security issues).
> E.g. for openssl we have
> openssl_0.9.7e.bb
> openssl_0.9.7g.bb
> openssl_0.9.7m.bb
> openssl_0.9.8g.bb
> openssl_0.9.8m.bb
> I'm pretty certain the last one will fix some vulnerabilities present
> in the first one.
Well, you are comparing two different things here. One is having the _default_
of a recipe with known security issues, and the other is keeping old, non-default
recipes with security issues.
If a distro maker decides to use an ancient version of OpenSSL, it was his
choice; if he just typed bitbake foo-image and has a vulnerable daemon
waiting to be owned in his default image... the story is a bit different.
I think we have at least three options on how to deal with it:
1.) Put a big fat warning on Openembedded.org saying it should not be used by
users that have network connectivity or might put an SD card/storage with
content on a device, as we don't care about fixing vulnerable software.
2.) Adopt a policy of addressing vulnerabilities in our defaults right away.
3.) Remove recipes for vulnerable software when no one is updating them in
time... This can be combined with option 2...
z.