[oe] samba-essential upgrade or remove?
Koen Kooi
k.kooi at student.utwente.nl
Mon Mar 15 09:30:32 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15-03-10 08:46, Holger Hans Peter Freyther wrote:
> On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:
>
>> Do we feel we have that responsibility?
>>
>> I didn't feel that sentiment when it came to removing other legacy
>> recipes (some of which definitely also will have security issues).
>> E.g. for openssl we have
>> openssl_0.9.7e.bb
>> openssl_0.9.7g.bb
>> openssl_0.9.7m.bb
>> openssl_0.9.8g.bb
>> openssl_0.9.8m.bb
>> I'm pretty certain the last one will fix some vulnerabilities present
>> in the first one.
>
> Well you are comparing two different things here. One is having the _default_
> of a recipe with known security issues, and one is keeping old non default
> recipes with security issues.
>
> If a distro maker decides to use an ancient version of OpenSSL it was his
> choice, if he just typed bitbake foo-image and he has a vulnerable daemon
> waiting to be owned in his default image... the story is a bit different.
>
> I think we have at least three options on how to deal with it:
>
> 1.) Put a big fat warning on Openembedded.org saying it should not be used for
> users that have network connectivity or might put a SDcard/Storage with
> content on a device as we don't care about fixing vulnerable software.
>
> 2.) Adopt a policy of addressing vulnerabilities in our defaults right away..
>
> 3.) Remove recipes for vulnerable software when no one is updating them in
> time... This can be combined with option 2...
I don't think 1) is a realistic option, if we go with that, we should
just redirect oe.org to buildroot.org and go home.
I my vote goes to 2) and I like 3) as well.
regards,
Koen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFLnf44MkyGM64RGpERAmzaAKCp0hTPChpWBSA+ZNOu4EONro5SdACggdvk
i1RVEm4+eqwaPItxFiYzE9Q=
=2RGA
-----END PGP SIGNATURE-----
More information about the Openembedded-devel
mailing list