[oe] samba-essential upgrade or remove?

Frans Meulenbroeks fransmeulenbroeks at gmail.com
Mon Mar 15 09:51:33 UTC 2010


2010/3/15 Koen Kooi <k.kooi at student.utwente.nl>:
> On 15-03-10 08:46, Holger Hans Peter Freyther wrote:
>>
>> I think we have at least three options on how to deal with it:
>>
>> 1.) Put a big fat warning on Openembedded.org saying it should not be used for
>> users that have network connectivity or might put a SDcard/Storage with
>> content on a device as we don't care about fixing vulnerable software.
>>
>> 2.) Adopt a policy of addressing vulnerabilities in our defaults right away..
>>
>> 3.) Remove recipes for vulnerable software when no one is updating them in
>> time... This can be combined with option 2...
>
> I don't think 1) is a realistic option, if we go with that, we should
> just redirect oe.org to buildroot.org and go home.

Why is it not realistic?
Lots of driver code I get from commercial vendors contains statements like
"this is sample code only, not intended for use in products, proceed
at own risk, bla bla bla".

And frankly speaking I doubt that we have the resources to actually
make sure that we fix all known security vulnerabilities shortly after
a fix becomes available.

So a +1 for having a warning on the OE website. Actually I would
suggest repeating the message on the getting started page
(http://wiki.openembedded.net/index.php/Getting_Started)

(and of course each distro can decide on their own whether they want
to have such a warning on their website or not).

Frans

>
> My vote goes to 2) and I like 3) as well.
>
> regards,
>
> Koen
