[OE-core] [RFC][PATCH 1/2] nss: Move to meta-oe
Adrian Bunk
bunk at stusta.de
Wed Mar 4 09:05:07 UTC 2020
On Thu, Feb 27, 2020 at 03:03:18PM +0100, Alexander Kanavin wrote:
> On Thu, 27 Feb 2020 at 14:28, Adrian Bunk <bunk at stusta.de> wrote:
>
> > >...
> >
> > It is a crypto library with a history of unfixed CVEs in supported
> > stable Yocto releases.
> >
>
> If the issue is unfixed CVEs, then I do not think it's particularly
> relevant which layer the recipe is in. Stable release maintainers are not
> expected to 'track and fix CVEs', that one is on users.
Yesterday's LTS announcement makes it clear that the Yocto project does
provide regular security updates for supported stable branches:
<-- snip -->
Yocto Project releases are usually maintained for one year.
Beyond this period, releases move to community support, which means
they only receive occasional patches for critical defects and updates,
and no regular defect fixes and security updates.
<-- snip -->
> Alex
cu
Adrian