[OE-core] [RFC][PATCH 1/2] nss: Move to meta-oe

Adrian Bunk bunk at stusta.de
Wed Mar 4 09:05:07 UTC 2020


On Thu, Feb 27, 2020 at 03:03:18PM +0100, Alexander Kanavin wrote:
> On Thu, 27 Feb 2020 at 14:28, Adrian Bunk <bunk at stusta.de> wrote:
> 
> > >...
> >
> > It is a crypto library with a history of unfixed CVEs in supported
> > stable Yocto releases.
> >
> 
> If the issue is unfixed CVEs, then I do not think it's particularly
> relevant which layer the recipe is in. Stable release maintainers are not
> expected to 'track and fix CVEs', that one is on users.

Yesterday's LTS announcement makes it clear that the Yocto project does
provide regular security updates for supported stable branches:

<--  snip  -->

Yocto Project releases are usually maintained for one year.
Beyond this period, releases move to community support, which means
they only receive occasional patches for critical defects and updates,
and no regular defect fixes and security updates.

<--  snip  -->


> Alex

cu
Adrian

