[OE-core] [RFC][PATCH 1/2] nss: Move to meta-oe
Alexander Kanavin
alex.kanavin at gmail.com
Wed Mar 4 09:36:52 UTC 2020
You are misinterpreting the announcement. The security updates are provided
by users as patches to the mailing list, maintainers merely collect and
integrate them. There is no promise from the project to do anything else,
and LTS doesn’t change that, it only extends the maintainer duty from one
year to two. Moving a recipe in or out of core does not fundamentally
change how much attention it gets w.r.t. security fixes.
Alex
On Wed 4. Mar 2020 at 10.05, Adrian Bunk <bunk at stusta.de> wrote:
> On Thu, Feb 27, 2020 at 03:03:18PM +0100, Alexander Kanavin wrote:
> > On Thu, 27 Feb 2020 at 14:28, Adrian Bunk <bunk at stusta.de> wrote:
> >
> > > >...
> > >
> > > It is a crypto library with a history of unfixed CVEs in supported
> > > stable Yocto releases.
> > >
> >
> > If the issue is unfixed CVEs, then I do not think it's particularly
> > relevant which layer the recipe is in. Stable release maintainers are not
> > expected to 'track and fix CVEs', that one is on users.
>
> Yesterdays LTS announcement makes it clear that the Yocto project does
> provide regular security updates for supported stable branches:
>
> <-- snip -->
>
> Yocto Project releases are usually maintained for one year.
> Beyond this period, releases move to community support, which means
> they only receive occasional patches for critical defects and updates,
> and no regular defect fixes and security updates.
>
> <-- snip -->
>
>
> > Alex
>
> cu
> Adrian
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20200304/eea3767d/attachment-0001.html>
More information about the Openembedded-core
mailing list