[OE-core] Does YP provide security support for stable and LTS branches?

Adrian Bunk bunk at stusta.de
Wed Mar 4 14:01:09 UTC 2020


On Wed, Mar 04, 2020 at 01:13:19PM +0100, Alexander Kanavin wrote:
> On Wed, 4 Mar 2020 at 12:32, Adrian Bunk <bunk at stusta.de> wrote:
> 
> > I am sure there will be an update to the announcement if this doesn't
> > reflect current reality.
> 
> Who is expected to do the actual work of tracking CVEs, making action
> points and performing the actions? The current reality is this: the
> security update work is done ad hoc by community, even for stable branches.
> There is no rigorous security process like in Debian, and no roles to
> follow in that process. This means that if no one bothers to make a patch,
> the security issue will remain unfixed, and this does happen often. If you
> are expecting anything else (e.g. that listed recipe maintainers should do
> something), you're setting yourself up to be disappointed.

All I am expecting is honesty.

If YP does not provide security support for supported stable branches, 
then public statements that community support would be worse than stable 
branches due to lack of security support are dishonest and offensive.

It also puts all users of Yocto stable and LTS releases and billions of 
devices at danger if the Yocto project announces security support but 
does not deliver.

The normal user expects that the announced "usual defect fixes and 
updates for the extended period of two years" in LTS include the regular 
security updates that were claimed for stable branches earlier in the 
same announcement.

For cases where I am the user the only benefit of going through the pain 
of upgrading existing products from older releases to Yocto 3.1 would be 
2 years of security support from upstream. Doing the upgrade and only 
discovering afterwards that it doesn't bring the benefit that was 
promised would make me <unprintable>.

Let me repeat that the only thing I am expecting is honesty,
and all I am asking for is that if YP does not provide security
support for stable and LTS branches this should be communicated
clearly so that all users are aware.

> Alex

cu
Adrian
