[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

akuster808 akuster808 at gmail.com
Wed Mar 4 20:26:29 UTC 2020


Adrian,


On 3/4/20 9:24 AM, Adrian Bunk wrote:
> On Wed, Mar 04, 2020 at 05:00:44PM +0100, Alexander Kanavin wrote:
>> Taking offense or getting angry at the yocto project is entirely
>> misdirected.
> I am not angry if YP does not provide security support.
>
> I am angry when YP is telling lies that it would provide security 
> support, but does not actually provide it.

 I am sure it's not the intent of the Yocto Project to mislead folks.

>
>> The liability for insecure millions of devices does not lie
>> with the yocto project, it lies with the OEMs.
>> ...
> The liability for insecure millions of devices lies 100% with the Yocto 
> Project if it claims to provide security support but does not actually 
> provide it.
>
> If a user has to decide today whether an upcoming product will run
> Ubuntu 20.04 LTS or Yocto 3.1 LTS, then it should be clear to the
> user whether or not choosing Yocto will provide upstream security 
> support the same way as Ubuntu.
>
> A user reading the YP LTS announcement expects security support similar 
> to what Ubuntu is offering, and might only notice that this isn't true 
> after a known vulnerability gets exploited on millions of devices.
I didn't get that out of the announcement. Its only reference in the LTS
announcement regarding security was in the context of community support.

The new LTS / Stable process wiki does not make such claims either.

https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS

>
> If security support for YP stable and LTS releases is only on a
> community support basis and usually incomplete, then it is on YP
> to make that clear to all users instead of claiming the opposite - in 
> other projects LTS does include security support, sometimes only 
> security fixes are permitted.

Can you point out where those statements are made? Again, I am sure the
Yocto Project would like to know.

>
> This could be combined with a call for help for security support,
> an advantage of being honest would be that it becomes visible for
> users that there is a resource shortage.
There are weekly status reports and minutes from various meetings that
include the attendees list. The attendees list has not grown. The build
SWAT team was shut down as no one stepped up to help. That was an
opportunity for the community to step up.

There is a request for help regarding defects sent out every week, and if
it weren't for Wind River, Intel, Joshua Watt and Richard the open defects
would go unchecked.

So the resource issue has been floating around on the various mailing
lists for some time. What do you think needs to be done to make it even
more visible?

regards,
armin
>
>> Alex
> cu
> Adrian
> _______________________________________________
> Openembedded-architecture mailing list
> Openembedded-architecture at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-architecture
