[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

Rich Persaud persaur at gmail.com
Mon Mar 9 10:01:21 UTC 2020



On Mar 9, 2020, at 03:45, Ayoub Zaki <ayoub.zaki at embexus.com> wrote:
>> Nothing to discuss in public.
>> 
>>> This
>>> has been the situation from the start of the project, certainly this was
>>> the case 5 years ago when I joined it, and the only person ever to make an
>>> issue out of it is you. Everyone else seems to understand the deal they're
>>> getting by using Yocto without a commercial support contract.
>>> ...
>> You are saying that 'track and fix CVEs' is on users.
>> Let's check what YP is telling users.
>> 
>> Click on the "Is Yocto Project for you?" link on the YP frontpage:
>> 
>> https://www.yoctoproject.org/is-yocto-project-for-you/
>> 13. Yocto Project follows a strict release schedule incorporating
>> security patches in all supported releases. This predictability is
>> crucial for projects that are based on Yocto Project and allows the
>> development teams to plan their activities. Developers can choose which
>> Yocto Project branch on which to base their activities as a function of
>> their needs. The development branch will ensure access to the latest
>> features while the stable branches will reduce the pace of changes. CVEs
>> (common vulnerabilities and exposures) issues are supported for the
>> latest 2 releases.
> 
> 
> Adrian is making a point here. The Yocto Project, by claiming that it supports security patches for stable releases, is misleading the users!
> 
> I work with different customers and some of them think that by using and pulling the latest releases they will get the CVEs automatically fixed!
> 
> YP should state that CLEARLY! Of course it will impact the choice of going with Yocto or not (probably NOT in this case).

Would the Yocto mailing list [1] be a good venue to reach the maintainers of the Yocto website? There are now a handful of OE-arch / OE-core threads on this topic, which could be consolidated into a single thread on the Yocto list, where participants can act on recommendations.

Rich

[1] https://lists.yoctoproject.org/g/yocto
