[OE-core] [Openembedded-architecture] Does YP provide security support for stable and LTS branches?
Rich Persaud
persaur at gmail.com
Mon Mar 9 10:01:21 UTC 2020
On Mar 9, 2020, at 03:45, Ayoub Zaki <ayoub.zaki at embexus.com> wrote:
>> Nothing to discuss in public.
>>
>>> This
>>> has been the situation from the start of the project, certainly this was
>>> the case 5 years ago when I joined it, and the only person ever to make an
>>> issue out of it is you. Everyone else seems to understand the deal they're
>>> getting by using Yocto without a commercial support contract.
>>> ...
>> You are saying that 'track and fix CVEs' is on users.
>> Let's check what YP is telling users.
>>
>> Click on the "Is Yocto Project for you?" link on the YP frontpage:
>>
>> https://www.yoctoproject.org/is-yocto-project-for-you/
>> 13. Yocto Project follows a strict release schedule incorporating
>> security patches in all supported releases. This predictability is
>> crucial for projects that are based on Yocto Project and allows the
>> development teams to plan their activities. Developers can choose which
>> Yocto Project branch on which to base their activities as a function of
>> their needs. The development branch will ensure access to the latest
>> features while the stable branches will reduce the pace of changes. CVEs
>> (common vulnerabilities and exposures) issues are supported for the
>> latest 2 releases.
>
>
> Adrian is making a point here. The Yocto Project, by claiming that it supports security patches for stable releases, is misleading the users!
>
> I work with different customers and some of them think that by using and pulling the latest releases they will get the CVEs automatically fixed!
>
> YP should state that CLEARLY! Of course it will impact the choice of going with Yocto or not (probably NOT in this case).
Would the Yocto mailing list [1] be a good venue to reach the maintainers of the Yocto website? There are now a handful of OE-arch / OE-core threads on this topic, which could be consolidated into a single thread on the Yocto list, where participants can act on recommendations.
Rich
[1] https://lists.yoctoproject.org/g/yocto