On Thu, Oct 24, 2019 at 11:52:13PM +0100, Richard Purdie wrote:
>...
> The Yocto Project TSC believes one of the things needed for YP and for
> OE is more information being pulled together about how an LTS release
> could work.
>...

Did anyone already bring up the idea of piggy-backing security support
from a different distribution?

The currently suggested schedule would have Yocto LTS releases perfectly
aligned with Ubuntu LTS releases, and for many security-relevant
packages like kernel/glibc/bind/systemd/openssl/... 5 years of security
support are provided in Ubuntu.[1]

Feature freeze for Ubuntu 20.04 is at the end of February.

Giving preference to "same version as in Ubuntu" over "latest upstream
version" when upgrading packages for Yocto 3.1 would make it easier to
take security fixes directly from Ubuntu.

Note that this might not make sense for all recipes, e.g. Ubuntu tends
to use non-LTS kernels in its LTS releases so what kernel to ship in
Yocto LTS releases would still have to be discussed.

It might not be popular when someone's upgrade submission gets rejected
when the package in Debian (and therefore in Ubuntu) has not yet been
updated, but that might be required in some cases.

Piggy-backing security support from Ubuntu would require defining right
now a list of recipes that have frequent CVEs, have 5 years support in
Ubuntu, and where Yocto 3.1 should provide the same upstream version as
Ubuntu 20.04. And then run automated checks on that in oe-core master-next,
as well as teaching AUH about it.

This would be more work before the release, but it would make security
support easier afterwards.

> Cheers,
>
> Richard
> [on behalf of the YP TSC]
cu
Adrian
[1] not all packages in Ubuntu have 5 years support
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
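
The automated check proposed in the message above, sketched as an added example (not part of the original e-mail and not oe-core or AUH code): it compares the PV in recipe file names with the upstream part of an Ubuntu package version. The tracked list, all version strings and the function names are constructed for illustration and are not actual Ubuntu 20.04 data.

```python
import re

# Constructed sample data: tracked recipes mapped to a Debian/Ubuntu-style
# package version string ([epoch:]upstream[-revision]).
UBUNTU_VERSIONS = {
    "openssl": "1.1.1d-2ubuntu1",
    "glibc": "2.30-0ubuntu2",
    "bind": "1:9.11.5.P4+dfsg-5.1ubuntu2",
}
# Constructed recipe file names in the PN_PV.bb form.
RECIPE_FILES = ["openssl_1.1.1d.bb", "glibc_2.31.bb", "busybox_1.31.0.bb"]


def upstream_version(deb_version):
    """Reduce [epoch:]upstream[-revision] to the upstream version."""
    version = deb_version.split(":", 1)[-1]       # drop the epoch
    if "-" in version:
        version = version.rsplit("-", 1)[0]       # drop the Debian revision
    # Drop a repack suffix such as +dfsg or +ds1 added by the packager.
    return re.sub(r"[+~](dfsg|ds)[.\d]*$", "", version)


def parse_recipe(filename):
    """Split 'PN_PV.bb' into (PN, PV); None if the name has another form."""
    m = re.fullmatch(r"(?P<pn>[^_]+)_(?P<pv>.+)\.bb", filename)
    return (m["pn"], m["pv"]) if m else None


def check_alignment(recipe_files, ubuntu_versions):
    """Return {PN: (recipe PV or None, Ubuntu upstream version)} for every
    tracked recipe that is missing or not at the Ubuntu upstream version."""
    found = dict(filter(None, map(parse_recipe, recipe_files)))
    report = {}
    for pn, deb_version in sorted(ubuntu_versions.items()):
        want = upstream_version(deb_version)
        have = found.get(pn)                      # None: no such recipe
        if have != want:
            report[pn] = (have, want)
    return report


if __name__ == "__main__":
    for pn, (have, want) in check_alignment(RECIPE_FILES, UBUNTU_VERSIONS).items():
        print(f"{pn}: recipe has {have}, tracked Ubuntu upstream is {want}")
```

Recipes outside the tracked list (busybox here) are ignored, so upgrades to them are not blocked by the check.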