On 10/25/19 3:04 AM, Adrian Bunk wrote:
> On Thu, Oct 24, 2019 at 11:52:13PM +0100, Richard Purdie wrote:
>> ...
>> The Yocto Project TSC believes one of the things needed for YP and for
>> OE is more information being pulled together about how an LTS release
>> could work.
>> ...
> Did anyone already bring up the idea of piggy-backing security support
> from a different distribution?
Is this just taking patches from Ubuntu and getting them applied to the
recipes or something else?
>
> The currently suggested schedule would have Yocto LTS releases perfectly
> aligned with Ubuntu LTS releases, and for many security-relevant
> packages like kernel/glibc/bind/systemd/openssl/... 5 years of security
> support are provided in Ubuntu.[1]
>
> Feature freeze for Ubuntu 20.04 is at the end of February.
>
> Giving preference to "same version as in Ubuntu" over "latest upstream
> version" when upgrading packages for Yocto 3.1 would make it easier to
> take security fixes directly from Ubuntu.
Why not just use meta-debian? Wouldn't OE/YP just become another Debian
derivative?
>
> Note that this might not make sense for all recipes, e.g. Ubuntu tends
> to use non-LTS kernels in its LTS releases so what kernel to ship in
> Yocto LTS releases would still have to be discussed.
>
> It might not be popular when someone's upgrade submission gets rejected
> when the package in Debian (and therefore in Ubuntu) has not yet been
> updated, but that might be required in some cases.
>
> Piggy-backing security support from Ubuntu would require to define right
> now a list of recipes that have frequent CVEs, have 5 years support in
> Ubuntu, and where Yocto 3.1 should provide the same upstream version as
> Ubuntu 20.04.
Are you suggesting OE/YP to align package versions with Ubuntu?
> And then run automated checks on that in oe-core master-next,
> as well as teaching AUH about it.
Who would do that work?
- Armin
>
> This would be more work before the release, but it would make security
> support easier afterwards.
>
>> Cheers,
>>
>> Richard
>> [on behalf of the YP TSC]
> cu
> Adrian
>
> [1] not all packages in Ubuntu have 5 years support
>
_______________________________________________
Openembedded-architecture mailing list
http://lists.openembedded.org/mailman/listinfo/openembedded-architecture