On 10/25/19 5:04 AM, Adrian Bunk wrote:
> On Thu, Oct 24, 2019 at 11:52:13PM +0100, Richard Purdie wrote:
>> ...
>> The Yocto Project TSC believes one of the things needed for YP and for
>> OE is more information being pulled together about how an LTS release
>> could work.
>> ...
>
> Did anyone already bring up the idea of piggy-backing security support
> from a different distribution?
>
> The currently suggested schedule would have Yocto LTS releases perfectly
> aligned with Ubuntu LTS releases, and for many security-relevant
> packages like kernel/glibc/bind/systemd/openssl/... 5 years of security
> support are provided in Ubuntu.[1]
>
> Feature freeze for Ubuntu 20.04 is at the end of February.
>
> Giving preference to "same version as in Ubuntu" over "latest upstream
> version" when upgrading packages for Yocto 3.1 would make it easier to
> take security fixes directly from Ubuntu.
In my experience this won't really reduce any burden. The majority of the work
done is the integration (and testing).
The creation of the patches is already being done by others (original upstream,
other OSVs... and only as a last resort would we need to do it ourselves. To be clear,
the longer we go, the more likely we would have to do it ourselves.)
If this becomes the process, and there is a team that can manage this work -- it
may put us, as a group, on the footing to join the oss-security vendor list.
This list usually gives a 1-14 day lead on some of the more complex security
issues. (It rarely goes over 14 days.)
--Mark
> Note that this might not make sense for all recipes, e.g. Ubuntu tends
> to use non-LTS kernels in its LTS releases so what kernel to ship in
> Yocto LTS releases would still have to be discussed.
>
> It might not be popular when someone's upgrade submission gets rejected
> when the package in Debian (and therefore in Ubuntu) has not yet been
> updated, but that might be required in some cases.
>
> Piggy-backing security support from Ubuntu would require defining right
> now a list of recipes that have frequent CVEs, have 5 years support in
> Ubuntu, and where Yocto 3.1 should provide the same upstream version as
> Ubuntu 20.04. And then run automated checks on that in oe-core master-next,
> as well as teaching AUH about it.
>
> This would be more work before the release, but it would make security
> support easier afterwards.
>
>> Cheers,
>>
>> Richard
>> [on behalf of the YP TSC]
>
> cu
> Adrian
>
> [1] not all packages in Ubuntu have 5 years support
>
_______________________________________________
Openembedded-architecture mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-architecture
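One shape the "automated checks in oe-core master-next" idea from the thread could take, as an added example that is neither code from the thread nor part of oe-core or AUH: a small script that reads the version out of each BitBake recipe file name (`<PN>_<PV>.bb`) and compares it against a pinned "track the same upstream version as the Ubuntu LTS" list, reporting recipes that drifted and pinned recipes that are missing from the tree. The pin list and the recipe file names below are constructed placeholders for the demonstration, not the real Ubuntu 20.04 package versions.

```python
"""Flag oe-core recipes whose version drifted from a pinned "same as Ubuntu" list.

Added example; the pinned versions and recipe names are constructed placeholders.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# BitBake recipe files are named <PN>_<PV>.bb.  Recipes without a version in
# the file name (e.g. packagegroups) and .bbappend files do not match and are
# skipped by the check.
_RECIPE_RE = re.compile(r"^(?P<pn>[A-Za-z0-9.+-]+?)_(?P<pv>[^_/]+)\.bb$")

# Constructed pin list: recipe name -> upstream version the LTS is meant to
# track.  Placeholder values only; look up the real Ubuntu LTS versions
# before using this for anything.
PINNED_VERSIONS: Dict[str, str] = {
    "openssl": "1.1.1d",
    "glibc": "2.31",
    "bind": "9.11.16",
    "systemd": "244",
    "linux-yocto": "5.4",
}

# Constructed list of recipe files standing in for a scan of an oe-core tree.
SAMPLE_RECIPE_FILES: List[str] = [
    "meta/recipes-connectivity/openssl/openssl_1.1.1d.bb",
    "meta/recipes-core/glibc/glibc_2.31.bb",
    "meta/recipes-connectivity/bind/bind_9.16.1.bb",
    "meta/recipes-core/systemd/systemd_244.bb",
    "meta/recipes-core/packagegroups/packagegroup-core-boot.bb",
    "meta-foo/recipes-connectivity/openssl/openssl_%.bbappend",
]


def parse_recipe_filename(filename: str) -> Optional[Tuple[str, str]]:
    """Return (PN, PV) for a versioned .bb file name, or None if it has no version."""
    m = _RECIPE_RE.match(Path(filename).name)
    if not m:
        return None
    return m.group("pn"), m.group("pv")


def check_recipes(recipe_files: Iterable[str], pins: Dict[str, str]) -> Dict[str, object]:
    """Compare every pinned recipe against the versions found in the tree.

    A pin is satisfied if any recipe file for that PN carries the expected PV
    (oe-core sometimes keeps more than one version of a recipe side by side).
    """
    found: Dict[str, set] = {}
    for path in recipe_files:
        parsed = parse_recipe_filename(path)
        if parsed is None:
            continue
        pn, pv = parsed
        if pn in pins:
            found.setdefault(pn, set()).add(pv)

    ok: List[str] = []
    missing: List[str] = []
    mismatch: Dict[str, Tuple[List[str], str]] = {}
    for pn, expected in sorted(pins.items()):
        versions = found.get(pn)
        if not versions:
            missing.append(pn)           # pinned, but no recipe in the tree
        elif expected in versions:
            ok.append(pn)
        else:
            mismatch[pn] = (sorted(versions), expected)  # version drifted
    return {"ok": ok, "missing": missing, "mismatch": mismatch}


def scan_tree(root: str) -> List[str]:
    """Collect all .bb files under a layer or oe-core checkout."""
    return [str(p) for p in Path(root).rglob("*.bb")]


if __name__ == "__main__":
    files = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECIPE_FILES
    report = check_recipes(files, PINNED_VERSIONS)
    for pn, (have, want) in report["mismatch"].items():
        print(f"DRIFT   {pn}: tree has {', '.join(have)}, pin expects {want}")
    for pn in report["missing"]:
        print(f"MISSING {pn}: pinned but no recipe found")
    print(f"OK      {', '.join(report['ok'])}")
    # Non-zero exit lets a master-next CI job fail on drift.
    sys.exit(1 if report["mismatch"] else 0)
```

Run it with no arguments to see the constructed sample (bind is reported as drifted, linux-yocto as missing), or pass the path of a checkout to scan real recipe file names. Only the file name is consulted, so recipes that set PV inside the .bb (for example `git` recipes with `PV = "1.0+git${SRCPV}"`) would need a BitBake-side lookup instead.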