On 10/26/19 12:45 PM, Adrian Bunk wrote:
> On Fri, Oct 25, 2019 at 07:51:27AM -0700, akuster808 wrote:
>> On 10/25/19 3:04 AM, Adrian Bunk wrote:
>> ...
>>> Did anyone already bring up the idea of piggy-backing security support
>>> from a different distribution?
>> Is this just taking patches from Ubuntu and getting them applied to the
>> recipes or something else?
> Yes, that's what it is.
>
>> ...
>>> Giving preference to "same version as in Ubuntu" over "latest upstream
>>> version" when upgrading packages for Yocto 3.1 would make it easier to
>>> take security fixes directly from Ubuntu.
>> Why not just use meta-debian? Wouldn't OE/YP just become another Debian
>> derivative?
> Debian/Ubuntu and Yocto are very different distributions with differing
> use cases.
>
> In any case Yocto and Ubuntu are already somehow similar in the software
> they ship since the release dates are always quite nearby.
>
>> ...
>>> Piggy-backing security support from Ubuntu would require to define right
>>> now a list of recipes that have frequent CVEs, have 5 years support in
>>> Ubuntu, and where Yocto 3.1 should provide the same upstream version as
>>> Ubuntu 20.04.
>> Are you suggesting OE/YP to align package versions with ubuntu?
> Exactly.

Sounds like a good topic for OEDEM.

>
>>> And then run automated checks on that in oe-core master-next,
>>> as well as teaching AUH about it.
>> Who would do that work?
> Who will provide LTS security support for several years?

The proposal did not go into such specifics. We just used the currently defined Stable process as the starting point. So my best guess would be by the same folks who are doing it now, "The Community". The hope is, since there is an LTS supported branch, more folks would be willing to send in their patches. We are also hoping more companies aligned to this release, thereby growing the potential pool of participants.

On the Yocto Project 3.1 planning doc that was sent to the mailing lists last week, there is a section regarding Security. You are welcome to join the planning meetings and contribute your ideas.

>
> My suggestion is about doing work now for reducing the maintenance
> work later.

That may be a good topic to discuss outside of this LTS proposal. We can still have an LTS program without that and if the YP/OE decide that is the direction we should go, then the LTS program is a logical benefactor.

- Armin

>
>> - Armin
> cu
> Adrian
