Hi Alex,
On 14.01.2022 at 20:58, Alexander Kanavin wrote:
> On Fri, 14 Jan 2022 at 20:38, Stefan Herbrechtsmeier
> <[email protected]> wrote:
>> Do you really think YP should switch to a distributed approach? Don't
>> Log4Shell, 'colors' and 'faker' show the disadvantages of this
>> approach?
>
> Once again, the world has decided that bundling dependencies is the way
> to build software. That ship has sailed, and we simply don't have the
> manpower or the influence to change this.

Do they have a choice?

This could also be an opportunity to promote OE as a build system for
docker images with all the OE advantages and full control over the
dependencies.

Does this mean that we no longer try to remove bundled dependencies from
C/C++ projects?

> What would help is support in the tools for a manifest which would
> - protect you from rogue upstreams by locking down and locally caching
> source trees
> - generate a useful SBOM that will tell exactly where log4j is being
> pulled in, and at which version, should another critical vulnerability hit.
>
> The recipe meanwhile would be simple, short and sweet: it only needs the
> checksum for the source tree and a checksum for the licensing, and we
> would put the trust into the upstream tooling that it correctly verifies
> the checksums.

This means a total change of the OE philosophy and tooling, because you
change from central to distributed management and from static to dynamic
metadata.

> Like we already do by trusting git provided by the build
> host for instance.

Do you really compare a program shipped by a distribution with a project
in your dependency chain managed by an unknown person or nobody?

I think we have both made clear that we have different options. Any
opinions from a TSC member would be helpful because you propose
fundamental changes.
Regards
Stefan
View/Reply Online (#1424):
https://lists.openembedded.org/g/openembedded-architecture/message/1424