On 10/20/23 5:49 AM, Richard Purdie wrote:
On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote:
While working on multiple aspects of security processes, one question
comes back frequently: which are the layers we support with those
processes? This has an impact on the number of SECURITY.md files I will be
submitting, on configuring any CVE synchronization work, etc.
The YP download page offers a download of poky. Neither the release
documentation
https://docs.yoctoproject.org/migration-guides/index.html#release-information
nor the Release page (https://wiki.yoctoproject.org/wiki/Releases)
exactly lists the layers covered.
Is it poky only? Poky + meta-openembedded? With some BSP layers?
This has a general impact, because I assume that layers maintained
"externally" might have different security contacts, for example.
Do we have that documented somewhere so that we can reference it in the
security documentation?
It will be for the layer maintainers to decide what to do about this
file. From the Yocto Project perspective, we should cover bitbake,
meta-yocto, openembedded-core (done) and yocto-docs.
Looking over https://git.yoctoproject.org/ we should add one to
meta-mingw as a tested layer. I've asked that meta-gplv2 move to other layers.
We should probably mention this issue to the other layer maintainers,
maybe on the architecture list and perhaps also open a bug to make
SECURITY.md a requirement for Yocto Project Compatible status?
Why? My layers only have upstream components. I would just tell an
individual to go to the upstream source and deal with those maintainers.
I bring no value being in the middle.
- armin
We should also add it to some of the code/tools repositories, in
particular:
auto-upgrade-helper, buildhistory-web, error-report-web,
git-refinery-web, layerindex-web, pseudo, psplash, ptest-runner2,
update-rc.d, swatbot, yocto-autobuilder-helper, yocto-autobuilder2.
If we're happy with the test in OE-Core, I can update several of these
to make the work a little easier?
We should email the maintainers for opkg/opkg-utils as well (opkg
mailing list).
Cheers,
Richard