On 20 Oct 2023, at 16:25, Armin Kuster via lists.yoctoproject.org <[email protected]> wrote:
>> We should probably mention this issue to the other layer maintainers,
>> maybe on the architecture list and perhaps also open a bug to make
>> SECURITY.md a requirement for Yocto Project Compatible status?
> Why? My layers only have upstream components. I would just tell an individual
> to go to the upstream source and deal with those maintainers. I bring no
> value being in the middle.
That’s not quite true. You could have patched a security-critical library with what you thought was an innocent patch and inadvertently created a massive security flaw. This is nothing to do with upstream and entirely the layer’s responsibility.

Ross
View/Reply Online (#1800): https://lists.openembedded.org/g/openembedded-architecture/message/1800
