On Fri, 2023-10-20 at 11:25 -0400, akuster808 wrote:
>
> On 10/20/23 5:49 AM, Richard Purdie wrote:
> > On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote:
> > > While working on multiple aspects of security processes, one question
> > > comes back frequently: which are the layers we support with those
> > > processes? This has impact on the number of SECURITY.md I will be
> > > submitting, of configuring any CVE synchronization work etc.
> > >
> > > The YP download page offers a download of poky. Neither the release
> > > documentation
> > > https://docs.yoctoproject.org/migration-guides/index.html#release-information
> > > nor the Release page (https://wiki.yoctoproject.org/wiki/Releases)
> > > exactly lists the layers covered.
> > >
> > > Is it poky only? Poky + meta-openembedded? With some BSP layers?
> > >
> > > This has a general impact, because I assume that layers maintained
> > > "externally" might have different security contacts, for example.
> > >
> > > Do we have that documented somewhere so that we can reference in the
> > > security documentation?
> > It will be for the layer maintainers to decide what to do about this
> > file. From the Yocto Project perspective, we should cover bitbake,
> > meta-yocto, openembedded-core (done) and yocto-docs.
> >
> > Looking over https://git.yoctoproject.org/ we should add one to
> > meta-mingw as a tested layer. I've asked meta-gplv2 move to other layers.
> >
> > We should probably mention this issue to the other layer maintainers,
> > maybe on the architecture list and perhaps also open a bug to make
> > SECURITY.md a requirement for Yocto Project Compatible status?
>
> Why? My layers only have upstream components. I would just tell an
> individual to go to the upstream source and deal with those maintainers.
> I bring no value being in the middle.

Your layers always have every component up to date with latest upstream
releases? I can imagine reasons why someone may need to report a
security issue to the maintainer...

Cheers,

Richard
