On 10/20/23 05:49, Richard Purdie via lists.openembedded.org wrote:
> On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote:
> > While working on multiple aspects of security processes, one question
> > comes back frequently: which are the layers we support with those
> > processes? This has an impact on the number of SECURITY.md files I will be
> > submitting, on configuring any CVE synchronization work, etc.
> >
> > The YP download page offers a download of poky. Neither the release
> > documentation
> > https://docs.yoctoproject.org/migration-guides/index.html#release-information
> > nor the Release page (https://wiki.yoctoproject.org/wiki/Releases)
> > exactly lists the layers covered.
> >
> > Is it poky only? Poky + meta-openembedded? With some BSP layers?
> >
> > This has a general impact, because I assume that layers maintained
> > "externally" might have different security contacts, for example.
> >
> > Do we have that documented somewhere so that we can reference it in the
> > security documentation?
>
> It will be for the layer maintainers to decide what to do about this
> file. From the Yocto Project perspective, we should cover bitbake,
> meta-yocto, openembedded-core (done) and yocto-docs.
>
> Looking over https://git.yoctoproject.org/ we should add one to
> meta-mingw as a tested layer. I've asked meta-gplv2 to move to other layers.
>
> We should probably mention this issue to the other layer maintainers,
> maybe on the architecture list, and perhaps also open a bug to make
> SECURITY.md a requirement for Yocto Project Compatible status?
>
> We should also add it to some of the code/tools repositories, in
> particular:
>
> auto-upgrade-helper, buildhistory-web, error-report-web, git-refinery-web,
> layerindex-web, pseudo, psplash, ptest-runner2, update-rc.d,
> swatbot, yocto-autobuilder-helper, yocto-autobuilder2.
>
> If we're happy with the text in OE-Core, I can update several of these
> to make the work a little easier?
>
> We should email the maintainers for opkg/opkg-utils as well (opkg
> mailing list).

That's me. :)

The request here is that I add a SECURITY.md with instructions for how to file security issues against opkg, à la the same document that is already in OE-Core; right?

Would y'all prefer that private security emails for opkg go to `[email protected]`? Otherwise, I'll default to my email directly.

--
Alex Stewart
Software Engineer - NI Real-Time OS
NI (National Instruments)

[email protected]
