> On 10/20/23 05:49, Richard Purdie via lists.openembedded.org wrote:
> > On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote:
> > > While working on multiple aspects of security processes, one question comes back frequently: which are the layers we support with those processes? This has an impact on the number of SECURITY.md files I will be submitting, on configuring any CVE synchronization work, etc.
> > >
> > > The YP download page offers a download of poky. Neither the release documentation (https://docs.yoctoproject.org/migration-guides/index.html#release-information) nor the Release page (https://wiki.yoctoproject.org/wiki/Releases) exactly lists the layers covered.
> > >
> > > Is it poky only? Poky + meta-openembedded? With some BSP layers?
> > >
> > > This has a general impact, because I assume that layers maintained "externally" might have different security contacts, for example.
> > >
> > > Do we have that documented somewhere so that we can reference it in the security documentation?
> >
> > It will be for the layer maintainers to decide what to do about this file. From the Yocto Project perspective, we should cover bitbake, meta-yocto, openembedded-core (done) and yocto-docs.
> >
> > Looking over https://git.yoctoproject.org/ we should add one to meta-mingw as a tested layer. I've asked that meta-gplv2 move to other layers.
> >
> > We should probably mention this issue to the other layer maintainers, maybe on the architecture list, and perhaps also open a bug to make SECURITY.md a requirement for Yocto Project Compatible status?
> >
> > We should also add it to some of the code/tools repositories, in particular:
> >
> > auto-upgrade-helper, buildhistory-web, error-report-web, git-refinery-web, layerindex-web, pseudo, psplash, ptest-runner2, update-rc.d, swatbot, yocto-autobuilder-helper, yocto-autobuilder2.
> >
> > If we're happy with the test in OE-Core, I can update several of these to make the work a little easier?
> >
> > We should email the maintainers for opkg/opkg-utils as well (opkg mailing list).
>
> That's me. :)
>
> The request here is that I add a SECURITY.md with instructions for how to file security issues against opkg, a la the same document that is already in OE-core; right?
>
> Would y'all prefer if private security emails for opkg went to `[email protected]`? Otherwise, I'll default to my email directly.
I've just been trying to work out what we're doing with other repos before replying.

For "tools", I've gone with simply:

"""
How to Report a Potential Vulnerability?
========================================

If you would like to report a public issue (for example, one with a released CVE number), please report it using the [https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla]. If you have a patch ready, submit it following the same procedure as any other patch as described in README.md.

If you are dealing with a not-yet-released or urgent issue, please send a message to security AT yoctoproject DOT org, including as many details as possible: the layer or software module affected, the recipe and its version, and any example code, if available.
"""

e.g. https://git.yoctoproject.org/swatbot/commit/?id=961b8c10da89f011e79834c160196057a4233170

There is a second paragraph about releases, but it only makes sense in metadata repositories (e.g. meta-yocto or meta-mingw).

You would be more than welcome to put your name as the maintainer there. We've gone with the security list/bugzilla as the project defaults, but the maintainer makes sense when they're willing/able, as they're better placed to handle this.

The key thing is to get a SECURITY file in place. If you could take care of opkg/opkg-utils, that would be great!

Cheers,

Richard
View/Reply Online (#1805): https://lists.openembedded.org/g/openembedded-architecture/message/1805
