On Tue, Oct 24, 2023 at 2:47 PM Richard Purdie <[email protected]> wrote: > > > > > On 10/20/23 05:49, Richard Purdie via lists.openembedded.org wrote: > > > On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote: > > > > While working on multiple aspects of security processes, one question > > > > comes back frequently: which are the layers we support with those > > > > processes? This has impact on the number of SECURITY.md I will be > > > > submitting, of configuring any CVE synchronization work etc. > > > > > > > > The YP download page offers a download of poky. The release > > > > documentation > > > > https://docs.yoctoproject.org/migration-guides/index.html#release-information > > > > nor the Release page (https://wiki.yoctoproject.org/wiki/Releases) > > > > does not exactly list layers covered. > > > > > > > > Is it poky only? Poky + meta-openemedded? With some BSP layers? > > > > > > > > This has a general impact, because I assume that layers maintained > > > > "externally" might have different security contacts, for example. > > > > > > > > Do we have that documented somewhere so that we can reference in the > > > > security documentation? > > > It will be for the layer maintainers to decide what to do about this > > > file. From the Yocto Project perspective, we should cover bitbake, > > > meta-yocto, openembedded-core (done) and yocto-docs. > > > > > > Looking over https://git.yoctoproject.org/ we should add one to meta- > > > mingw as a tested layer. I've asked meta-gplv2 move to other layers. > > > > > > We should probably mention this issue to the other layer maintainers, > > > maybe on the architecture list and perhaps also open a bug to make > > > SECURITY.md a requirement for Yocto Project Compatible status? > > > > > > We should also add it to some of the code/tools repositories, in > > > particular: > > > > > > auto-upgrade-helper, buildhistory-web, error-report-web, git-refinery- > > > web, layerindex-web, pseudo, psplash, ptest-runner2, update-rc.d, > > > swatbot, yocto-autobuilder-helper, yocto-autobuilder2. > > > > > > If we're happy with the test in OE-Core, I can update several of these > > > to make the work a little easier? > > > > > > We should email the maintainers for opkg/opkg-utils as well (opkg > > > mailing list). > > > > That's me. :) > > > > The request here is that I add a SECURITY.md with instructions for how > > to file security issues against opkg, a la the same document that is > > already in OE-core; right? > > > > Would y'all prefer if private security emails for opkg went to > > `[email protected]`? Otherwise, I'll default to my email directly. > > I've just been trying to work out what we're doing with other repos > before replying. > > For "tools", I've gone with simply: > > """ > How to Report a Potential Vulnerability? > ======================================== > > If you would like to report a public issue (for example, one with a released > CVE number), please report it using the > [https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security > Bugzilla]. > If you have a patch ready, submit it following the same procedure as any other > patch as described in README.md. > > If you are dealing with a not-yet released or urgent issue, please send a > message to security AT yoctoproject DOT org, including as many details as > possible: the layer or software module affected, the recipe and its version, > and any example code, if available. > > """ > e.g. > > https://git.yoctoproject.org/swatbot/commit/?id=961b8c10da89f011e79834c160196057a4233170 > > There is a second paragraph about release but it only makes sense in > metadata repositories (e.g. meta-yocto or meta-mingw). > > You would be more than welcome to put your name as the maintainer > there. We've gone with the security list/bugzilla as the project > defaults but the maintainer makes sense when they're willing/able as > they're better placed to handle this. > > The key thing is to get a SECURITY file in place. > > If you could take care of opkg/opkg-utils that would be great! > > Cheers, > > Richard > > >
Following the discussion, I've added a wiki page discussing usage of SECURITY.md: https://wiki.yoctoproject.org/wiki/SECURITY_file Please comment/adjust. When we agree on this text, I will transcribe it to the documentation. Kind regards, Marta
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1806): https://lists.openembedded.org/g/openembedded-architecture/message/1806 Mute This Topic: https://lists.openembedded.org/mt/102077441/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-architecture/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
