On Tue, Oct 24, 2023 at 4:41 PM Marta Rybczynska via lists.yoctoproject.org <[email protected]> wrote: > > On Tue, Oct 24, 2023 at 2:47 PM Richard Purdie > <[email protected]> wrote: > > > > > > > > On 10/20/23 05:49, Richard Purdie via lists.openembedded.org wrote: > > > > On Fri, 2023-10-20 at 10:56 +0200, Marta Rybczynska wrote: > > > > > While working on multiple aspects of security processes, one question > > > > > comes back frequently: which are the layers we support with those > > > > > processes? This has impact on the number of SECURITY.md I will be > > > > > submitting, of configuring any CVE synchronization work etc. > > > > > > > > > > The YP download page offers a download of poky. The release > > > > > documentation > > > > > https://docs.yoctoproject.org/migration-guides/index.html#release-information > > > > > nor the Release page (https://wiki.yoctoproject.org/wiki/Releases) > > > > > does not exactly list layers covered. > > > > > > > > > > Is it poky only? Poky + meta-openemedded? With some BSP layers? > > > > > > > > > > This has a general impact, because I assume that layers maintained > > > > > "externally" might have different security contacts, for example. > > > > > > > > > > Do we have that documented somewhere so that we can reference in the > > > > > security documentation? > > > > It will be for the layer maintainers to decide what to do about this > > > > file. From the Yocto Project perspective, we should cover bitbake, > > > > meta-yocto, openembedded-core (done) and yocto-docs. > > > > > > > > Looking over https://git.yoctoproject.org/ we should add one to meta- > > > > mingw as a tested layer. I've asked meta-gplv2 move to other layers. > > > > > > > > We should probably mention this issue to the other layer maintainers, > > > > maybe on the architecture list and perhaps also open a bug to make > > > > SECURITY.md a requirement for Yocto Project Compatible status? > > > > > > > > We should also add it to some of the code/tools repositories, in > > > > particular: > > > > > > > > auto-upgrade-helper, buildhistory-web, error-report-web, git-refinery- > > > > web, layerindex-web, pseudo, psplash, ptest-runner2, update-rc.d, > > > > swatbot, yocto-autobuilder-helper, yocto-autobuilder2. > > > > > > > > If we're happy with the test in OE-Core, I can update several of these > > > > to make the work a little easier? > > > > > > > > We should email the maintainers for opkg/opkg-utils as well (opkg > > > > mailing list). > > > > > > That's me. :) > > > > > > The request here is that I add a SECURITY.md with instructions for how > > > to file security issues against opkg, a la the same document that is > > > already in OE-core; right? > > > > > > Would y'all prefer if private security emails for opkg went to > > > `[email protected]`? Otherwise, I'll default to my email directly. > > > > I've just been trying to work out what we're doing with other repos > > before replying. > > > > For "tools", I've gone with simply: > > > > """ > > How to Report a Potential Vulnerability? > > ======================================== > > > > If you would like to report a public issue (for example, one with a released > > CVE number), please report it using the > > [https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security > > Bugzilla]. > > If you have a patch ready, submit it following the same procedure as any > > other > > patch as described in README.md. > > > > If you are dealing with a not-yet released or urgent issue, please send a > > message to security AT yoctoproject DOT org, including as many details as > > possible: the layer or software module affected, the recipe and its version, > > and any example code, if available. > > > > """ > > e.g. > > > > https://git.yoctoproject.org/swatbot/commit/?id=961b8c10da89f011e79834c160196057a4233170 > > > > There is a second paragraph about release but it only makes sense in > > metadata repositories (e.g. meta-yocto or meta-mingw). > > > > You would be more than welcome to put your name as the maintainer > > there. We've gone with the security list/bugzilla as the project > > defaults but the maintainer makes sense when they're willing/able as > > they're better placed to handle this. > > > > The key thing is to get a SECURITY file in place. > > > > If you could take care of opkg/opkg-utils that would be great! > > > > Cheers, > > > > Richard > > > > > > > > Following the discussion, I've added a wiki page discussing usage of > SECURITY.md: > https://wiki.yoctoproject.org/wiki/SECURITY_file > > Please comment/adjust. When we agree on this text, I will transcribe > it to the documentation. >
Richard has posted a number of patches yesterday in different repos. Alex, what do you think about adding it to opkg and opkg-utils ? Bruce, what about yocto-kernel-tools? Tim, and about layerindex-web? Kind regards, Marta
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1808): https://lists.openembedded.org/g/openembedded-architecture/message/1808 Mute This Topic: https://lists.openembedded.org/mt/102173042/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-architecture/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
