On 10/25/23 01:32, Marta Rybczynska wrote:
On Tue, Oct 24, 2023 at 4:41 PM Marta Rybczynska via lists.yoctoproject.org <[email protected]> wrote:
On Tue, Oct 24, 2023 at 2:47 PM Richard Purdie <[email protected]> wrote:
On 10/20/23 05:49, Richard Purdie via lists.openembedded.org wrote:
We should probably mention this issue to the other layer maintainers,
maybe on the architecture list and perhaps also open a bug to make
SECURITY.md a requirement for Yocto Project Compatible status?
We should also add it to some of the code/tools repositories, in
particular:
auto-upgrade-helper, buildhistory-web, error-report-web, git-refinery-web,
layerindex-web, pseudo, psplash, ptest-runner2, update-rc.d, swatbot,
yocto-autobuilder-helper, yocto-autobuilder2.
If we're happy with the test in OE-Core, I can update several of these
to make the work a little easier?
We should email the maintainers for opkg/opkg-utils as well (opkg
mailing list).
That's me. :)
The request here is that I add a SECURITY.md with instructions for how
to file security issues against opkg, a la the same document that is
already in OE-core; right?
Would y'all prefer if private security emails for opkg went to
`[email protected]`? Otherwise, I'll default to my email directly.
I've just been trying to work out what we're doing with other repos
before replying.
For "tools", I've gone with simply:
"""
How to Report a Potential Vulnerability?
========================================
If you would like to report a public issue (for example, one with a released
CVE number), please report it using the
[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security
Bugzilla].
If you have a patch ready, submit it following the same procedure as any other
patch as described in README.md.
If you are dealing with a not-yet released or urgent issue, please send a
message to security AT yoctoproject DOT org, including as many details as
possible: the layer or software module affected, the recipe and its version,
and any example code, if available.
"""
e.g.
https://git.yoctoproject.org/swatbot/commit/?id=961b8c10da89f011e79834c160196057a4233170
There is a second paragraph about release but it only makes sense in
metadata repositories (e.g. meta-yocto or meta-mingw).
You would be more than welcome to put your name as the maintainer
there. We've gone with the security list/bugzilla as the project
defaults but the maintainer makes sense when they're willing/able as
they're better placed to handle this.
The key thing is to get a SECURITY file in place.
If you could take care of opkg/opkg-utils that would be great!
Cheers,
Richard
Following the discussion, I've added a wiki page discussing usage of
SECURITY.md:
https://wiki.yoctoproject.org/wiki/SECURITY_file
Please comment/adjust. When we agree on this text, I will transcribe
it to the documentation.
Richard has posted a number of patches yesterday in different repos.
Alex, what do you think about adding it to opkg and opkg-utils?
Will do. If this is particularly timely, I can get it done this week.
Otherwise, it is already on my backlog and will probably get done the
week after next.
Bruce, what about yocto-kernel-tools?
Tim, and about layerindex-web?
Kind regards,
Marta
--
Alex Stewart
Software Engineer - NI Real-Time OS
NI (National Instruments)
[email protected]
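The thread asks for a SECURITY.md in every project repository and mentions a test in OE-Core that enforces it. The following is an added example, not the OE-Core test Richard refers to and not code from any of the repositories named above: a POSIX shell function that reports whether a checkout carries a SECURITY.md (or SECURITY) file naming at least one reporting channel, run here over three constructed sample checkouts. Which address forms count as a reporting channel (the "user AT host DOT tld" spelling used in the template, a plain e-mail address, or a tracker URL) is my assumption.

```shell
#!/bin/sh
# check_security_file DIR
# Returns 0 when DIR contains a SECURITY.md (or SECURITY) file that names a
# reporting channel; otherwise prints the reason on stderr and returns 1.
check_security_file() {
    dir=$1
    file=""
    for candidate in SECURITY.md SECURITY; do
        if [ -f "$dir/$candidate" ]; then
            file="$dir/$candidate"
            break
        fi
    done
    if [ -z "$file" ]; then
        echo "$dir: no SECURITY.md or SECURITY file" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "$file: file is empty" >&2
        return 1
    fi
    # Assumed set of acceptable reporting channels: the obfuscated
    # "name AT host DOT tld" form from the template, a plain e-mail
    # address, or an http(s) URL such as a bug tracker.
    if grep -Eq ' AT [[:alnum:].-]+ DOT |[[:alnum:]._-]+@[[:alnum:].-]+\.[[:alpha:]]+|https?://' "$file"; then
        return 0
    fi
    echo "$file: no reporting address or URL found" >&2
    return 1
}

# make_sample_repos
# Creates three constructed sample checkouts under a temporary directory
# (one compliant, one with no file, one with an empty file) and prints
# the directory path. Sample data only; not real repositories.
make_sample_repos() {
    base=$(mktemp -d)
    mkdir -p "$base/good" "$base/missing" "$base/empty"
    cat > "$base/good/SECURITY.md" <<'EOF'
How to Report a Potential Vulnerability?
========================================

If you would like to report a public issue (for example, one with a released
CVE number), please report it using the
[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security
Bugzilla].

If you are dealing with a not-yet released or urgent issue, please send a
message to security AT yoctoproject DOT org, including as many details as
possible.
EOF
    : > "$base/empty/SECURITY.md"
    echo "$base"
}

# Stand-alone demonstration: check every sample checkout and report.
base=$(make_sample_repos)
for repo in "$base"/*; do
    if check_security_file "$repo"; then
        echo "OK   $repo"
    else
        echo "FAIL $repo"
    fi
done
rm -rf "$base"
```

Pointing `check_security_file` at a real checkout (for example a loop over the tools repositories listed in the thread) gives a quick audit of which ones still lack the file; the stderr messages distinguish a missing file from an empty or contact-less one.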