Hello, I would like to propose a way of working on coordinating CVE backports to reduce wasted effort.
Problem: Now with the CRA, more and more companies will start sending backports to the different LTS branches for oe-core and meta-openembedded. This will result in 2 or more people working on the same correction, wasting the time of those who do not send the patch first. This time could have been invested in fixing another CVE, from which the whole community would benefit. We discussed this in a small group at OSS EU in Amsterdam last August and Marta asked to create a new mailing list: https://lists.openembedded.org/g/security-discussions So far, no one has been using the mailing list.

Proposal: Use the mailing list to announce when someone is starting to work on a backport. This is completely optional, but it could help others avoid starting work on the same backport. If there is no activity, let's say within a week, anyone could take the lead. The person who initiated the work can also indicate the status if he/she gets stuck and needs help. The list can also be used to coordinate work, for example if a CVE is complex and the person working on it gets stuck.

Format:
Subject: Starting oe-core backport for CVE-XXXX-XXXXXX for component X version Y

Example:
Subject: Starting oe-core backport for CVE-2025-68276 for avahi 0.8

Once we agree, I can write the documentation so it is also visible at https://docs.yoctoproject.org/dev/security-manual/index.html

Do you think this is a good idea? Any comments or suggestions for improvements?

Best regards,
Daniel
View/Reply Online (#2234): https://lists.openembedded.org/g/openembedded-architecture/message/2234
