Hi Richard,

Thanks for the comments.

The last thing I want is to hinder and reduce the number of contributors. That's why I wanted to have it optional and discuss it on the mailing list to see if people think it's useful. I fully agree that we need the buy-in from the people involved to make it work.

Best regards,
Daniel

> -----Original Message-----
> From: Richard Purdie <[email protected]>
> Sent: Thursday, 5 February 2026 10:05
> To: Daniel Turull <[email protected]>; security-[email protected]; openembedded-[email protected]
> Cc: David Partain <[email protected]>; Marta Rybczynska <[email protected]>
> Subject: Re: [Openembedded-architecture] Proposal for coordination on work for CVE backports
>
> Hi Daniel,
>
> On Thu, 2026-02-05 at 08:23 +0000, Daniel Turull via lists.openembedded.org wrote:
> > I would like to propose a way of working on coordinating CVE backports to reduce wasted effort.
> >
> > Problem:
> > Now with the CRA more and more companies will start sending backports to the different LTS branches for oe-core and meta-openembedded. This will lead to 2 or more people working on the same correction, resulting in a waste of time for the persons who do not send the patch first. This time could have been invested in fixing another CVE, which the whole community would then benefit from.
> >
> > We discussed this in a small group at the OSS EU in Amsterdam last August and Marta asked to create a new mailing list: https://lists.openembedded.org/g/security-discussions
> >
> > So far, no one has been using the mailing list.
>
> As far as I know, that list was created directly by the OE board and wasn't discussed with the OE or Yocto Project TSCs, just to see what happened. The challenge with doing that is that nobody was really consulted and there wasn't much communication around it.
>
> The OE TSC should really therefore defer to the OE board and ask it what its plans are. The Yocto Project isn't involved.
>
> > Proposal:
> > To use the mailing list when someone is starting to work on a backport and announce it. This is completely optional but could help others to avoid starting work on the same backport. If there is no activity, let's say within a week, anyone could take the lead. The person who initiated it can also indicate the status if he/she gets stuck and needs help.
> >
> > The list can also be used to coordinate work, for example if a CVE is complex and the person working on it gets stuck.
> >
> > Format:
> > Subject: Starting oe-core backport for CVE-XXXX-XXXXXX for component X version Y
> >
> > Example:
> > Subject: Starting oe-core backport for CVE-2025-68276 for avahi 0.8
> >
> > Once we agree, I can write the documentation, so it is also visible: https://docs.yoctoproject.org/dev/security-manual/index.html
> >
> > Do you think it is a good idea? Any comments or suggestions for improvements?
>
> Sharing the proposal is a good start but I'd like to hear from Marta about why this was set up and why the TSCs weren't involved. I actually hate to ask that question as it does start to pull more process into this and I don't like how much work the existing process can cause me in particular. That said, changing the project's security processes without the involvement of the TSCs doesn't seem right to me. I end up being one of the people who tries to follow the rules and procedures we set up; I'd love to just bypass them myself!
>
> Moving past the process issues and looking at the proposal itself, I think I'd observe that:
>
> * we want to try and have as little overhead around fixing CVEs as we can.
>
> * the more process we put around it, particularly if we start insisting on it, the fewer contributions we might get
>
> * how (and who) would handle someone who says they start things but never submit them?
>
> * if someone mentions on the list they're working on it but someone else does it first, which one gets merged?
>
> * some existing contributors struggle to get management buy-in for sharing the CVE fixes; this may make it harder to contribute for them
>
> * some companies don't want to announce the fact they're aware of a security issue as, for example, that has implications under the CRA
>
> * some companies also view what they have people working on, or how long it takes, as commercially sensitive
>
> We really need the buy-in from the people writing and submitting these changes so I'd be interested to hear from them in particular. If they say they'd find it useful *and* are willing to participate, then I think we could make something happen. If they can't/won't participate, I don't think this will work.
>
> I also have concerns about the naming of a "security-discussions" mailing list. I'm not 100% sure this use was the original intended use; I think there were others intended. We probably need to hear from Marta and the OE board about any other plans there.
>
> Cheers,
>
> Richard
View/Reply Online (#2237): https://lists.openembedded.org/g/openembedded-architecture/message/2237
