> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Alexander Kanavin via lists.openembedded.org
> Sent: 4 June 2026 10:21
> To: Marko, Peter <[email protected]>
> Cc: [email protected]
> Subject: Re: [Openembedded-architecture] Stable version upgrades on OE stable branches
> 
> On Sun, 31 May 2026 at 10:38, Marko, Peter <[email protected]> wrote:
> 
> > I do agree that 4 years is too long for patch backports in the age of AI 
> > vulnerability search and CRA.
> > However, since the Yocto project does have a 4-year LTS policy, we need to 
> > deal with that timespan right now.
> > Or is there a plan to decrease the LTS maintenance window or to allow more 
> > version upgrades?
> 
> Yocto LTS carries no promises of security, regardless of how long
> its lifecycle is.
> 
> The only promises are:
> - there's a branch
> - there's a maintainer who looks at incoming patches and backport
> candidates in master
> - there's CI which is used to test those patches for lack of regressions
> - there's a policy for what those patches can and cannot be
> 
> I'm not sure why you see it any other way; the stream of CVE backports
> is entirely ad hoc volunteer work, and doesn't imply any security
> guarantees or goals to be met. There are significant limitations to
> the feasibility of those backports: the gradually increasing delta to
> upstream, the need to keep the stability promise that doesn't allow
> version updates, and simply a lack of people who would do the work. The
> only way to deal with these natural limits is to indeed migrate the
> products off older LTS onto newer Yocto versions in a timely manner, a
> subject you keep evading.
> 
> Personally, I do not like how long LTS maintenance windows are,
> regardless of how successful and liked that approach is by Yocto
> users. For two reasons:
> - it's hard to contribute to Yocto core when what you're working with
> is far removed from master. It's a kind of gravity pull in the wrong
> direction.
> - it's harder still to transition to a workflow that regularly updates
> the product stack. It's just so much easier to stay on LTS until it's
> no longer possible, instead of proactively moving forward.
> 
> Alex

Well, one does not preclude the other. Our platform is always based on 
the latest Yocto release (normally updated within a week or two; with 
Wrynose we even updated a couple of days before the real release). This 
is what we use when releasing new products, and where one can get the 
latest release for actively maintained products. At the same time we 
maintain our own LTS releases, and since a couple of years back they 
are now aligned with Yocto's LTS branches. This means we get great 
help from Yocto for the first four years of our products' lifetimes 
(which typically are 10+ years), while still being able to use and 
actively contribute to the latest version of Yocto. The benefit of 
this model is that we never have to go through the hassle of upgrading 
and adapting to two years of development, and also that once one of 
our LTSes is End of Life, we can just kill it off.

//Peter

View/Reply Online (#2384): https://lists.openembedded.org/g/openembedded-architecture/message/2384