On Mar 9, 2020, at 03:45, Ayoub Zaki <[email protected]> wrote:
>> Nothing to discuss in public.
>>
>>> This
>>> has been the situation from the start of the project, certainly this was
>>> the case 5 years ago when I joined it, and the only person ever to make an
>>> issue out of it is you. Everyone else seems to understand the deal they're
>>> getting by using Yocto without a commercial support contract.
>>> ...
>> You are saying that 'track and fix CVEs' is on users.
>> Let's check what YP is telling users.
>>
>> Click on the "Is Yocto Project for you?" link on the YP frontpage:
>>
>> https://www.yoctoproject.org/is-yocto-project-for-you/
>> 13. Yocto Project follows a strict release schedule incorporating
>> security patches in all supported releases. This predictability is
>> crucial for projects that are based on Yocto Project and allows the
>> development teams to plan their activities. Developers can choose which
>> Yocto Project branch on which to base their activities as a function of
>> their needs. The development branch will ensure access to the latest
>> features while the stable branches will reduce the pace of changes. CVEs
>> (common vulnerabilities and exposures) issues are supported for the
>> latest 2 releases.
>
>
> Adrian is making a point here, The Yocto Project by claiming that it supports
> security patches for Stable releases is misleading the Users!
>
> I work with different customers and some of them think that by using and
> pulling the latest releases they will get the CVEs automatically fixed!
>
> YP should state that CLEARLY! Of course it will impact the choice of going
> with Yocto or Not (probably NOT in this case).
Would the Yocto mailing list [1] be a good venue to reach the maintainers of the Yocto website? There are now a handful of OE-arch / OE-core threads on this topic, which could be consolidated into a single thread on the Yocto list, where participants can act on recommendations.

Rich

[1] https://lists.yoctoproject.org/g/yocto
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
