Hi,

On Mon, Feb 07, 2022 at 03:18:20PM -0800, jbouchard wrote:
> I was wondering why the package revisions are not increasing when a patch is
> applied to other project source, like this commit
> https://git.openembedded.org/openembedded-core/commit/?h=honister&id=2d3c5b078feb34cb729902292d2805c9288ebc4c.
> Most distributions tend to increase the package revision when such changes
> occur. This helps to track vulnerabilities and bugs. I know CVE_CHECK can deal
> with CVEs, but it is hard to track with external software.
Yocto is different from other Linux distributions. There is no binary compatibility between binary packages. Every single yocto build can break everything in compatibility. Thus recipe version numbers don't matter that much, and it's not important to update them as long as the major version number matches the SW component which is used.

As a user of yocto, you can configure the yocto build system to produce unique and monotonically increasing binary package version numbers using prserv. This will update PR whenever recipes are recompiled.
https://www.yoctoproject.org/docs/current/mega-manual/mega-manual.html#working-with-a-pr-service

For CVE checks, the metadata in CVE patches marks the issues as patched when the yocto internal CVE checker is used. External CVE security issue detection tooling must take into account the patches which have already been applied. Any tooling will be useless if it doesn't take this into account.

For security analysis work, it is best to follow what yocto upstream maintainers do and use the same tooling as the basis, then maybe add your custom stuff on top, or in the best case contribute things back to the project. It's quite a bit of work to maintain a large yocto based Linux distro well, so you are better off if you work with the community and maintainers there.

Cheers,
-Mikko
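The point about external tooling having to subtract already-applied patches, as an added example that is not part of Mikko's reply and is not code from OpenEmbedded's cve-check class: the script below assumes the OE patch-tagging convention (a patch fixes a CVE when its file name contains the CVE id, or when a header line reads "CVE: CVE-YYYY-NNNN [CVE-YYYY-MMMM ...]"), only trusts tags in the patch header (everything before the first "--- "/"diff --git" line, a stricter choice than scanning the whole file), and runs over constructed patch texts and a constructed scanner report. The function names and the sample data are this example's own.

```python
"""Subtract CVEs already fixed by a recipe's patches from an external scanner's report.

Added example, not from the mailing-list thread or the OE project. Assumption:
a patch counts as fixing a CVE if its file name carries the CVE id or its
header has a line "CVE: CVE-YYYY-NNNN [CVE-YYYY-MMMM ...]". Patch texts and
the scanner report below are constructed for illustration.
"""
import re

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A whole header line of the form "CVE: CVE-2021-0001 CVE-2021-0002"; a free-form
# mention of an id elsewhere in the text deliberately does not count.
CVE_TAG_LINE_RE = re.compile(r"^CVE:(?:[ \t]+CVE-\d{4}-\d{4,})+[ \t]*$", re.MULTILINE)
# First line that starts the actual diff; only text before it is treated as header.
DIFF_START_RE = re.compile(r"^(?:---|diff --git) ", re.MULTILINE)


def patched_cves_from_patch(filename, text):
    """Return the set of CVE ids a single patch claims to fix."""
    found = set(CVE_ID_RE.findall(filename))          # id in the file name
    header = DIFF_START_RE.split(text, maxsplit=1)[0]  # ignore the hunks themselves
    for tag_line in CVE_TAG_LINE_RE.findall(header):   # whole "CVE: ..." lines
        found.update(CVE_ID_RE.findall(tag_line))
    return found


def unpatched_cves(reported, patches):
    """Return (still_open, patched) after removing what the recipe's patches fix.

    reported: CVE ids an external scanner assigned to the upstream version
    patches:  mapping patch file name -> patch text (what SRC_URI pulls in)
    """
    patched = set()
    for name, text in patches.items():
        patched |= patched_cves_from_patch(name, text)
    return sorted(set(reported) - patched), sorted(patched)


# Constructed sample patches: tag line with two ids, id only in the file name,
# and a header that merely mentions an id without tagging it.
SAMPLE_PATCHES = {
    "0001-parser-bound-check-length.patch": """\
From: Example Contributor <dev@example.invalid>
Subject: [PATCH] parser: bound-check length before memcpy

Backport of the upstream fix.

CVE: CVE-2021-0001 CVE-2021-0002
Upstream-Status: Backport
Signed-off-by: Example Contributor <dev@example.invalid>
---
 parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
--- a/parser.c
+++ b/parser.c
@@ -10,7 +10,7 @@
-    memcpy(buf, src, len);
+    if (len <= sizeof(buf)) memcpy(buf, src, len);
""",
    "CVE-2021-0003.patch": """\
Fix a null-pointer dereference reported upstream.

Upstream-Status: Backport
--- a/util.c
+++ b/util.c
@@ -1 +1 @@
-x
+y
""",
    "0002-build-drop-werror.patch": """\
Drop -Werror. A free-form mention of CVE-2021-0009 here is not a tag and must not count.
--- a/Makefile
+++ b/Makefile
@@ -1 +1 @@
-CFLAGS += -Werror
+CFLAGS +=
""",
}

# Constructed scanner output for the unpatched upstream version.
REPORTED_BY_SCANNER = ["CVE-2021-0001", "CVE-2021-0002", "CVE-2021-0003",
                       "CVE-2021-0004", "CVE-2021-0009"]

if __name__ == "__main__":
    still_open, patched = unpatched_cves(REPORTED_BY_SCANNER, SAMPLE_PATCHES)
    print("patched by recipe patches:", patched)
    print("still open:", still_open)
```

Running it on the constructed data reports CVE-2021-0001, -0002 and -0003 as patched and leaves CVE-2021-0004 and CVE-2021-0009 open; the last one shows why matching only proper "CVE:" tag lines matters, since a casual mention in a commit message is not a claim that the issue is fixed.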
View/Reply Online (#161486): https://lists.openembedded.org/g/openembedded-core/message/161486
