On Fri, 2024-07-26 at 14:28 +0200, Marta Rybczynska via lists.openembedded.org wrote:
>
> On Fri, Jul 26, 2024 at 2:24 PM Ross Burton <[email protected]> wrote:
> > On 24 Jul 2024, at 16:25, Marta Rybczynska via lists.openembedded.org
> > <[email protected]> wrote:
> > >
> > > This file contains CVE_STATUS without machine-readable information
> > > on which recipe it applies to. All entries should be verified and,
> > > if appropriate, moved to their corresponding recipes.
> >
> > The point of this file was to be an opt-in for more exclusions
> > where we didn’t feel 100% confident asserting the issues could be
> > ignored.
> >
> > How much of a problem is it if this file contains a limited
> > number of CVEs? We can review what is in there and move/remove as
> > needed to cut it down.
>
> With the vex class (and with SPDX too, I think) they end up copied
> present in every single package of the build. This brings enormous
> confusion.
> Impossible to filter them out as there is no information about the
> affected recipe/package.

Difficult, yes, impossible, no. Surely we know which recipes a given CVE applies to?

Cheers,

Richard
