On Mon, 16 Mar 2026 at 10:39, Deepak Rathore via lists.openembedded.org <[email protected]> wrote:

> When the upstream fix exists only in an updated version, upgrading the
> package is the only viable approach
>
> Please share your thoughts on this.
My thought, and I've expressed it many, many times before, is that you should learn to upgrade your products to new Yocto releases, instead of assuming that they can stay on the same LTS release for their entire lifecycle. Yes, it's difficult and costly and adds risk. You need to set up bulletproof, automated testing and QA pipelines. You need to convince management. But I firmly believe that's the only way you can avoid hitting those nasty CVEs that can't be backported.

vim upstream is a special kind of madness. They file CVEs for pretty much any potential security issue they find, and I have this feeling that people want to address vim CVEs not to improve actual product security, but merely to silence the CVE tooling they run. Meanwhile, there are plenty of potential security issues fixed in various other components that don't even get a CVE; they're simply released quietly in a new version. I feel that product security is better addressed by simply staying close to upstream. Unfortunately a whole industry has developed around CVE backports, and I am aware this is a minority opinion.

LTS upgrade policy is not going to change. LTS makes the promise of stability, and unfortunately it does come at the expense of security, or at least it pushes the security issue down to product developers from Yocto upstream. That promise can't be broken.

Alex
View/Reply Online (#233243): https://lists.openembedded.org/g/openembedded-core/message/233243