On Fri, 8 May 2026 at 18:35, Vincent Davis Jr via lists.openembedded.org <[email protected]> wrote:

> Would it be fine to stop applying CVE patches to vim and keep the recipe in
> oe-core? I and I'm assuming most people solely use it for development
> purposes anyways. Then remove vim from production builds.
I'm afraid it would not be fine, and this is why we're even considering these drastic changes. If vim CVEs are not patched, it would quickly start dominating CVE reports, dwarfing everything else, including significant single issues in other components, and it would make the Yocto Project look bad, regardless of explanations offered.

I agree otherwise: this constant, never-ending stream of CVEs feels like vim is misusing CVEs for minor issues that other projects fix quietly and without CVE fuss. It also feels like people want them fixed to make CVE reports look better, not to improve actual security. Whenever I raise this and try to press the matter, they go silent, as if the subject makes them uncomfortable.

Alex
View/Reply Online (#236731): https://lists.openembedded.org/g/openembedded-core/message/236731
