On 02/24/2016 07:19 PM, akuster808 wrote:

> Many vulnerability notifications will make the same statements.
>
> Updating a package that other packages depend on can cause a cascading
> set of failures. Now you have a bigger set of problems to contend with.

I don't think the possibility of failures is a bigger problem than the certainty of having to backport a huge number of CVE fixes within a codebase that you don't understand.

Many of those are not a matter of cherry-picking the right patch; they require actual webkit expertise, because the code has changed too much in the meantime. Also, each webkit build takes hours, which slows things down even more. Do you have the resources for all of that?

> From the commercial side you just can't move your install base to the
> latest package versions for every security issue. The Yocto maintenance
> policy operates very close to this too.

I think you need to make an exception for webkit, and explain this to your customers.

Alex

--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
