On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote: > Do we feel we have that responsibility? > > I didn't feel that sentiment when it came to removing other legacy > recipes (some of which definitely also will have security issues). > E.g. for openssl we have > openssl_0.9.7e.bb > openssl_0.9.7g.bb > openssl_0.9.7m.bb > openssl_0.9.8g.bb > openssl_0.9.8m.bb > I'm pretty certain the last one will fix some vulnerabilities present > in the first one.
Well you are comparing two different things here. One is having the _default_ of a recipe with known security issues, and one is keeping old non default recipes with security issues. If a distro maker decides to use an ancient version of OpenSSL it was his choice, if he just typed bitbake foo-image and he has a vulnerable daemon waiting to be owned in his default image... the story is a bit different. I think we have at least three options on how to deal with it: 1.) Put a big fat warning on Openembedded.org saying it should not be used for users that have network connectivity or might put a SDcard/Storage with content on a device as we don't care about fixing vulnerable software. 2.) Adopt a policy of addressing vulnerabilities in our defaults right away.. 3.) Remove recipes for vulnerable software when no one is updating them in time... This can be combined with option 2... z. _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
