On Mon, Mar 15, 2010 at 09:08:24AM +0100, Frans Meulenbroeks wrote:
> > 3.) Remove recipes for vulnerable software when no one is updating them in
> > time... This can be combined with option 2...
>
> These are good plans, but I'm not sure if you will get volunteers for
> 2 and people will definitely complain if you do 3.

For security issues it would be nice to adopt some form of the Angstrom blacklist class and put a blacklist entry for all vulnerable recipes in some security-blacklist.conf included from bitbake.conf. This way it would be easy to show why the recipe is not available (the CVE noted in the message shown by the blacklist when some image tries to pull that recipe). Also it would allow easy blacklist removal for people who don't care about security, and easy to return the recipe if someone cares and puts in enough time to fix that issue. But the current code would probably need to be extended to blacklist based on PN-PV, not only PN (which someone already proposed for blacklisting old recipes).

Regards,
-- 
Jansa Martin
JaMa
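
The lookup proposed in the message above, sketched as an added example; it is not part of the original mail and not OpenEmbedded or Angstrom code. The `SECURITY_BLACKLIST[...]` variable name, the conf syntax, the function names and the CVE placeholders are all assumptions made for illustration.

```python
import re

# Constructed sample of a hypothetical security-blacklist.conf. The variable
# name and the CVE ids are placeholders, not real entries.
SAMPLE_CONF = '''
# whole recipe, every version (PN only)
SECURITY_BLACKLIST[foo-server] = "CVE-XXXX-0001: no fixed version packaged"
# one version only (PN-PV)
SECURITY_BLACKLIST[libbar-1.2.3] = "CVE-XXXX-0002: fixed in later releases"
'''

ENTRY = re.compile(
    r'^SECURITY_BLACKLIST\[(?P<key>[^\]]+)\]\s*=\s*"(?P<reason>[^"]*)"\s*$')


def parse_blacklist(text):
    """Return {key: reason}, where key is either PN or PN-PV."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            # Fail loudly: a silently skipped entry would un-blacklist a recipe.
            raise ValueError(f"line {lineno}: not a blacklist entry: {line!r}")
        entries[m["key"]] = m["reason"]
    return entries


def check_recipe(entries, pn, pv, ignored=()):
    """Return the message explaining why PN-PV is skipped, or None.

    Lookup keys are composed from the recipe's own PN and PV rather than by
    splitting an entry on '-', since PN itself may contain hyphens and digits.
    `ignored` models a local override that removes individual entries.
    """
    for key in (f"{pn}-{pv}", pn):  # most specific entry first
        if key in entries and key not in ignored:
            return f"{pn}-{pv} is blacklisted: {entries[key]}"
    return None


if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_CONF)
    for pn, pv in [("foo-server", "2.0"), ("libbar", "1.2.3"), ("libbar", "1.2.4")]:
        print(pn, pv, "->", check_recipe(bl, pn, pv) or "allowed")
```
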
