On 15.03.2010 at 08:46, Holger Hans Peter Freyther wrote:

> On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:
>
>> Do we feel we have that responsibility?
>>
>> I didn't feel that sentiment when it came to removing other legacy
>> recipes (some of which definitely also will have security issues).
>> E.g. for openssl we have
>> openssl_0.9.7e.bb
>> openssl_0.9.7g.bb
>> openssl_0.9.7m.bb
>> openssl_0.9.8g.bb
>> openssl_0.9.8m.bb
>> I'm pretty certain the last one will fix some vulnerabilities present
>> in the first one.
>
> Well, you are comparing two different things here. One is having the _default_
> of a recipe with known security issues, and one is keeping old non-default
> recipes with security issues.
>
> If a distro maker decides to use an ancient version of OpenSSL it was his
> choice; if he just typed bitbake foo-image and he has a vulnerable daemon
> waiting to be owned in his default image... the story is a bit different.
>
> I think we have at least three options on how to deal with it:
>
> 1.) Put a big fat warning on Openembedded.org saying it should not be used for
> users that have network connectivity or might put a SDcard/Storage with
> content on a device as we don't care about fixing vulnerable software.

Gets my vote; however with less dramatic wording.

:M:

_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
