-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 15-03-10 08:46, Holger Hans Peter Freyther wrote: > On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote: > >> Do we feel we have that responsibility? >> >> I didn't feel that sentiment when it came to removing other legacy >> recipes (some of which definitely also will have security issues). >> E.g. for openssl we have >> openssl_0.9.7e.bb >> openssl_0.9.7g.bb >> openssl_0.9.7m.bb >> openssl_0.9.8g.bb >> openssl_0.9.8m.bb >> I'm pretty certain the last one will fix some vulnerabilities present >> in the first one. > > Well you are comparing two different things here. One is having the _default_ > of a recipe with known security issues, and one is keeping old non default > recipes with security issues. > > If a distro maker decides to use an ancient version of OpenSSL it was his > choice, if he just typed bitbake foo-image and he has a vulnerable daemon > waiting to be owned in his default image... the story is a bit different. > > I think we have at least three options on how to deal with it: > > 1.) Put a big fat warning on Openembedded.org saying it should not be used > for > users that have network connectivity or might put a SDcard/Storage with > content on a device as we don't care about fixing vulnerable software. > > 2.) Adopt a policy of addressing vulnerabilities in our defaults right away.. > > 3.) Remove recipes for vulnerable software when no one is updating them in > time... This can be combined with option 2...
I don't think 1) is a realistic option, if we go with that, we should just redirect oe.org to buildroot.org and go home. I my vote goes to 2) and I like 3) as well. regards, Koen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFLnf44MkyGM64RGpERAmzaAKCp0hTPChpWBSA+ZNOu4EONro5SdACggdvk i1RVEm4+eqwaPItxFiYzE9Q= =2RGA -----END PGP SIGNATURE----- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
