2010/3/15 Koen Kooi <[email protected]>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15-03-10 08:46, Holger Hans Peter Freyther wrote:
>>
>> I think we have at least three options on how to deal with it:
>>
>> 1.) Put a big fat warning on Openembedded.org saying it should not be used
>> for users that have network connectivity or might put a SDcard/Storage with
>> content on a device, as we don't care about fixing vulnerable software.
>>
>> 2.) Adopt a policy of addressing vulnerabilities in our defaults right away.
>>
>> 3.) Remove recipes for vulnerable software when no one is updating them in
>> time. This can be combined with option 2.
>
> I don't think 1) is a realistic option; if we go with that, we should
> just redirect oe.org to buildroot.org and go home.

Why is it not realistic? Lots of driver code I get from commercial vendors contains statements like "this is sample code only, not intended for use in products, proceed at own risk, bla bla bla". And frankly speaking, I doubt that we have the resources to actually make sure that we fix all known security vulnerabilities shortly after a fix becomes available.

So a +1 for having a warning on the OE website. Actually, I would suggest repeating the message on the Getting Started page (http://wiki.openembedded.net/index.php/Getting_Started) (and of course each distro can decide on their own whether they want to have such a warning on their website or not).

Frans

>
> My vote goes to 2) and I like 3) as well.
>
> regards,
>
> Koen

_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel
