Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-08 Thread Adrian Bunk
On Sun, Mar 08, 2020 at 11:08:08PM +0100, Alexander Kanavin wrote:
> On Sun, 8 Mar 2020 at 22:46, Adrian Bunk wrote:
>
> > It is on YP to make it clear to users whether or not Yocto comes with
> > the same set of security guarantees as distributions like Ubuntu or
> > Debian.
> > If it is the

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-08 Thread Alexander Kanavin
On Sun, 8 Mar 2020 at 22:46, Adrian Bunk wrote:
> It is on YP to make it clear to users whether or not Yocto comes with
> the same set of security guarantees as distributions like Ubuntu or
> Debian.
> If it is the duty of every user of Yocto to track and fix CVEs,
> then this has to be stated

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-08 Thread Adrian Bunk
On Fri, Mar 06, 2020 at 10:36:59AM +, Richard Purdie wrote:
> On Fri, 2020-03-06 at 12:04 +0200, Adrian Bunk wrote:
> > For most community companies there is no clear Return on Investment
> > if they would use the opportunity to invest in upstream involvement.
>
> That isn't true. If you fix

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-06 Thread Richard Purdie
On Fri, 2020-03-06 at 12:04 +0200, Adrian Bunk wrote:
> For most community companies there is no clear Return on Investment
> if they would use the opportunity to invest in upstream involvement.

That isn't true. If you fix something yourself and hold the change you get to maintain it. If you work

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-06 Thread Adrian Bunk
On Wed, Mar 04, 2020 at 12:26:29PM -0800, akuster808 wrote:
...
> On 3/4/20 9:24 AM, Adrian Bunk wrote:
...
> > This could be combined with a call for help for security support,
> > an advantage of being honest would be that it becomes visible for
> > users that there is a resource shortage.
>

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-04 Thread akuster808
Adrian,

On 3/4/20 9:24 AM, Adrian Bunk wrote:
> On Wed, Mar 04, 2020 at 05:00:44PM +0100, Alexander Kanavin wrote:
>> Taking offense or getting angry at the yocto project is entirely
>> misdirected.
> I am not angry if YP does not provide security support.
>
> I am angry when YP is telling lies

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-04 Thread Adrian Bunk
On Wed, Mar 04, 2020 at 05:00:44PM +0100, Alexander Kanavin wrote:
> Taking offense or getting angry at the yocto project is entirely
> misdirected.

I am not angry if YP does not provide security support.

I am angry when YP is telling lies that it would provide security support, but does not

Re: [Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-04 Thread Alexander Kanavin
Taking offense or getting angry at the yocto project is entirely misdirected. The liability for insecure millions of devices does not lie with the yocto project, it lies with the OEMs. If the OEMs are unwilling to allocate manpower to work on security, there’s very little the yocto project can do.

[Openembedded-architecture] Does YP provide security support for stable and LTS branches?

2020-03-04 Thread Adrian Bunk
On Wed, Mar 04, 2020 at 01:13:19PM +0100, Alexander Kanavin wrote:
> On Wed, 4 Mar 2020 at 12:32, Adrian Bunk wrote:
>
> > I am sure there will be an update to the announcement if this doesn't
> > reflect current reality.
>
> Who is expected to do the actual work of tracking CVEs, making action