Re: [OE-core] [Openembedded-architecture] [yocto] Security processes: YP needs
Hi Marta!

> What about 11am Pacific on tomorrow (28 Sept or Oct 3)?

Let us aim for October 3 so that I can prepare a full demo.

> I think that you have meant 10am to 2PM, otherwise 1am Pacific would work
> very well for me too

I actually did mean 2:00 am Pacific. I do work with our India team, so I am often up late to sync with them.

> As discussed yesterday in the call, there are some other people who seem
> interested.

What time zone are you in? I believe Ross is in England (UTC). I know that Randy is in Ottawa. If anyone else wants to join, that would be great! They should ping us and I can send the Zoom link. I do not want to send that link blindly to the full mail list.

> I'm going to add the missing file for the test next week, the tool needs a
> script to download 2023 data.

That file is part of my code update, so you can get that for free.

David

-----Original Message-----
From: Marta Rybczynska
Sent: Wednesday, September 27, 2023 12:18 AM
To: Reyna, David
Cc: yocto-secur...@lists.yoctoproject.org; OE-core ; openembedded-architect...@lists.openembedded.org; yo...@lists.yoctoproject.org; MacLeod, Randy ; Richard Purdie ; Steve Sakoman ; Khem Raj ; mark.ha...@kernel.crashing.org; Ross Burton ; Joshua Watt
Subject: Re: [Openembedded-architecture] [yocto] Security processes: YP needs

Hi David,

Thank you very much for the description and the offer to get a demo. As discussed yesterday in the call, there are some other people who seem interested.

> PROPOSAL 1: If the full triage is too much to bite off to start with, perhaps
> using it to track and coordinate work will bring immediate benefit.

This is the reason I want to test how much time it takes.

> PROPOSAL 2: I am happy to give you a live demo of Wind River's fully
> operational SRTool, so you can see all of the bells and whistles in action. I
> am available pretty much anytime between 10:00 am Pacific to 2:00 am Pacific.

That would be nice. What about 11am Pacific on tomorrow (28 Sept or Oct 3)?
I think that you have meant 10am to 2PM, otherwise 1am Pacific would work very well for me too :P

> PROPOSAL 3: I will start refreshing the YP SRTool repository with my current
> implementation level from Wind River (with the Wind River specific modules
> left out of course :-)

That would be great. I'm going to add the missing file for the test next week, the tool needs a script to download 2023 data.

Kind regards,
Marta

On Mon, Sep 25, 2023 at 11:02 AM Reyna, David via lists.openembedded.org wrote:
>
> Hi Marta,
>
> * SRTool: We might decide to use it again. It allows one to do much but
> requires constant commitment.
>
> There are many ways to use the SRTool.
> (a) The original design was to perform 100% triage of incoming CVEs. This
> was a business requirement of Wind River, and we have used the SRTool
> successfully for 4-5 years now.
> (b) The main limitation with the SRTool for Yocto Project was the lack of
> integration with Bugzilla (Ross ran out of time)
>   * This is the crucial other half of the workflow
>   * There is the automatic creation of appropriate defect records for
>     investigation
>   * There is also the automatic tracking of the overall CVE status, both
>     CVEs in progress and the CVEs completed
>   * Wind River has an extension for full integration with Jira, and that
>     saves weeks of work for the CVE management
> (c) The guiding rule was that CVE management was in the SRTool, but
> specific defect work was also done in Jira/Bugzilla, for a clean separation of
> domains
> (d) The SRTool has a user model
>   * Together with Bugzilla, it is easy to track single people and even
>     multiple people working on CVEs
> (e) The SRTool also has the built-in ability to look up the CVE status from
> other distributions (Red Hat, Debian, ...) so that one can get a peek of
> existing triages and resolutions
> (f) The SRTool is built like Toaster on top of Django, so development and
> debugging skills for Toaster immediately apply
> (g) Also with the Django base, it is very simple to add any number of
> modular extensions to support for example CVE Scanner integration
> (h) The SRTool also has report generation (in text, CSV, and Excel) in
> addition to email notification support.
> (i) There is also a "private" model for CVEs under embargo, with strict
> access control lists.
>
> PROPOSAL 1: If the full triage is too much to bite off to start with, perhaps
> using it to track and coordinate work will bring immediate benefit.
>
> PROPOSAL 2: I am happy to give you a live demo of Wind River's fully
> operational SRTool, so you can see all of the bells and whistles in action. I
> am available pretty much anytime between 10:00 am Pacific to 2:00 am Pacific.
>
> PROPOSAL
Re: [OE-core] [yocto] Security processes: YP needs
Hi Marta,

* SRTool: We might decide to use it again. It allows one to do much but requires constant commitment.

There are many ways to use the SRTool.

(a) The original design was to perform 100% triage of incoming CVEs. This was a business requirement of Wind River, and we have used the SRTool successfully for 4-5 years now.
(b) The main limitation with the SRTool for Yocto Project was the lack of integration with Bugzilla (Ross ran out of time)
  * This is the crucial other half of the workflow
  * There is the automatic creation of appropriate defect records for investigation
  * There is also the automatic tracking of the overall CVE status, both CVEs in progress and the CVEs completed
  * Wind River has an extension for full integration with Jira, and that saves weeks of work for the CVE management
(c) The guiding rule was that CVE management was in the SRTool, but specific defect work was also done in Jira/Bugzilla, for a clean separation of domains
(d) The SRTool has a user model
  * Together with Bugzilla, it is easy to track single people and even multiple people working on CVEs
(e) The SRTool also has the built-in ability to look up the CVE status from other distributions (Red Hat, Debian, ...) so that one can get a peek of existing triages and resolutions
(f) The SRTool is built like Toaster on top of Django, so development and debugging skills for Toaster immediately apply
(g) Also with the Django base, it is very simple to add any number of modular extensions to support for example CVE Scanner integration
(h) The SRTool also has report generation (in text, CSV, and Excel) in addition to email notification support.
(i) There is also a "private" model for CVEs under embargo, with strict access control lists.

PROPOSAL 1: If the full triage is too much to bite off to start with, perhaps using it to track and coordinate work will bring immediate benefit.

PROPOSAL 2: I am happy to give you a live demo of Wind River's fully operational SRTool, so you can see all of the bells and whistles in action. I am available pretty much anytime between 10:00 am Pacific to 2:00 am Pacific.

PROPOSAL 3: I will start refreshing the YP SRTool repository with my current implementation level from Wind River (with the Wind River specific modules left out of course :-)

David

BTW, I also support an extension to the SRTool that manages CVE scanning of build images, with hooks to a number of existing CVE scanners (e.g. Trivy) in addition to other vulnerability metrics. This is probably out of scope to YP at this time, but it is perhaps something to grow in to.

-----Original Message-----
From: yo...@lists.yoctoproject.org On Behalf Of Marta Rybczynska via lists.yoctoproject.org
Sent: Wednesday, September 13, 2023 4:52 AM
To: yocto-secur...@lists.yoctoproject.org; OE-core ; openembedded-architect...@lists.openembedded.org; yo...@lists.yoctoproject.org
Cc: Richard Purdie ; Steve Sakoman ; Khem Raj ; mark.ha...@kernel.crashing.org; Ross Burton ; Joshua Watt
Subject: [yocto] Security processes: YP needs

Hello,

I've been working recently on collecting what works and what doesn't in YP security processes. The goal is to go forward and define an actionable strategy!

Today, I'd like to share with you the summary of what I have heard as needs from several people (those in Cc:). I want the community to comment and tell us what you find important and what you'd like to see added or changed from this list.

* CVEs: Visibility if YP is vulnerable or not
  People want to be able to check/look up a specific CVE; it might be a CVE unrelated to YP (eg. package not included, Windows issue). The cve-checker result is a part of the solution, but people also want to know which CVEs do not apply.

* CVEs: synchronization of the work on fixes
  Currently, there is no synchronization; multiple parties might be working on the same fix while nobody is working on another. There might be duplication of work. Ross has https://wiki.yoctoproject.org/wiki/CVE_Status

* Triaging of security issues
  Related to CVE fixes and includes issues reported directly to the YP. Some issues are more likely to be serious for embedded products (attack by network), so not all have the same priority.

* Private security communication
  A way to send a notification of a non-public security issue. For researchers, other projects etc. The security alias exists, but only some people know about its existence.

* Visibility of the security work of the YP
  There is much work on security in the YP, but it lacks visibility.

* Documentation
  Related to visibility. We need easy-to-find documentation of subjects like submitting a CVE fix, reporting a private issue, and how our processes work... This documentation should address people who are not regular contributors.

* Additional tooling
  We could add additional tooling: a template on how to add cve-check to the CI (possibly a different one than the autobuilder),
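The first two needs in Marta's list, "is YP vulnerable to CVE X?" and "which CVEs do not apply?", can be answered mechanically from the JSON summary that the cve-check class writes under tmp/deploy/cve/. The script below is an added example, not code from the Yocto Project, SRTool or any of the people on this thread. It assumes the cve-check v1 JSON layout as I read it from cve-check.bbclass (top-level "package" list; per recipe "name", "version", "products" and an "issue" list whose entries carry "id" and a "status" of Patched, Unpatched or Ignored); verify those field names against your own build output before relying on it. The embedded summary is constructed sample data with made-up CVE numbers.

```python
"""Look up a CVE, and list what does not apply, in a Yocto cve-check JSON summary.

Added example, not YP or SRTool code.  The JSON layout below (package/name,
package/version, issue/id, issue/status in {Patched, Unpatched, Ignored}) is
assumed from cve-check.bbclass; check it against tmp/deploy/cve/ in your build.
"""
import json
import re
import sys

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Worst-first ordering used when one CVE touches several recipes.
STATUS_RANK = {"Unpatched": 0, "Patched": 1, "Ignored": 2}

# Constructed sample summary: three recipes, made-up CVE ids, not real data.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "layer": "meta", "version": "3.1.2",
         "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2023-90001", "summary": "constructed", "scorev3": "7.5",
              "status": "Patched"},
             {"id": "CVE-2023-90002", "summary": "constructed", "scorev3": "5.3",
              "status": "Unpatched"},
         ]},
        {"name": "zlib", "layer": "meta", "version": "1.2.13",
         "products": [{"product": "zlib", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2023-90003", "summary": "constructed", "scorev3": "0.0",
              "status": "Ignored"},
         ]},
        # Same CVE as openssl above, but already patched here: the build is
        # still vulnerable as long as any recipe lists it Unpatched.
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2023-90002", "summary": "constructed", "scorev3": "5.3",
              "status": "Patched"},
         ]},
    ],
})


def load_summary(text):
    """Parse the cve-check JSON and reject anything that is not a v1 summary."""
    data = json.loads(text)
    if data.get("version") != "1" or not isinstance(data.get("package"), list):
        raise ValueError("not a cve-check v1 JSON summary")
    return data


def lookup_cve(summary, cve_id):
    """Return (verdict, hits) for one CVE id.

    verdict: "vulnerable"    some recipe still lists it Unpatched
             "fixed"         only Patched entries
             "ignored"       only Ignored entries (CVE_STATUS / CVE_CHECK_IGNORE)
             "not-in-record" no recipe in this build references the id at all,
                             i.e. the product is not built or the id is unknown
                             to the NVD data used; it does NOT prove "not affected"
    hits:    [(recipe, version, status), ...] for every mention of the id
    """
    cve_id = cve_id.strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    hits = []
    for pkg in summary["package"]:
        for issue in pkg.get("issue", []):
            if issue.get("id", "").upper() == cve_id:
                hits.append((pkg["name"], pkg.get("version", "?"),
                             issue.get("status", "?")))
    if not hits:
        return "not-in-record", hits
    statuses = {status for _, _, status in hits}
    if "Unpatched" in statuses:
        return "vulnerable", hits
    if statuses == {"Ignored"}:
        return "ignored", hits
    return "fixed", hits


def triage_table(summary):
    """Group every CVE id by its worst status across recipes.

    The "Unpatched" list is the open work (what needs synchronising between
    parties); "Ignored" is the explicit does-not-apply list.
    """
    worst = {}
    for pkg in summary["package"]:
        for issue in pkg.get("issue", []):
            cid, status = issue.get("id", "").upper(), issue.get("status", "?")
            if status not in STATUS_RANK:
                continue
            if cid not in worst or STATUS_RANK[status] < STATUS_RANK[worst[cid]]:
                worst[cid] = status
    table = {s: [] for s in STATUS_RANK}
    for cid, status in worst.items():
        table[status].append(cid)
    return {s: sorted(ids) for s, ids in table.items()}


if __name__ == "__main__":
    # Usage: python cve_lookup.py [summary.json] CVE-YYYY-NNNN ...
    args = sys.argv[1:]
    if args and args[0].endswith(".json"):
        with open(args.pop(0), encoding="utf-8") as fh:
            summary = load_summary(fh.read())
    else:
        summary = load_summary(SAMPLE_SUMMARY)
    for cve in args or ["CVE-2023-90002", "CVE-2023-90003", "CVE-2023-99999"]:
        verdict, hits = lookup_cve(summary, cve)
        print(f"{cve}: {verdict}", *[f"  {r} {v}: {s}" for r, v, s in hits], sep="\n")
    for status, ids in triage_table(summary).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Note the deliberate split between "ignored" and "not-in-record": the first is a recorded decision (a CVE_STATUS or CVE_CHECK_IGNORE entry someone can be asked about), the second only says the build never matched the id, which is exactly the "package not included / Windows issue" case Marta mentions and still needs a human to confirm.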
Re: [Yocto-Advocacy] [OE-core] Yocto Project Community Manager updates
Hi Nico,

Thank you for the many years of accomplishment and contribution. In addition to all the other things you helped foster, I would like to specifically thank you for your help with all the DevDays I ran (like 8 or 9 of them!). You were always there when I needed someone to help out or even just to bounce ideas off of, and that really helped make things happen and happen well. And with all that, you also could not have been a nicer person to work with!

Thanks. You will be missed.

David

-----Original Message-----
From: yocto-advoc...@lists.yoctoproject.org On Behalf Of Khem Raj via lists.yoctoproject.org
Sent: Friday, May 5, 2023 10:47 AM
To: Nicolas Dechesne
Cc: yo...@lists.yoctoproject.org; yocto-advoc...@lists.yoctoproject.org; openembedded-core ; Josef Holzmayr ; Richard Purdie
Subject: Re: [Yocto-Advocacy] [OE-core] Yocto Project Community Manager updates

Nico, thanks for all your contributions to the project. We will miss you.

On Thu, May 4, 2023 at 7:40 AM Nicolas Dechesne wrote:
>
> Dear all,
>
> After five years, I have decided to resign from my position as the Yocto
> Project Community Manager. I joined the OpenEmbedded community around 2008. I
> have fond memories of my early days, and still remember some of my first
> interactions on IRC and mailing lists! This is a very welcoming community,
> always helping new people with patience and kindness. Serving the project
> during the last five years is something I am very proud of, and I will be
> forever grateful to all of you for accepting me!
>
> During these years, we have gone through a lot together, the pandemic gave us
> an opportunity to rethink how our community should come together. Setting up
> our Virtual Summits has been a lot of work (and stress!) for a group of few
> people, but the never ending success of these events has been very rewarding!
> Our online presence in social media has dramatically improved, and allows us
> to reach out to and interact with our community faster than ever before!
>
> On the side of all the technical changes, and releases, we have also
> established the Yocto LTS process which was a recurring request from the
> community and has become a strength of the project! We also revamped the
> project documentation to make it easier to maintain and contribute. The Yocto
> Project documentation is such a great resource for our community! I have
> spent so many hours on these PDFs in my early days!
>
> Anyway, let's not focus on the past! The future looks bright and I am really
> excited to announce that Josef Holzmayr has accepted to take over the
> Community Manager role. Josef needs no introduction, he has been a key member
> of this community for so many years. Thanks to Josef's relentless efforts, we
> have grown our social media presence on Youtube, Twitter, LinkedIn and
> Mastodon! His energy will be a great source of inspiration for this
> community! I wish Josef and Yocto the best for the years to come, and I am
> convinced this community is in good hands and that Josef will be a great
> community leader!
>
> Many thanks!
> Nico