Re: [yocto] General policies for CVE fixes

Wed, 19 Oct 2016 08:43:00 -0700 


On 10/19/2016 03:42 AM, Sona Sarmadi wrote:

 From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance:

General policies:

Fixes must go into master first unless they are applicable only to the
stable branch; if back-porting to an older stable branch, the fix
should first be applied to the newer stable branches before being
back-ported to the older branch

Does anyone know the reason for the policy above i.e. why fixes have
to go to master first?

1)      It makes more sense at least for users  to get CVE fixes as soon as
possible in the maintenance branches.

this is to ensure, that we do not regress next time when we release next
version from master. So its important to ensure that the fix has been
applied to master sometimes you can assert that the fix has gone into new
version of a package that is due to be uprevved in master and will be
done soonish. Such information is helpful when making security patches
for release branches.

Actually there was a suggestion at OEDEM on informing CVE ml that we
have as the CVE fixes get applied to metadata. Thats a good suggestion to
have implemented.


Thanks everyone for your explanation.

Yes regressions (forgetting to fix bugs in master) are bad.  I believe there
are other ways to avoid this, Yocto project has a bug reporting system to
have track of such things, right?

The issue there is if Jethro gets a fix and Krogoth, morty and mater  
need it as well, the bug system implies someone else is going to have to 
do the work.
That is the problem. Not too many people are stepping up to do the work 
in the other branches.




Maintenance branches are likely deployed in production systems, I think
Fixing security problems here should have higher priority.

You are more than welcome to submit patches for the stable branch you 
are concerned about knowing the patches wont be applied until the parent 
branches are addressed first.



  Don't you agree?

Perhaps we should discuss this at next OEDEM :)

We have and until more people step up to help, this will be a constant 
issue.


-armin


Cheers //Sona


--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto






















					Reply via email to