From: Adrian Bunk <bunk@stusta.de>
To: Mikko.Rapeli@bmw.de
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH RFC CFH][sumo 00/47] CVE check backport
Date: Thu, 7 Nov 2019 16:47:52 +0200
Message-ID: <20191107144752.GB23775@localhost>
In-Reply-To: <20191107121351.GK2398@hiutale>
On Thu, Nov 07, 2019 at 12:13:51PM +0000, Mikko.Rapeli@bmw.de wrote:
> Hi,
Hi Mikko,
> On Thu, Nov 07, 2019 at 01:13:32PM +0200, Adrian Bunk wrote:
> > On Wed, Nov 06, 2019 at 05:37:15PM +0200, Mikko Rapeli wrote:
> > > Hi,
> >
> > Hi Mikko,
> >
> > >...
> > > I use sumo and due to various reasons like BSP layers, binary
> > > compatibility, contracts etc can't update to newer release
> > > or to master branch. I suspect I'm not alone.
> >
> > I might end up with similar reasons, but for warrior.
> > And might end up doing similar longer term updates for warrior.
> > (not yet 100% certain)
>
> I'm skipping warrior but going to zeus in addition to sumo. After
> inspiration from Yocto Project Summit I hope to run master branch
> in some projects with regular updates, and eventually aligning to
> some stable release again. Hopefully an LTS one :)
everyone is currently running projects on different releases.
Let's hope LTS will happen, and that with a properly communicated LTS
schedule most distributions and users will switch to the LTS releases
just like what happened with Ubuntu.
> > >...
> > > The tooling will expose that sumo is severely lacking in security
> > > patches, but the tooling is a start for anyone interested, like me,
> > > to fill the gaps and publish patches for bitbake recipes we care
> > > about.
> > >...
> >
> > Thud is officially still community maintained, as long as this is true
> > the point could be made that everything that gets fixed in sumo should
> > also get fixed in thud.
>
> So to keep sumo alive, we should then also keep zeus, warrior and thud, and
> of course master branch first. For some issues this actually works when
> the exact same CVE patch applies, but the open question then is testing.
>...
When a branch is EOL it is documented to be dead.
But upgrading to a more recent non-EOL branch, e.g. sumo to thud,
should not result in losing (security) fixes.
The root problem is that "community support" for a stable branch in
practice often means "no support".
If sumo is supported but thud is not, this should at least be made
visible to users.
> -Mikko
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Thread overview: 62+ messages
2019-11-06 15:37 [PATCH RFC CFH][sumo 00/47] CVE check backport Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 01/47] cve-update-db: New recipe to update CVE database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 02/47] cve-check: Remove dependency to cve-check-tool-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 03/47] cve-check: Manage CVE_PRODUCT with more than one name Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 04/47] cve-check: Consider CVE that affects versions with less than operator Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 05/47] flac: also add flac to CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 06/47] cve-update-db: Use std library instead of urllib3 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 07/47] cve-check: be idiomatic Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 08/47] cve-update-db: Manage proxy if needed Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 09/47] cve-update-db: do_populate_cve_db depends on do_fetch Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 10/47] cve-update-db: Catch request.urlopen errors Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 11/47] cve-check: Depends on cve-update-db-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 12/47] cve-check: Update unpatched CVE matching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 13/47] cve-check: remove redundant readline CVE whitelisting Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 14/47] cve-check-tool: remove Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 15/47] glibc: exclude child recipes from CVE scanning Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 16/47] cve-check.bbclass: initialize to_append Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 17/47] cve-check: allow comparison of Vendor as well as Product Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 18/47] cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 19/47] cve-update-db-native: use SQL placeholders instead of format strings Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 20/47] cve-update-db: Use NVD CPE data to populate PRODUCTS table Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 21/47] cve-update-db-native: Remove hash column from database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 22/47] cve-update-db-native: use os.path.join instead of + Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 23/47] cve-update-db: actually inherit native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 24/47] cve-update-db-native: use executemany() to optimise CPE insertion Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 25/47] cve-update-db-native: improve metadata parsing Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 26/47] cve-update-db-native: clean up JSON fetching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 27/47] cve-update-db-native: fix https proxy issues Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 28/47] cve-check: ensure all known CVEs are in the report Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 29/47] cve-check: failure to parse versions should be more visible Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 30/47] xserver-xorg: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 31/47] nasm: add CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 32/47] dropbear: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 33/47] libsdl: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 34/47] ghostscript: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 35/47] squashfs-tools: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 36/47] libxfont2: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 37/47] flex: set CVE_PRODUCT to include vendor Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 38/47] webkitgtk: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 39/47] libpam: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 40/47] procps: whitelist CVE-2018-1121 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 41/47] libpng: whitelist CVE-2019-17371 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 42/47] openssl: set CVE vendor to openssl Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 43/47] rsync: fix CVEs for included zlib Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 44/47] ed: set CVE vendor to avoid false positives Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 45/47] boost: set CVE vendor to Boost Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 46/47] subversion: set CVE vendor to Apache Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 47/47] git: set CVE vendor to git-scm Mikko Rapeli
2019-11-06 17:32 ` ✗ patchtest: failure for CVE check backport Patchwork
2019-11-06 21:46 ` [PATCH RFC CFH][sumo 00/47] " akuster808
2019-11-07 9:14 ` Mikko.Rapeli
2019-11-07 15:03 ` Richard Purdie
2019-11-07 15:55 ` akuster808
2019-11-07 16:32 ` Richard Purdie
2019-11-11 10:42 ` Adrian Bunk
2019-11-11 13:12 ` Richard Purdie
2019-11-11 14:14 ` Adrian Bunk
2019-11-11 15:54 ` Khem Raj
2019-11-11 16:13 ` Adrian Bunk
2019-11-07 11:13 ` Adrian Bunk
2019-11-07 12:13 ` Mikko.Rapeli
2019-11-07 14:47 ` Adrian Bunk [this message]