Re: [oe] [meta-oe][scarthgap][PATCH] kernel-hardening-checker: backport recipe

[Gyorgy Sarvari <skandigraun@gmail.com>]

On 8/20/25 10:04, Michael Opdenacker wrote:
> Hi Gyorgy
>
> Thanks for your reply!
>
> On 8/20/25 09:44, Gyorgy Sarvari wrote:
>> On 8/19/25 22:39, Michael Opdenacker via lists.openembedded.org wrote:
>>> From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
>>>
>>> This recipe is a Scarthgap backport of kernel-hardening-checker_0.6.10.2.bb
>>> in the master branch as of August 19, 2025.
>>>
>>> Tested on qemux86-64 and on beaglebone-yocto
>>>
>>> Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
>>> ---
>>>   ...ject.toml-fix-up-license-information.patch | 31 ++++++++++++++
>>>   ...-relax-setuptool-version-requirement.patch | 29 +++++++++++++
>>>   .../kernel-hardening-checker_0.6.10.2.bb      | 41 +++++++++++++++++++
>>>   3 files changed, 101 insertions(+)
>>>   create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
>>>   create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
>>>   create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb
>> Note that new recipes are only accepted in master branch, not in stable
>> branches.
> However, this has already been accepted in master 
> (https://git.openembedded.org/meta-openembedded/commit/?id=5ae3536204ba3764b03647ab75169ee65ca43531)
> It's true that meta-oe didn't originally have this recipe, but what's 
> the harm in sharing with LTS users that could have the same need as 
> mine? The risk of breaking tests again meta-oe?

At the end of the day it's of course the branch maintainer's call if he
accepts the extra recipe and the testing and maintenance tasks that come
with it, but I don't recall it happening in recent years. 

I think it would make precedent - if this recipe is accepted, why
wouldn't others be accepted? When does a small addition become an
unacceptably risky or big one? Stability is boring - and that's the
point. This of course is just the personal opinion of an internet rando
(me), and not official in any shape or form.

> I'm reading https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS 
> ... I guess such a backport qualifies as a "new feature". But does this 
> really apply to meta-openembedded which is not officially part of the LTS?
>
> On the other hand, mixin layers are supposed to be for "potentially 
> invasive changes", which is not the case here.
> So, where are such (new) backports supposed to be shared?

Such backports usually live in product specific layers (sometimes in
other community layers that take up the task of acting like a mixin
layer) until the project updates to a release that contains that recipe.

> Thanks
> Michael.
>