* [Buildroot] [PATCH v2 0/2] Add security policy information

From: Titouan Christophe via buildroot
Date: 2026-03-26 8:14 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

As part of the effort to obtain the OpenSSF Best Practices badge for the
Buildroot project, add basic security contacts for the Buildroot project.

This helps fulfil the following requirements:

> While active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
> Create a security.md (or similarly-named) file that contains security contacts for the project.

> The project MUST publish the process for reporting vulnerabilities on the project site.
> If private vulnerability reports are supported, the project MUST include
> how to send the information in a way that is kept private.

Titouan Christophe (2):
  docs/website: add security contact information on the homepage
  SECURITY.md: add new file

 SECURITY.md             | 36 ++++++++++++++++++++++++++++++++++++
 docs/website/index.html | 11 +++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 SECURITY.md

--
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH v2 1/2] docs/website: add security contact information on the homepage

From: Titouan Christophe via buildroot
Date: 2026-03-26 8:14 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
(no changes since v1 in this patch)
---
 docs/website/index.html | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/website/index.html b/docs/website/index.html index d68436c721..027fd485e0 100644 --- a/docs/website/index.html +++ b/docs/website/index.html @@ -148,4 +148,15 @@ </div> </div><!-- /container --> +<div class="container"> + <div class="row mt centered"> + <div class="col-lg-6 col-lg-offset-3"> + <h1>Security</h1> + <h3>To report a security vulnerability, please send an email to + <a href="mailto:security@buildroot.org">security@buildroot.org</a>.</h3> + </div> + </div><!-- /row --> + <hr> +</div><!-- /container --> + <!--#include file="footer.html" -->

--
2.53.0
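Review bot: the new block wraps a full sentence of body text in a heading element (`<h3>To report a security vulnerability, please send an email to ... </h3>`), which promotes instructions to a heading; a `<p>` under `<h1>Security</h1>` renders the same message and keeps the page outline clean. The homepage also says nothing about how the address is handled, whereas SECURITY.md in 2/2 states that security@buildroot.org is a private list reaching the maintainers only; repeating that one sentence next to the link tells a reporter what to expect before they send details.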
* Re: [Buildroot] [PATCH v2 1/2] docs/website: add security contact information on the homepage

From: Julien Olivain via buildroot
Date: 2026-03-26 20:16 UTC
To: Titouan Christophe
Cc: buildroot, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

On 26/03/2026 09:14, Titouan Christophe via buildroot wrote:
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Series applied to master, thanks.
* [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

From: Titouan Christophe via buildroot
Date: 2026-03-26 8:14 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

This is an in-tree description of Buildroot's security policies

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
Changes v1->v2:
- Add references to the Buildroot User Manual for vulnerability tracking
- Add links to autobuilder pkg-stats and Buildroot security website
- Link to CPE info for Buildroot
- Explicitly say that security@buildroot.org is a private ML
---
 SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..6b21ffd2b9 --- /dev/null +++ b/SECURITY.md
@@ -0,0 +1,36 @@ +# Security Policy + +## Security advisories + +Advisories for Buildroot security vulnerabilities are reported on the +developer's mailing list. A public archive can be consulted on +https://lists.buildroot.org/mailman/listinfo/buildroot + +Buildroot itself has a CPE to track its published vulnerabilities: +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot + +The Buildroot project provides some ways for its users to track known +vulnerabilites in the packages included in the generated images, see: +- https://nightly.buildroot.org/manual.html#_details_about_packages + +In addition, detailed informations for all packages integrated with Buildroot +are updated daily on the following public web pages: +- https://security.buildroot.org/ +- https://autobuild.buildroot.org/stats/ + +## Reporting a Vulnerability + +To report a security vulnerability found in the Buildroot build system itself, +please send an email to [security@buildroot.org](mailto:security@buildroot.org). + +This is a private mailing list contacting the Buildroot maintainers only. + +## Vulnerabilities in packages + +Buildroot is a build system that cross-compiles packages from third-party +sources. The Buildroot developers are not responsible for security +vulnerabilities in these packages. Such vulnerabilities should be reported +directly to the upstream project that maintains the affected package. + +When vulnerabilities are fixed upstream, send a patch to update the affected +packages in Buildroot.

--
2.53.0
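Review bot: in "Security advisories", the sentence "A public archive can be consulted on https://lists.buildroot.org/mailman/listinfo/buildroot" points at a Mailman `listinfo` URL, which is the list's subscription and information page rather than the archive itself; either reword it to "subscribe via" or link the archive directly. Two spelling slips in the added text: `vulnerabilites` in the "track known" paragraph, and `detailed informations` (uncountable, so `detailed information`). Finally, the cover letter quotes the badge requirement that a project accepting private reports must say "how to send the information in a way that is kept private"; "Reporting a Vulnerability" names the private list but does not say whether an encrypted report is possible, so if the maintainers have an OpenPGP key, link it here, and otherwise state plainly that unencrypted email to the list is the channel, ideally with a rough expected acknowledgement time.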
* Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

From: Fiona Klute via buildroot
Date: 2026-03-26 9:38 UTC
To: Titouan Christophe, buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

Hi Titouan!

On 26.03.26 at 10:14, Titouan Christophe via buildroot wrote:
> This is an in-tree description of Buildroot's security policies
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitly say that security@buildroot.org is a private ML
> ---
> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..6b21ffd2b9 --- /dev/null +++ b/SECURITY.md
> @@ -0,0 +1,36 @@ > +# Security Policy > + > +## Security advisories > + > +Advisories for Buildroot security vulnerabilities are reported on the > +developer's mailing list. A public archive can be consulted on > +https://lists.buildroot.org/mailman/listinfo/buildroot > + > +Buildroot itself has a CPE to track its published vulnerabilities: > +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot > + > +The Buildroot project provides some ways for its users to track known > +vulnerabilites in the packages included in the generated images, see: > +- https://nightly.buildroot.org/manual.html#_details_about_packages > + > +In addition, detailed informations for all packages integrated with Buildroot > +are updated daily on the following public web pages: > +- https://security.buildroot.org/ > +- https://autobuild.buildroot.org/stats/ > + > +## Reporting a Vulnerability > + > +To report a security vulnerability found in the Buildroot build system itself, > +please send an email to [security@buildroot.org](mailto:security@buildroot.org). > + > +This is a private mailing list contacting the Buildroot maintainers only. > + > +## Vulnerabilities in packages > + > +Buildroot is a build system that cross-compiles packages from third-party > +sources. The Buildroot developers are not responsible for security > +vulnerabilities in these packages. Such vulnerabilities should be reported > +directly to the upstream project that maintains the affected package. > + > +When vulnerabilities are fixed upstream, send a patch to update the affected > +packages in Buildroot.

I'm not sure what the ideal phrasing is, but I think it is important to
be clear here that bugfix patches (especially but not exclusively
security ones) may be merged independently of upstream releases, though
they should be sent upstream first. People following this ML probably
know that, but for someone new it may be an important hint.
Best regards,
Fiona
* Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

From: Julien Olivain via buildroot
Date: 2026-03-26 20:24 UTC
To: Fiona Klute
Cc: Titouan Christophe, buildroot, Thomas Petazzoni, Romain Naour, Thomas Perale, Marcus Hoffmann

Hi Fiona, Titouan, All,

On 26/03/2026 10:38, Fiona Klute via buildroot wrote:
> Hi Titouan!
>
> On 26.03.26 at 10:14, Titouan Christophe via buildroot wrote:
>> This is an in-tree description of Buildroot's security policies
>>
>> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
>> ---
>> Changes v1->v2:
>> - Add references to the Buildroot User Manual for vulnerability tracking
>> - Add links to autobuilder pkg-stats and Buildroot security website
>> - Link to CPE info for Buildroot
>> - Explicitly say that security@buildroot.org is a private ML
>> ---
>> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>> 1 file changed, 36 insertions(+)
>> create mode 100644 SECURITY.md
>>
>> diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..6b21ffd2b9 --- /dev/null +++ b/SECURITY.md
>> @@ -0,0 +1,36 @@ >> +# Security Policy >> + >> +## Security advisories >> + >> +Advisories for Buildroot security vulnerabilities are reported on the >> +developer's mailing list. A public archive can be consulted on >> +https://lists.buildroot.org/mailman/listinfo/buildroot >> + >> +Buildroot itself has a CPE to track its published vulnerabilities: >> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot >> + >> +The Buildroot project provides some ways for its users to track known >> +vulnerabilites in the packages included in the generated images, see: >> +- https://nightly.buildroot.org/manual.html#_details_about_packages >> + >> +In addition, detailed informations for all packages integrated with >> Buildroot >> +are updated daily on the following public web pages: >> +- https://security.buildroot.org/ >> +- https://autobuild.buildroot.org/stats/ >> + >> +## Reporting a Vulnerability >> + >> +To report a security vulnerability found in the Buildroot build >> system itself, >> +please send an email to >> [security@buildroot.org](mailto:security@buildroot.org). >> + >> +This is a private mailing list contacting the Buildroot maintainers >> only. >> + >> +## Vulnerabilities in packages >> + >> +Buildroot is a build system that cross-compiles packages from >> third-party >> +sources. The Buildroot developers are not responsible for security >> +vulnerabilities in these packages. Such vulnerabilities should be >> reported >> +directly to the upstream project that maintains the affected package. >> + >> +When vulnerabilities are fixed upstream, send a patch to update the >> affected >> +packages in Buildroot.
>
> I'm not sure what the ideal phrasing is, but I think it is important to
> be clear here that bugfix patches (especially but not exclusively
> security ones) may be merged independently of upstream releases, though
> they should be sent upstream first.
> People following this ML probably know that, but for someone new it may
> be an important hint.

While I agree with your comment, I still applied this patch as is.

I think this SECURITY.md file (which is here for "administrative"
reasons) should remain as short as possible, and all those
security/bugfix patch details should preferably go in the manual:

https://nightly.buildroot.org/manual.html#_contributing_to_buildroot
https://nightly.buildroot.org/manual.html#RELENG

Those sections need a few refreshes, to include the new LTS model and
the details on how to manage those patches to help LTS maintainers.
When those sections are up to date, we will simply add a link here
pointing to them.

> Best regards,
> Fiona

Best regards,
Julien.
* Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

From: Thomas Perale via buildroot
Date: 2026-04-03 10:28 UTC
To: Titouan Christophe
Cc: Thomas Perale, buildroot

In reply to:
> This is an in-tree description of Buildroot's security policies
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitly say that security@buildroot.org is a private ML
> ---
> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..6b21ffd2b9 --- /dev/null +++ b/SECURITY.md
> @@ -0,0 +1,36 @@ > +# Security Policy > + > +## Security advisories > + > +Advisories for Buildroot security vulnerabilities are reported on the > +developer's mailing list. A public archive can be consulted on > +https://lists.buildroot.org/mailman/listinfo/buildroot > + > +Buildroot itself has a CPE to track its published vulnerabilities: > +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot > + > +The Buildroot project provides some ways for its users to track known > +vulnerabilites in the packages included in the generated images, see: > +- https://nightly.buildroot.org/manual.html#_details_about_packages > + > +In addition, detailed informations for all packages integrated with Buildroot > +are updated daily on the following public web pages: > +- https://security.buildroot.org/ > +- https://autobuild.buildroot.org/stats/ > + > +## Reporting a Vulnerability > + > +To report a security vulnerability found in the Buildroot build system itself, > +please send an email to [security@buildroot.org](mailto:security@buildroot.org). > + > +This is a private mailing list contacting the Buildroot maintainers only. > + > +## Vulnerabilities in packages > + > +Buildroot is a build system that cross-compiles packages from third-party > +sources. The Buildroot developers are not responsible for security > +vulnerabilities in these packages. Such vulnerabilities should be reported > +directly to the upstream project that maintains the affected package. > + > +When vulnerabilities are fixed upstream, send a patch to update the affected > +packages in Buildroot.