From: Adrian Bunk <bunk@stusta.de>
To: Mikko.Rapeli@bmw.de
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH RFC CFH][sumo 00/47] CVE check backport
Date: Thu, 7 Nov 2019 16:47:52 +0200
Message-ID: <20191107144752.GB23775@localhost>
In-Reply-To: <20191107121351.GK2398@hiutale>
On Thu, Nov 07, 2019 at 12:13:51PM +0000, Mikko.Rapeli@bmw.de wrote:
> Hi,
Hi Mikko,
> On Thu, Nov 07, 2019 at 01:13:32PM +0200, Adrian Bunk wrote:
> > On Wed, Nov 06, 2019 at 05:37:15PM +0200, Mikko Rapeli wrote:
> > > Hi,
> >
> > Hi Mikko,
> >
> > >...
> > > I use sumo and due to various reasons like BSP layers, binary
> > > compatibility, contracts etc can't update to newer release
> > > or to master branch. I suspect I'm not alone.
> >
> > I might end up with similar reasons, but for warrior.
> > And might end up doing similar longer term updates for warrior.
> > (not yet 100% certain)
>
> I'm skipping warrior but going to zeus in addition to sumo. After
> inspiration from Yocto Project Summit I hope to run master branch
> in some projects with regular updates, and eventually aligning to
> some stable release again. Hopefully an LTS one :)
Everyone is currently running projects on different releases.
Let's hope LTS will happen, and that with a properly communicated LTS
schedule most distributions and users will switch to the LTS releases
just like what happened with Ubuntu.
> > >...
> > > The tooling will expose that sumo is severely lacking in security
> > > patches, but the tooling is a start for anyone interested, like me,
> > > to fill the gaps and publish patches for bitbake recipes we care
> > > about.
> > >...
> >
> > Thud is officially still community maintained, as long as this is true
> > the point could be made that everything that gets fixed in sumo should
> > also get fixed in thud.
>
> So to keep sumo alive, we should then also keep zeus, warrior and thud, and
> of course master branch first. For some issues this actually works when
> the exact same CVE patch applies, but the open question then is testing.
>...
When a branch is EOL it is documented to be dead.
But upgrading to a more recent non-EOL branch, e.g. sumo to thud,
should not result in losing (security) fixes.
The root problem is that "community support" for a stable branch in
practice often means "no support".
If sumo is supported but thud is not, this should at least be made
visible to users.
> -Mikko
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Thread overview: 62+ messages
2019-11-06 15:37 [PATCH RFC CFH][sumo 00/47] CVE check backport Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 01/47] cve-update-db: New recipe to update CVE database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 02/47] cve-check: Remove dependency to cve-check-tool-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 03/47] cve-check: Manage CVE_PRODUCT with more than one name Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 04/47] cve-check: Consider CVE that affects versions with less than operator Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 05/47] flac: also add flac to CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 06/47] cve-update-db: Use std library instead of urllib3 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 07/47] cve-check: be idiomatic Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 08/47] cve-update-db: Manage proxy if needed Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 09/47] cve-update-db: do_populate_cve_db depends on do_fetch Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 10/47] cve-update-db: Catch request.urlopen errors Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 11/47] cve-check: Depends on cve-update-db-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 12/47] cve-check: Update unpatched CVE matching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 13/47] cve-check: remove redundant readline CVE whitelisting Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 14/47] cve-check-tool: remove Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 15/47] glibc: exclude child recipes from CVE scanning Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 16/47] cve-check.bbclass: initialize to_append Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 17/47] cve-check: allow comparison of Vendor as well as Product Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 18/47] cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 19/47] cve-update-db-native: use SQL placeholders instead of format strings Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 20/47] cve-update-db: Use NVD CPE data to populate PRODUCTS table Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 21/47] cve-update-db-native: Remove hash column from database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 22/47] cve-update-db-native: use os.path.join instead of + Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 23/47] cve-update-db: actually inherit native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 24/47] cve-update-db-native: use executemany() to optimise CPE insertion Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 25/47] cve-update-db-native: improve metadata parsing Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 26/47] cve-update-db-native: clean up JSON fetching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 27/47] cve-update-db-native: fix https proxy issues Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 28/47] cve-check: ensure all known CVEs are in the report Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 29/47] cve-check: failure to parse versions should be more visible Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 30/47] xserver-xorg: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 31/47] nasm: add CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 32/47] dropbear: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 33/47] libsdl: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 34/47] ghostscript: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 35/47] squashfs-tools: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 36/47] libxfont2: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 37/47] flex: set CVE_PRODUCT to include vendor Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 38/47] webkitgtk: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 39/47] libpam: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 40/47] procps: whitelist CVE-2018-1121 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 41/47] libpng: whitelist CVE-2019-17371 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 42/47] openssl: set CVE vendor to openssl Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 43/47] rsync: fix CVEs for included zlib Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 44/47] ed: set CVE vendor to avoid false positives Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 45/47] boost: set CVE vendor to Boost Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 46/47] subversion: set CVE vendor to Apache Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 47/47] git: set CVE vendor to git-scm Mikko Rapeli
2019-11-06 17:32 ` ✗ patchtest: failure for CVE check backport Patchwork
2019-11-06 21:46 ` [PATCH RFC CFH][sumo 00/47] " akuster808
2019-11-07 9:14 ` Mikko.Rapeli
2019-11-07 15:03 ` Richard Purdie
2019-11-07 15:55 ` akuster808
2019-11-07 16:32 ` Richard Purdie
2019-11-11 10:42 ` Adrian Bunk
2019-11-11 13:12 ` Richard Purdie
2019-11-11 14:14 ` Adrian Bunk
2019-11-11 15:54 ` Khem Raj
2019-11-11 16:13 ` Adrian Bunk
2019-11-07 11:13 ` Adrian Bunk
2019-11-07 12:13 ` Mikko.Rapeli
2019-11-07 14:47 ` Adrian Bunk [this message]