Does YP provide security support for stable and LTS branches?

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Adrian Bunk <bunk@stusta.de>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: openembedded-architecture@lists.openembedded.org,
	Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Does YP provide security support for stable and LTS branches?
Date: Wed, 4 Mar 2020 16:01:09 +0200	[thread overview]
Message-ID: <20200304140109.GC7923@localhost> (raw)
In-Reply-To: <CANNYZj8wnuNLrw6s=y0cgg5uoMTjA+fMEXW_TsmtKWZ4UDzwOA@mail.gmail.com>

On Wed, Mar 04, 2020 at 01:13:19PM +0100, Alexander Kanavin wrote:
> On Wed, 4 Mar 2020 at 12:32, Adrian Bunk <bunk@stusta.de> wrote:
> 
> > I am sure there will be an update to the announcement if this doesn't
> > reflect current reality.
> 
> Who is expected to do the actual work of tracking CVEs, making action
> points and performing the actions? The current reality is this: the
> security update work is done ad hoc by community, even for stable branches.
> There is no rigorous security process like in Debian, and no roles to
> follow in that process. This means that if no one bothers to make a patch,
> the security issue will remain unfixed, and this does happen often. If you
> are expecting anything else (e.g. that listed recipe maintainers should do
> something), you're setting yourself up to be disappointed.

All I am expecting is honesty.

If YP does not provide security support for supported stable branches, 
then public statements that community support would be worse than stable 
branches due to lack of security support are dishonest and offensive.

It also puts all users of Yocto stable and LTS releases and billions of 
devices at danger if the Yocto project announces security support but 
does not deliver.

The normal user expects that that the announced "usual defect fixes and 
updates for the extended period of two years" in LTS include the regular 
security updates that were claimed for stable branches earlier in the 
same announcement.

For cases where I am the user the only benefit of going through the pain 
of upgrading existing products from older releases to Yocto 3.1 would be 
2 years of security support from upstream. Doing the upgrade and only 
discovering afterwards that it doesn't bring the benefit that was 
promised would make me <unprintable>.

Let me repeat that the only thing I am expecting is honesty,
and all I am asking for is that if YP does not provide security
support for stable and LTS branches this should be communicated
clearly so that all users are aware.

> Alex

cu
Adrian

next prev parent reply	other threads:[~2020-03-04 14:01 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-23 19:34 [RFC][PATCH 1/2] nss: Move to meta-oe Adrian Bunk
2020-02-23 19:34 ` [RFC][PATCH 2/2] nspr: " Adrian Bunk
2020-02-24  0:25 ` [RFC][PATCH 1/2] nss: " Khem Raj
2020-02-24  5:17   ` Adrian Bunk
2020-02-24 16:32     ` akuster808
2020-02-27 13:27       ` Adrian Bunk
2020-02-27 14:03         ` Alexander Kanavin
2020-03-04  9:05           ` Adrian Bunk
2020-03-04  9:36             ` Alexander Kanavin
2020-03-04 11:32               ` Adrian Bunk
2020-03-04 12:13                 ` Alexander Kanavin
2020-03-04 14:01                   ` Adrian Bunk [this message]
2020-03-04 16:00                     ` Does YP provide security support for stable and LTS branches? Alexander Kanavin
2020-03-04 17:24                       ` Adrian Bunk
2020-03-04 20:26                         ` [Openembedded-architecture] " akuster808
2020-03-06 10:04                           ` Adrian Bunk
2020-03-06 10:36                             ` Richard Purdie
2020-03-08 21:46                               ` Adrian Bunk
2020-03-08 22:08                                 ` Alexander Kanavin
2020-03-09  0:23                                   ` Adrian Bunk
2020-03-09  7:29                                     ` Ayoub Zaki
2020-03-09  9:53                                       ` Alexander Kanavin
2020-03-09 12:45                                       ` Richard Purdie
2020-03-10 16:11                                       ` Ross Burton
2020-03-10 19:45                                         ` Ayoub Zaki
2020-03-11 14:53                                           ` Ross Burton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200304140109.GC7923@localhost \
    --to=bunk@stusta.de \
    --cc=alex.kanavin@gmail.com \
    --cc=openembedded-architecture@lists.openembedded.org \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox