public inbox for docs@lists.yoctoproject.org
From: "Antonin Godard" <antonin.godard@bootlin.com>
To: <quentin.schulz@cherry.de>, <rpjday@crashcourse.ca>,
	"YP docs mailing list" <docs@lists.yoctoproject.org>
Subject: Re: [docs] is it time for a separate YP doc focusing on security/vulnerabilities/CVEs, etc?
Date: Tue, 16 Dec 2025 11:09:17 +0100	[thread overview]
Message-ID: <DEZK4PFP76QY.NVX9OTMIP8WE@bootlin.com> (raw)
In-Reply-To: <dc3f345e-ad6f-435b-b0bb-98c07e1a9b7f@cherry.de>

Hi,

On Tue Dec 16, 2025 at 10:33 AM CET, Quentin Schulz via lists.yoctoproject.org wrote:
> Hi Robert,
>
> On 12/15/25 10:00 PM, Robert P. J. Day via lists.yoctoproject.org wrote:
>> 
>>    i know i've mentioned this before but, to start with, the dev manual
>> section "Making Images More Secure":
>> 
>>    https://docs.yoctoproject.org/dev-manual/securing-images.html
>> 
>> opens with three links all of which are more than a decade old. and
>> further down in that same manual, there are two sections related to
>> vulnerabilities. given the importance of security in the embedded
>> space, might it be time for a whole document devoted to the subject?
>> 
>>    there were a number of talks related to this in the recent YP
>> virtual summit, that seems like a decent place to start. surely there
>> is easily enough content to justify a separate manual for this, no?
>> 
>
> https://lore.kernel.org/yocto-docs/20251204-reorg-security-section-v1-1-75aeeb741c83@bootlin.com/
>
> Maybe?
>
> Anything more to add to that patch? Since you have some interest in the 
> topic, please take a few minutes and help review it?

This patch moves the process-related security bits to its own section, but it's
process only. I believe Robert was talking more about a "how to secure your
target" manual.

Right now, I can see we have:

- dev-manual/securing-images.rst
- dev-manual/vulnerabilities.rst
- dev-manual/read-only-rootfs.rst
- (anything else?)

I'm not against moving these to a security manual, like the kernel or profiling
one. It also puts security a bit more to the front, which I think is what the
YP (and rest of the world) is leaning towards.

Afterwards, people can plug in security guides/tips there, as long as the
implementation is supported in OE-Core/Poky. For example, systemd security
features through PACKAGECONFIG, etc.

This would also help with this open bug:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509.

Regarding the links in securing-images.rst, yes, they could be refreshed or even
removed, as I find the sentence "Consider the issues and problems discussed in
just this sampling of work found across the Internet:" not strictly necessary in
a Yocto Project documentation context. Patches welcome :)

Antonin

-- 
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
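As an added illustration of the build-side settings such a manual would gather in one place, the local.conf fragment below ties together the three existing pages named in the reply (securing-images, read-only-rootfs, vulnerabilities) with the systemd PACKAGECONFIG example the reply mentions. This is an example written for this page, not code from the thread, the Yocto Project documentation or OE-Core. The variable and class names are standard OE-Core ones; the "seccomp" PACKAGECONFIG option is assumed to be present in the systemd recipe of the release you build, so check it before relying on it.

```bitbake
# conf/local.conf fragment (added example; not from the thread or OE-Core).
# Each item shows the default or weak setting in a comment and the hardened
# setting as the live line.

# 1. Drop the development conveniences (dev-manual/securing-images).
#    Poky's sample local.conf ships:  EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
#    which pulls in an empty root password and root login over SSH.
EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"

# 2. Mount the root filesystem read-only (dev-manual/read-only-rootfs).
#    Recipes that need writable state at runtime must already be adapted
#    (volatile binds, etc.) or the image will not boot cleanly.
EXTRA_IMAGE_FEATURES += "read-only-rootfs"

# 3. Report known CVEs against the exact versions being built
#    (dev-manual/vulnerabilities). Results land under tmp/deploy/cve by default.
INHERIT += "cve-check"

# 4. Turn on a systemd security feature through PACKAGECONFIG, the example the
#    reply gives. With libseccomp support, units can use SystemCallFilter=.
#    Assumption: "seccomp" is a PACKAGECONFIG option of your release's systemd
#    recipe. Verify with:  bitbake -e systemd | grep '^PACKAGECONFIG'
PACKAGECONFIG:append:pn-systemd = " seccomp"
```

The `:remove` and `:append:pn-<recipe>` forms are the override syntax used since the Honister release; older branches spell them `_remove` and `_append_pn-<recipe>`.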



Thread overview:
2025-12-15 21:02 is it time for a separate YP doc focusing on security/vulnerabilities/CVEs, etc? Robert P. J. Day
2025-12-16  9:33 ` [docs] " Quentin Schulz
2025-12-16 10:09   ` Antonin Godard [this message]