* is it time for a separate YP doc focusing on security/vulnerabilities/CVEs, etc?
From: Robert P. J. Day @ 2025-12-15 21:02 UTC (permalink / raw)
To: YP docs mailing list
i know i've mentioned this before but, to start with, the dev manual
section "Making Images More Secure":
https://docs.yoctoproject.org/dev-manual/securing-images.html
opens with three links all of which are more than a decade old. and
further down in that same manual, there are two sections related to
vulnerabilities. given the importance of security in the embedded
space, might it be time for a whole document devoted to the subject?
there were a number of talks related to this in the recent YP
virtual summit, that seems like a decent place to start. surely there
is easily enough content to justify a separate manual for this, no?
rday
* Re: [docs] is it time for a separate YP doc focusing on security/vulnerabilities/CVEs, etc?
From: Quentin Schulz @ 2025-12-16 9:33 UTC (permalink / raw)
To: rpjday, YP docs mailing list
Hi Robert,
On 12/15/25 10:00 PM, Robert P. J. Day via lists.yoctoproject.org wrote:
>
> i know i've mentioned this before but, to start with, the dev manual
> section "Making Images More Secure":
>
> https://docs.yoctoproject.org/dev-manual/securing-images.html
>
> opens with three links all of which are more than a decade old. and
> further down in that same manual, there are two sections related to
> vulnerabilities. given the importance of security in the embedded
> space, might it be time for a whole document devoted to the subject?
>
> there were a number of talks related to this in the recent YP
> virtual summit, that seems like a decent place to start. surely there
> is easily enough content to justify a separate manual for this, no?
>
https://lore.kernel.org/yocto-docs/20251204-reorg-security-section-v1-1-75aeeb741c83@bootlin.com/
Maybe?
Anything more to add to that patch? Since you have some interest in the
topic, please take a few minutes and help review it?
Cheers,
Quentin
* Re: [docs] is it time for a separate YP doc focusing on security/vulnerabilities/CVEs, etc?
From: Antonin Godard @ 2025-12-16 10:09 UTC (permalink / raw)
To: quentin.schulz, rpjday, YP docs mailing list
Hi,
On Tue Dec 16, 2025 at 10:33 AM CET, Quentin Schulz via lists.yoctoproject.org wrote:
> Hi Robert,
>
> On 12/15/25 10:00 PM, Robert P. J. Day via lists.yoctoproject.org wrote:
>>
>> i know i've mentioned this before but, to start with, the dev manual
>> section "Making Images More Secure":
>>
>> https://docs.yoctoproject.org/dev-manual/securing-images.html
>>
>> opens with three links all of which are more than a decade old. and
>> further down in that same manual, there are two sections related to
>> vulnerabilities. given the importance of security in the embedded
>> space, might it be time for a whole document devoted to the subject?
>>
>> there were a number of talks related to this in the recent YP
>> virtual summit, that seems like a decent place to start. surely there
>> is easily enough content to justify a separate manual for this, no?
>>
>
> https://lore.kernel.org/yocto-docs/20251204-reorg-security-section-v1-1-75aeeb741c83@bootlin.com/
>
> Maybe?
>
> Anything more to add to that patch? Since you have some interest in the
> topic, please take a few minutes and help review it?
This patch moves the process-related security bits to their own section, but it's
process only. I believe Robert was talking more about a "how to secure your
target" manual.
Right now, I can see we have:
- dev-manual/securing-images.rst
- dev-manual/vulnerabilities.rst
- dev-manual/read-only-rootfs.rst
- (anything else?)
I'm not against moving these to a security manual, like the kernel or profiling
one. It also puts security a bit more to the front, which I think is what the
YP (and rest of the world) is leaning towards.
Afterwards, people can plug in security guides/tips in there, as long as the
implementation is supported in OE-Core/Poky. For example, systemd security
features through PACKAGECONFIG, etc.
This would also help with this open bug:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14509.
Regarding the links in securing-images.rst, yes, they could be refreshed or even
removed, as I find the sentence "Consider the issues and problems discussed in
just this sampling of work found across the Internet:" not strictly necessary in
a Yocto Project documentation context. Patches welcome :)
Antonin
--
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com