On Wed, 4 Mar 2020 at 12:32, Adrian Bunk <b...@stusta.de> wrote:
> I am sure there will be an update to the announcement if this doesn't
> reflect current reality.
>
Who is expected to do the actual work of tracking CVEs, making action points and performing the actions?

The current reality is this: the security update work is done ad hoc by the community, even for stable branches. There is no rigorous security process like in Debian, and no roles to follow in that process. This means that if no one bothers to make a patch, the security issue will remain unfixed, and this does happen often.

If you are expecting anything else (e.g. that listed recipe maintainers should do something), you're setting yourself up to be disappointed.

Alex
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core