The question of security comes up at every OpenEmbedded developer meeting. Clearly, the companies building products with OpenEmbedded care about security.
The problem following the CVE's direct is you need to do analysis to determine if a specific release has the vulnerability. We do have guidelines for marking CVE's addressed by commits, to help people interested in developing tools to show what CVE's are addressed in the meta data. One suggestion made is to setup some form of git hook to email commits with CVE tags to the security list. We are very interested in encouraging people who care about security to use the security mailing list to improve overall security of distributions (like Poky) built with OpenEmbedded. Philip On 01/10/2017 05:37 AM, Bent Bisballe Nyeng wrote: > On 01/10/2017 11:29 AM, Burton, Ross wrote: > > On 10 January 2017 at 10:01, Bent Bisballe Nyeng > <x...@mjolner.dk<mailto:x...@mjolner.dk>> wrote: > So /is/ the yocto-security mailinglist considered "dead"? Or has there > simply not been any security issues for a while? > > IIRC, yocto-security was more to discuss security issues, not an announcement > of security related fixes. If you care about security then you'll want > notice for more than just what is in oe-core, so I suggest monitoring the CVE > announcements directly. > > Ross > > I found the list initially through this page: > https://wiki.yoctoproject.org/wiki/Security where it is described as the > security [at] yoctoprojct [dot] org being the discussion list and the yocto > [dash] security [at] yoctoproject[dot] org being the security announcement > list. > > If the yocto [dash] security [at] yoctoproject[dot] org is in fact no longer > active I think it is important that the wiki page is changed to reflect that > to prevent potential dangerous misunderstandings in the future. > > Kind regards > Bent Bisballe Nyeng > > > -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
