Encouraging distros to use newer recipe versions?

Encouraging distros to use newer recipe versions?

[Mike Westerhof]

Does it make any sense to create a class (or extend the sanity or testlab classes) so that OE can inform someone when a given build is using a recipe that can be considered obsolete?  Perhaps we might also add a bit more encouragement if it were possible to have that same class call out builds that have selected versions with known security vulnerabilities.

This would certainly help me with the distro I maintain -- one of the questions I cannot easily answer, and therefore tend to ignore, is "exactly how out-of-date has my distro become?".

I have no patches to do such a thing, and neither do I have time to create such a thing at this point in time, but perhaps if someone thinks this is worthwhile time can be made for it...

-Mike (mwester)

Re: Encouraging distros to use newer recipe versions?

[Richard Purdie]

On Sat, 2010-03-06 at 09:00 -0600, Mike Westerhof wrote:
> Does it make any sense to create a class (or extend the sanity or
> testlab classes) so that OE can inform someone when a given build is
> using a recipe that can be considered obsolete?  Perhaps we might also
> add a bit more encouragement if it were possible to have that same
> class call out builds that have selected versions with known security
> vulnerabilities.
> 
> This would certainly help me with the distro I maintain -- one of the
> questions I cannot easily answer, and therefore tend to ignore, is
> "exactly how out-of-date has my distro become?".
> 
> I have no patches to do such a thing, and neither do I have time to
> create such a thing at this point in time, but perhaps if someone
> thinks this is worthwhile time can be made for it...

I've been keeping half an eye on what Holger has been doing and yes, I
think this could be desirable. Its also rather straightforward to do.
Simply create a new variable

SECURITY_ISSUES_PRESENT = "This package has know security issues of: X,
Y, Z"

and then have insane.bbclass choke on this printing the messages unless
you set a variable ILOVESECURITYHOLES = "1"

:)

Cheers,

Richard

Re: Encouraging distros to use newer recipe versions?

[Holger Hans Peter Freyther]

On Saturday 06 March 2010 16:10:40 Richard Purdie wrote:

> > I have no patches to do such a thing, and neither do I have time to
> > create such a thing at this point in time, but perhaps if someone
> > thinks this is worthwhile time can be made for it...
> 
> I've been keeping half an eye on what Holger has been doing and yes, I
> think this could be desirable. Its also rather straightforward to do.
> Simply create a new variable


Such a class does make sense but is only fixing 50% of the issue. E.g. when we 
look at "gpdf" there are two things.

1.) The distro builder should be informed that building gpdf is bad in regard 
to known security issues. So he might decide to throw it out of the feed.

2.) A user using the distro has the (discontinued) package still installed and 
he will not notice that his latest gpdf is "bad". Distribution makers will 
also need a way to announce such things to their users. I have wondered if we 
could create a ipk with RCONFLICTS on discontinued software or such.


z.