From: Philip Balister <philip@balister.org>
To: Bent Bisballe Nyeng <xbbn@mjolner.dk>,
"yocto@yoctoproject.org" <yocto@yoctoproject.org>
Subject: Re: how does one stay on top of YP security alerts?
Date: Wed, 11 Jan 2017 09:49:48 -0500 [thread overview]
Message-ID: <300aed1d-93fe-7d21-2436-172e7d35e728@balister.org> (raw)
In-Reply-To: <1c32c82c773d4d0b81f428bc62435118@drift35.mia.local>
The question of security comes up at every OpenEmbedded developer
meeting. Clearly, the companies building products with OpenEmbedded care
about security.
The problem following the CVE's direct is you need to do analysis to
determine if a specific release has the vulnerability.
We do have guidelines for marking CVE's addressed by commits, to help
people interested in developing tools to show what CVE's are addressed
in the meta data.
One suggestion made is to setup some form of git hook to email commits
with CVE tags to the security list. We are very interested in
encouraging people who care about security to use the security mailing
list to improve overall security of distributions (like Poky) built with
OpenEmbedded.
Philip
On 01/10/2017 05:37 AM, Bent Bisballe Nyeng wrote:
> On 01/10/2017 11:29 AM, Burton, Ross wrote:
>
> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn@mjolner.dk<mailto:xbbn@mjolner.dk>> wrote:
> So /is/ the yocto-security mailinglist considered "dead"? Or has there
> simply not been any security issues for a while?
>
> IIRC, yocto-security was more to discuss security issues, not an announcement of security related fixes. If you care about security then you'll want notice for more than just what is in oe-core, so I suggest monitoring the CVE announcements directly.
>
> Ross
>
> I found the list initially through this page: https://wiki.yoctoproject.org/wiki/Security where it is described as the security [at] yoctoprojct [dot] org being the discussion list and the yocto [dash] security [at] yoctoproject[dot] org being the security announcement list.
>
> If the yocto [dash] security [at] yoctoproject[dot] org is in fact no longer active I think it is important that the wiki page is changed to reflect that to prevent potential dangerous misunderstandings in the future.
>
> Kind regards
> Bent Bisballe Nyeng
>
>
>
next prev parent reply other threads:[~2017-01-11 14:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-07 15:29 how does one stay on top of YP security alerts? Robert P. J. Day
2017-01-09 13:08 ` Alexander Kanavin
2017-01-10 10:01 ` Bent Bisballe Nyeng
2017-01-10 10:29 ` Burton, Ross
2017-01-10 10:37 ` Bent Bisballe Nyeng
2017-01-10 20:51 ` Paul Eggleton
2017-01-11 8:29 ` Bent Bisballe Nyeng
2017-01-11 14:49 ` Philip Balister [this message]
2017-01-11 14:56 ` Alexander Kanavin
2017-01-11 17:46 ` Mark Hatle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=300aed1d-93fe-7d21-2436-172e7d35e728@balister.org \
--to=philip@balister.org \
--cc=xbbn@mjolner.dk \
--cc=yocto@yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.