On 1/9/2020 2:14 PM, Otavio Salvador wrote:
> On Thu, Jan 9, 2020 at 5:08 PM Jesse Gilles <jesse.gilles@gmail.com> wrote:
>> On Thu, Jan 9, 2020 at 11:18 AM Clay Montgomery <clay@montgomery1.com> wrote:
>> Hm, I don't agree.  If an embedded Linux device uses Wi-Fi and Bluetooth communications, won't vulnerabilities affecting those parts of the kernel need to be patched?
>>
>> Examples:
>> https://www.linuxkernelcves.com/cves/CVE-2019-17133
>> https://www.linuxkernelcves.com/cves/CVE-2019-16746
>> https://www.linuxkernelcves.com/cves/CVE-2019-9506
>>
>> I believe some of these could be exploitable without accessing the device or gaining local privileges.
> I agree with you Jesse and that's why we've been moving most of our
> customers to Linux mainline. Most vendor BSP does not have stable
> updates.
>
It depends in your target application/market. If anyone can connect to 
your device with Wi-Fi or Bluetooth, then obviously security is a lot 
more important.

But, consider the digital signage player market, for example, where it's 
actually an advantage over Windows and Android devices to never require 
updates.

Regards, Clay


>