* [PATCH] cve-check: Add allowlist that is same function of whitelist.
@ 2021-06-23  8:56 ito-yuichi
  2021-06-26 10:04 ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 7+ messages in thread
From: ito-yuichi @ 2021-06-23  8:56 UTC (permalink / raw)
  To: openembedded-core

The Linux team plan to remove references to racially-charged jargon from
their code for more neutral and inclusive language.
So replace use of "whitelist" with "allowlist" in cve-check.

First, we add CVE_CHECK_ALLOWLIST and it is considered patched as well as
CVE_CHECK_WHITELIST.
We plan to replace other words later and eventually replace all
"whitelist" with "allowlist".

Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>
---
 meta/classes/cve-check.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d..5e3441a783 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -52,6 +52,7 @@ CVE_CHECK_PN_WHITELIST ?= ""
 # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
 #
 CVE_CHECK_WHITELIST ?= ""
+CVE_CHECK_ALLOWLIST ?= ""
 
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
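Review bot: CVE_CHECK_ALLOWLIST is added directly under CVE_CHECK_WHITELIST with no comment of its own, while the comment block above still documents only the old name ("# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'"). Both variables now suppress CVEs from the report, so please document the new one here, state that entries from both lists are honoured, and say which name recipes should use going forward, so that ignore entries do not end up split across two variables where they are harder to audit.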
@@ -238,7 +239,7 @@ def check_cves(d, patched_cves):
     old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
     if old_cve_whitelist:
         bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
-    cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
+    cve_whitelist = d.getVar("CVE_CHECK_ALLOWLIST").split() + d.getVar("CVE_CHECK_WHITELIST").split()
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
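Review bot: In check_cves() the context just above the changed line still warns "CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.", so after this change the warning steers users to the name the patch is moving away from; update the message to point at CVE_CHECK_ALLOWLIST, and consider a matching bb.warn when CVE_CHECK_WHITELIST is non-empty. The new line also calls .split() directly on d.getVar("CVE_CHECK_ALLOWLIST"), which only works because the first hunk sets a default of ""; writing (d.getVar("CVE_CHECK_ALLOWLIST") or "").split() would keep the check from raising if a configuration leaves the variable unset. The local name cve_whitelist is left as it is, which is worth stating in the commit message if a follow-up rename is planned.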
-- 
2.25.1



* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-06-23  8:56 [PATCH] cve-check: Add allowlist that is same function of whitelist ito-yuichi
@ 2021-06-26 10:04 ` Richard Purdie
  2021-06-29  6:47   ` ito-yuichi
  2021-07-05 19:08   ` Armin Kuster
  0 siblings, 2 replies; 7+ messages in thread
From: Richard Purdie @ 2021-06-26 10:04 UTC (permalink / raw)
  To: ito-yuichi, openembedded-core

On Wed, 2021-06-23 at 17:56 +0900, ito-yuichi@fujitsu.com wrote:
> The Linux team plan to remove references to racially-charged jargon from
> their code for more neutral and inclusive language.
> So replace use of "whitelist" with "allowlist" in cve-check.
> 
> First, we add CVE_CHECK_ALLOWLIST and it is considered patched as well as
> CVE_CHECK_WHITELIST.
> We plan to replace other words later and eventually replace all
> "whitelist" with "allowlist".
> 
> Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>

The TSC did discuss this and proposed a plan on how we should go about 
addressing these issues:

https://lists.openembedded.org/g/openembedded-architecture/topic/inclusive_language_summary/75821819

I appreciate this patch has good intent but I would really like to
see a wider plan on how we address this rather than changing single 
variables piecemeal. 

For example we may want to standardise on the term "IGNORE" rather than
"ALLOW" or even "FILTER" or "VERIFIED" or something more specific to the meaning
of CVEs and CVE checking.

There is an opportunity to try and make the metadata and variable names
more consistent and understandable but if we just change single things at
a time this opportunity would be missed.

Cheers,

Richard



* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-06-26 10:04 ` [OE-core] " Richard Purdie
@ 2021-06-29  6:47   ` ito-yuichi
  2021-07-05 19:08   ` Armin Kuster
  1 sibling, 0 replies; 7+ messages in thread
From: ito-yuichi @ 2021-06-29  6:47 UTC (permalink / raw)
  To: 'Richard Purdie'; +Cc: openembedded-core

Hi Richard,

Thank you for replying.

> I appreciate this patch has good intent but I would really like to see a wider
> plan on how we address this rather than changing single variables piecemeal.

Do I need to replace not only the CVE check but also other classes?
I plan to replace inclusive languages only in the CVE check tool.
I will replace words except for CVE_CHECK_WHITELIST in the class (e.g. cve_whitelist, whitelisted) with another patch.

Thanks,


* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-06-26 10:04 ` [OE-core] " Richard Purdie
  2021-06-29  6:47   ` ito-yuichi
@ 2021-07-05 19:08   ` Armin Kuster
  2021-07-20  6:48     ` ito-yuichi
  1 sibling, 1 reply; 7+ messages in thread
From: Armin Kuster @ 2021-07-05 19:08 UTC (permalink / raw)
  To: Richard Purdie, ito-yuichi, openembedded-core



On 6/26/21 3:04 AM, Richard Purdie wrote:
> On Wed, 2021-06-23 at 17:56 +0900, ito-yuichi@fujitsu.com wrote:
>> The Linux team plan to remove references to racially-charged jargon from
>> their code for more neutral and inclusive language.
>> So replace use of "whitelist" with "allowlist" in cve-check.
>>
>> First, we add CVE_CHECK_ALLOWLIST and it is considered patched as well as
>> CVE_CHECK_WHITELIST.
>> We plan to replace other words later and eventually replace all
>> "whitelist" with "allowlist".
>>
>> Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>
> The TSC did discuss this and proposed a plan on how we should go about 
> addressing these issues:
>
> https://lists.openembedded.org/g/openembedded-architecture/topic/inclusive_language_summary/75821819
>
> I appreciate this patch has good intent but I would really like to
> see a wider plan on how we address this rather than changing single 
> variables piecemeal. 
>
> For example we may want to standardise on the term "IGNORE" rather than
> "ALLOW" or even "FILTER" or "VERIFIED" or something more specific to the meaning
> of CVEs and CVE checking.
>
> There is an opportunity to try and make the metadata and variable names
> more consistent and understandable but if we just change single things at
> a time this opportunity would be missed.

I have created a wiki page to collate our thoughts and agreements to
help us move forward in a coherent manner to address renaming some
troubling variable names.
https://wiki.yoctoproject.org/wiki/Inclusive_language

I logged some variable names along with a few renaming examples. Maybe
this can turn into a plan???

Since it's a wiki, please edit accordingly.

- armin



* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-07-05 19:08   ` Armin Kuster
@ 2021-07-20  6:48     ` ito-yuichi
  2021-07-26  8:28       ` ito-yuichi
  2021-08-06  8:38       ` ito-yuichi
  0 siblings, 2 replies; 7+ messages in thread
From: ito-yuichi @ 2021-07-20  6:48 UTC (permalink / raw)
  To: 'akuster808'; +Cc: Richard Purdie, openembedded-core

Hi, Armin

Thanks for the information about the wiki.
I created an account and added CVE_CHECK_WHITELIST in Variables.

According to this message, CVE_CHECK_PN_WHITELIST is deprecated and should be removed.
https://lists.openembedded.org/g/openembedded-core/message/142505

Thanks,

Yuichi Ito


* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-07-20  6:48     ` ito-yuichi
@ 2021-07-26  8:28       ` ito-yuichi
  2021-08-06  8:38       ` ito-yuichi
  1 sibling, 0 replies; 7+ messages in thread
From: ito-yuichi @ 2021-07-26  8:28 UTC (permalink / raw)
  To: 'akuster808'
  Cc: 'Richard Purdie',
	'openembedded-core@lists.openembedded.org'

Hi, Armin

> I created an account and added CVE_CHECK_WHITELIST in Variables.

Shouldn't I post a patch before the variables in the wiki are approved?
And when will variables be approved?

Please let me know if there is anything I can do.

Thanks,

Yuichi Ito


* Re: [OE-core] [PATCH] cve-check: Add allowlist that is same function of whitelist.
  2021-07-20  6:48     ` ito-yuichi
  2021-07-26  8:28       ` ito-yuichi
@ 2021-08-06  8:38       ` ito-yuichi
  1 sibling, 0 replies; 7+ messages in thread
From: ito-yuichi @ 2021-08-06  8:38 UTC (permalink / raw)
  To: 'akuster808'
  Cc: 'Richard Purdie',
	'openembedded-core@lists.openembedded.org'

Hi, Armin

Sorry to bother you again.
Could you please tell me what I should do for the variables to be approved in the wiki?

Thanks,

Yuichi Ito
