* Package revision
From: jbouchard @ 2022-02-07 23:18 UTC (permalink / raw)
  To: openembedded-core


Hi,

I was wondering why the package revision is not increased when a patch is applied to another project's source, like this commit https://git.openembedded.org/openembedded-core/commit/?h=honister&id=2d3c5b078feb34cb729902292d2805c9288ebc4c. Most distributions tend to increase the package revision when such changes occur. This helps to track vulnerabilities and bugs. I know CVE_CHECK can deal with CVEs, but it is hard to track with external software.

Thanks


* Re: [OE-core] Package revision
From: Mikko.Rapeli @ 2022-02-08  9:07 UTC (permalink / raw)
  To: jeanbouch418; +Cc: openembedded-core

Hi,

On Mon, Feb 07, 2022 at 03:18:20PM -0800, jbouchard wrote:
> I was wondering why the package revision is not increased when a patch is applied to another project's source, like this commit https://git.openembedded.org/openembedded-core/commit/?h=honister&id=2d3c5b078feb34cb729902292d2805c9288ebc4c. Most distributions tend to increase the package revision when such changes occur. This helps to track vulnerabilities and bugs. I know CVE_CHECK can deal with CVEs, but it is hard to track with external software.

Yocto is different from other Linux distributions. There is no binary compatibility
between binary packages. Every single yocto build can break everything in compatibility.
Thus recipe version numbers don't matter that much, and it's not important to update
them as long as the major version number is matching to the SW component which is used.

As a user of yocto, you can configure the yocto build system to produce unique and monotonically
increasing binary package version numbers using prserv. This will update PR whenever recipes
are recompiled.

https://www.yoctoproject.org/docs/current/mega-manual/mega-manual.html#working-with-a-pr-service

For CVE checks, the metadata in CVE patches marks the issues as patched when the yocto internal
CVE checker is used. External CVE security issue detection tooling must take into account
the patches which have already been applied. Any tooling will be useless if it doesn't take
this into account. For security analysis work, it is best to follow what yocto upstream
maintainers do and use the same tooling as the basis, then maybe add your custom stuff
on top, or in the best case contribute things back to the project. It's quite a bit of work
to maintain a large yocto based Linux distro well, so you are better off if you work
with the community and maintainers there.

Cheers,

-Mikko
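The reply's point that external scanner output has to be reconciled against the patches a recipe already carries can be shown with a small script. This is an added example, not code from the thread, from OE-core, or from its cve-check class; it assumes (as OE-core patches do) that a backported fix declares the issue it addresses in a `CVE:` tag line in the patch header, or in the patch file name. The patch texts and the CVE ids (CVE-2000-000x) are constructed placeholders.

```python
import re

# Matches a CVE identifier anywhere in a string (year, then a 4+ digit sequence).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample patches, keyed by file name, in the shape of recipe patch
# headers: one declares its CVE in a "CVE:" tag line, the other only in its name.
SAMPLE_PATCHES = {
    "0001-fix-buffer-handling.patch": (
        "From: Example Maintainer <maintainer@example.invalid>\n"
        "Subject: [PATCH] fix buffer handling\n"
        "\n"
        "Upstream-Status: Backport\n"
        "CVE: CVE-2000-0001\n"
        "Signed-off-by: Example Maintainer <maintainer@example.invalid>\n"
        "---\n"
        " src/buf.c | 2 +-\n"
    ),
    "fix-CVE-2000-0002.patch": (
        "Subject: [PATCH] bounds check on length field\n"
        "\n"
        "Upstream-Status: Backport\n"
        "---\n"
        " src/len.c | 1 +\n"
    ),
}


def patched_cves_from_patch(text, filename=""):
    """Return the set of CVE ids a single patch claims to fix.

    Ids are taken from any header line starting with "CVE:" and from the
    file name itself; the diff body is ignored so that a mention of a CVE in
    changed source lines does not count as a fix.
    """
    found = set()
    header, _sep, _body = text.partition("\n---\n")
    for line in header.splitlines():
        if line.strip().startswith("CVE:"):
            found.update(CVE_RE.findall(line))
    found.update(CVE_RE.findall(filename))
    return found


def reconcile(scanner_findings, patches):
    """Split an external scanner's findings into (still_open, already_patched).

    scanner_findings: iterable of CVE ids the external tool reported for the
    component version; patches: mapping of patch file name -> patch text.
    Both results are sorted lists so they are stable for reporting.
    """
    patched = set()
    for name, text in patches.items():
        patched |= patched_cves_from_patch(text, name)
    reported = set(scanner_findings)
    return sorted(reported - patched), sorted(reported & patched)


if __name__ == "__main__":
    # Constructed scanner output: three ids reported against the base version.
    still_open, already_patched = reconcile(
        ["CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0003"], SAMPLE_PATCHES
    )
    print("patched in recipe:", already_patched)
    print("still open:", still_open)
```

Only the header above the `---` separator is searched, so a CVE id that merely appears in the diff body does not suppress a finding; the scanner's unresolved list shrinks to the ids no applied patch claims to address.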
