kirkstone meta-security branch

kirkstone meta-security branch

[Marko, Peter]

Hello maintainers,

I'd be interested to know if meta-security repository for kirkstone is still maintained.
Looking at commit history, there are only two commits since July 2022 (almost a year).

The mailing lists has several contributions meanwhile (list what I could find from 2023):
- tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745   <- this one from me I'd be interested to be picked
- apparmor: fix ownership issues
- libmhash: add multilib header
- dm-verity-img.bbclass: add squashfs images
- Add EROFS support to dm-verity-img class

Are we submitting these wrongly?
I have found this message suggesting that this could be the case: https://lists.yoctoproject.org/g/yocto/message/59432
Maybe just adding [meta-security][kirkstone][PATCH] does not seem to be enough and we need to add sublayer like [meta-security][meta-tpm][kirkstone][PATCH]?
Please advise as the README suggest that it's not needed...

Thanks,
  Peter

Re: [yocto] kirkstone meta-security branch

[Mikko Rapeli]

Hi,

On Mon, Jun 05, 2023 at 08:31:55AM +0000, Peter Marko via lists.yoctoproject.org wrote:
> Hello maintainers,
> 
> I'd be interested to know if meta-security repository for kirkstone is still maintained.
> Looking at commit history, there are only two commits since July 2022 (almost a year).

FWIW, meta-security master branch worked for me on kirkstone
by adding "kirkstone" to LAYERSERIES_COMPAT in my own layer.conf
(it is only possible to override other layers configuration in another layer config).

This was the case for many other open source layers. The LTS branches
are, as you noted as well, not really maintained. They are just old
snapshots which work against the poky LTS branch.

With some extra work like LAYERSERIES_COMPAT and a few patches here and there,
I switched to using master branch with poky, meta-openembedded and meta-arm
kirkstone branch, and eventually switched completely to poky master branch
(currently mickledore).

Yocto LTS branches are relatively new, and best practices around them have not
yet formed, and there are very few maintainers for the less-used non-core
meta layers. Thus I understand the release specific branches, but I would actually
advice against using them, if they have not been touched in the past few months.
That just shows that branch is really not maintained. As said, with some extra work,
master branch of a meta layer can support multiple poky branches, master and LTS(es).

I'm hope maintainers will at least accept patches which help supporting multiple
releases from a single branch, even if they actively set LAYERSERIES_COMPAT in a
way which breaks this and marks "using master branch on kirkstone" as "do it on
your own risk". One of the major breaking issues has been bbappends to specific
kernel or busybox versions when the applicaple version range is actually much broader.
The compiler and other tooling version differences did not cause much issues, in
my experience.

Cheers,

-Mikko

Re: [yocto] kirkstone meta-security branch

[akuster808]

Hello Peter,

On 6/5/23 4:31 AM, Peter Marko via lists.yoctoproject.org wrote:
> Hello maintainers,
>
> I'd be interested to know if meta-security repository for kirkstone is still maintained.
> Looking at commit history, there are only two commits since July 2022 (almost a year).

Thanks for bringing this issue to my attention. I wouldn't say it rises 
to the level of Maintained but a best effort situation. Master tends to 
get all the attention.

> The mailing lists has several contributions meanwhile (list what I could find from 2023):
> - tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745   <- this one from me I'd be interested to be picked
> - apparmor: fix ownership issues
I have those now. Thanks for the reminder.
> - libmhash: add multilib header
This is actually in Kirkstone.
> - dm-verity-img.bbclass: add squashfs images
> - Add EROFS support to dm-verity-img class
I general, I do follow the OE or Yocto Project guidelines on style, 
patch format and  stable process.  So the dm changes sorta fall under 
new features but is more of a grey area as its an opt-in if one needs 
that support. I suspect while I was ponder that I got distracted by a 
shinny object and forgot to revisit the patches.
> Are we submitting these wrongly?

The major of the issue will be landing on myself as I don' have my 
workflow sorted out correctly and I may miss things.
> I have found this message suggesting that this could be the case:https://lists.yoctoproject.org/g/yocto/message/59432
> Maybe just adding [meta-security][kirkstone][PATCH] does not seem to be enough and we need to add sublayer like [meta-security][meta-tpm][kirkstone][PATCH]?
> Please advise as the README suggest that it's not needed...

I would stick with what the README's have in them.

BR,
Armin
>
> Thanks,
>    Peter
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#60177):https://lists.yoctoproject.org/g/yocto/message/60177
> Mute This Topic:https://lists.yoctoproject.org/mt/99336201/3616698
> Group Owner:yocto+owner@lists.yoctoproject.org
> Unsubscribe:https://lists.yoctoproject.org/g/yocto/unsub  [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>