[yocto] General policies for CVE fixes

Paul Eggleton paul.eggleton at linux.intel.com
Mon Oct 17 14:34:48 PDT 2016


On Mon, 17 Oct 2016 15:23:55 Bruce Ashfield wrote:
> On 2016-10-17 03:11 PM, Sona Sarmadi wrote:
> > From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance:
> > 
> > General policies:
> > 
> >   * Fixes must go into master first unless they are applicable only to
> >     the stable branch; if back-porting to an older stable branch, the
> >     fix should first be applied to the newer stable branches before
> >     being back-ported to the older branch
> > 
> > Does anyone know the reason for the policy above i.e. why fixes have to
> > go to master first?
> 
> The kernel has the same policy for -stable kernels. Speaking at a very
> high level, it simply ensures that the development of maintenance/stable
> branches does not move ahead of master in terms of fixes.
> 
> That keeps development focused on the tip, where it belongs (versus
> companies/people working in silos for an extended period of time), since
> once in master many branches can benefit from it.

Another way to think about this is what would happen if we didn't fix it in 
master first, then forgot to go back and do that? master (and the stable 
release that eventually follows from it) would potentially be left without the 
fix, so when you upgraded the vulnerability would come back.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
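The failure mode Paul describes (a fix that lands on a stable branch but never reaches master, so it reappears on upgrade) is mechanically detectable. The following POSIX shell script is an added example and is not part of the mailing-list thread or of the Yocto Project's own tooling: it builds a throwaway repository with a `master` branch and two constructed stable branches (`stable-new`, `stable-old`, not real Yocto release names), applies a fix only to the older stable branch, and then uses `git cherry`, which matches commits by patch-id rather than by hash, so cherry-picked backports are recognised as the same fix. The `CVE-YYYY-NNNN` string and the recipe content are placeholders.

```shell
#!/bin/sh
# Added example (not from the list post): detect a fix that reached a stable
# branch without also landing in master and in the newer stable branch.
# `git cherry UPSTREAM BRANCH` prints "+ <sha>" for commits on BRANCH whose
# patch has no equivalent on UPSTREAM, comparing by patch-id, so a
# cherry-picked backport with a different hash still counts as the same fix.
set -eu
command -v git >/dev/null || { echo "git is required" >&2; exit 1; }

# Identity for the throwaway commits (constructed values).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_demo_repo DIR: master plus two stable branches (constructed names, not
# real Yocto release branches). The fix is applied ONLY on the older stable
# branch, i.e. exactly the situation the "master first" policy prevents.
make_demo_repo() {
  d=$1
  rm -rf "$d"; mkdir -p "$d"
  git -C "$d" init -q
  git -C "$d" symbolic-ref HEAD refs/heads/master
  echo 'SRC_URI = "http://example.invalid/pkg.tar.gz"' > "$d/recipe.bb"
  git -C "$d" add recipe.bb
  git -C "$d" commit -q -m "recipe: initial version"
  git -C "$d" branch stable-new
  git -C "$d" branch stable-old
  git -C "$d" checkout -q stable-old
  # Placeholder CVE id; the content only needs to be a distinct patch.
  echo 'SRC_URI += "file://CVE-YYYY-NNNN.patch"' >> "$d/recipe.bb"
  git -C "$d" commit -q -am "recipe: fix CVE-YYYY-NNNN (placeholder)"
  git -C "$d" checkout -q master
}

# count_missing DIR UPSTREAM BRANCH: number of commits on BRANCH whose patch
# has no equivalent on UPSTREAM. Zero means BRANCH carries nothing UPSTREAM lacks.
count_missing() {
  git -C "$1" cherry "$2" "$3" | grep -c '^+ ' || true
}

# list_missing DIR UPSTREAM BRANCH: the offending commits with subjects.
list_missing() {
  git -C "$1" cherry -v "$2" "$3" | sed -n 's/^+ //p'
}

# forward_port DIR UPSTREAM BRANCH: cherry-pick every missing patch from BRANCH
# onto UPSTREAM. This is the repair step; the policy is that it should never
# be needed because master gets the fix first.
forward_port() {
  d=$1; up=$2; br=$3
  git -C "$d" checkout -q "$up"
  for sha in $(git -C "$d" cherry "$up" "$br" | sed -n 's/^+ //p'); do
    git -C "$d" cherry-pick "$sha" >/dev/null
  done
}

# policy_ok DIR NEWER OLDER: succeeds only if every fix on the stable branches
# is also on master, and every fix on OLDER is also on NEWER.
policy_ok() {
  [ "$(count_missing "$1" master "$2")" = 0 ] &&
  [ "$(count_missing "$1" master "$3")" = 0 ] &&
  [ "$(count_missing "$1" "$2" "$3")" = 0 ]
}

# demo: show the violation, repair it, and re-check.
demo() {
  d=$(mktemp -d)
  make_demo_repo "$d"
  echo "fixes on stable-old missing from master:"
  list_missing "$d" master stable-old
  policy_ok "$d" stable-new stable-old && echo "policy OK" || echo "policy VIOLATED"
  forward_port "$d" master stable-old
  forward_port "$d" stable-new stable-old
  policy_ok "$d" stable-new stable-old && echo "policy OK after forward-port" || echo "still violated"
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh policy-check.sh --demo`. In a real stable-branch workflow the same `count_missing` call, pointed at the actual release branches, is a cheap pre-merge gate: a non-zero count for `master` means a backport is about to outrun the tip, which is the regression-on-upgrade case Paul warns about.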
