[yocto] General policies for CVE fixes

Paul Eggleton paul.eggleton at linux.intel.com
Mon Oct 17 15:53:38 PDT 2016


On Mon, 17 Oct 2016 15:41:04 akuster808 wrote:
> On 10/17/2016 02:34 PM, Paul Eggleton wrote:
> > On Mon, 17 Oct 2016 15:23:55 Bruce Ashfield wrote:
> >> On 2016-10-17 03:11 PM, Sona Sarmadi wrote:
> >>> From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance:
> >>> General policies:
> >>>
> >>>   * Fixes must go into master first unless they are applicable only to
> >>>     the stable branch; if back-porting to an older stable branch, the
> >>>     fix should first be applied to the newer stable branches before
> >>>     being back-ported to the older branch
> >>> 
> >>> Does anyone know the reason for the policy above, i.e. why fixes have to
> >>> go to master first?
> >> 
> >> The kernel has the same policy for -stable kernels. Speaking at a very
> >> high level, it simply ensures that the development of maintenance/stable
> >> branches does not move ahead of master in terms of fixes.
> >> 
> >> That keeps development focused on the tip, where it belongs (versus
> >> companies/people working in silos for an extended period of time), since
> >> once in master many branches can benefit from it.
> > 
> > Another way to think about this is what would happen if we didn't fix it
> > in master first, then forgot to go back and do that? master (and the
> > stable release that eventually follows from it) would potentially be left
> > without the fix, so when you upgraded the vulnerability would come back.
> 
> That applies to any fix, security or not.

Absolutely.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
