[yocto] General policies for CVE fixes

Khem Raj raj.khem at gmail.com
Mon Oct 17 16:01:15 PDT 2016


On Mon, Oct 17, 2016 at 12:11 PM, Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> Hi all,
>
> From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance:
>
> General policies:
>
> Fixes must go into master first unless they are applicable only to the
> stable branch; if back-porting to an older stable branch, the fix should
> first be applied to the newer stable branches before being back-ported to
> the older branch
>
> Does anyone know the reason for the policy above i.e. why fixes have to go
> to master first?
>
> 1)      It makes more sense, at least for users, to get CVE fixes as soon as
> possible in the maintenance branches.

This is to ensure that we do not regress next time when we release the next version
from master. So it's important to ensure that the fix has been applied to master.
Sometimes you can assert that the fix has gone into a new version of a package
that is due to be uprevved in master and will be done soonish. Such information
is helpful when making security patches for release branches.

Actually, there was a suggestion at OEDEM on informing the CVE ml that we have
as the CVE fixes get applied to metadata. That's a good suggestion to have
implemented.

>
> 2)      Normally the versions are different in master and maintenance
> branches so different patches are required.
>
> Thanks
>
> //Sona
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
