[yocto] General policies for CVE fixes

Sona Sarmadi sona.sarmadi at enea.com
Wed Oct 19 03:42:32 PDT 2016


> > From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance:
> >
> > General policies:
> >
> > Fixes must go into master first unless they are applicable only to the
> > stable branch; if back-porting to an older stable branch, the fix
> > should first be applied to the newer stable branches before being
> > back-ported to the older branch
> >
> > Does anyone know the reason for the policy above i.e. why fixes have
> > to go to master first?
> >
> > 1) It makes more sense, at least for users, to get CVE fixes as soon as
> > possible in the maintenance branches.
> 
> This is to ensure that we do not regress next time we release a new
> version from master. So it's important to ensure that the fix has been
> applied to master. Sometimes you can assert that the fix has gone into a new
> version of a package that is due to be uprevved in master and will be
> done soonish. Such information is helpful when making security patches
> for release branches.
> 
> Actually there was a suggestion at OEDEM on informing the CVE ml that we
> have as the CVE fixes get applied to metadata. That's a good suggestion to
> have implemented.


Thanks everyone for your explanation.

Yes, regressions (forgetting to fix bugs in master) are bad. I believe there
are other ways to avoid this; the Yocto project has a bug reporting system to
keep track of such things, right?

Maintenance branches are likely deployed in production systems; I think
fixing security problems here should have higher priority. Don't you agree?

Perhaps we should discuss this at next OEDEM :)

Cheers //Sona
