[yocto] how does one stay on top of YP security alerts?

Alexander Kanavin alexander.kanavin at linux.intel.com
Wed Jan 11 06:56:58 PST 2017


On 01/11/2017 04:49 PM, Philip Balister wrote:
> The problem following the CVE's direct is you need to do analysis to
> determine if a specific release has the vulnerability.
>
> We do have guidelines for marking CVE's addressed by commits, to help
> people interested in developing tools to show what CVE's are addressed
> in the meta data.
>
> One suggestion made is to setup some form of git hook to email commits
> with CVE tags to the security list.

This is not going to work if a security issue is fixed by a version 
update without an intermediate backported patch (which often happens). 
And cve-check-tool is notorious for inaccuracies both ways.

There's simply no easy, working solution to this, the way I see it. In 
the master branch the best we can do is to stay close to upstream, for 
release branches the only thing that will really work is having real 
recipe maintainers who follow upstream development closely.

Alex
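To make the two positions in this thread concrete, here is an added example (not code from the thread or from the Yocto project) that does what the proposed git hook would do: it scans commit messages for CVE tags and reports them, and it also shows the gap Alex points out, a plain version upgrade that carries no CVE tag and would therefore never trigger the email. The tag format `CVE: CVE-YYYY-NNNN` on its own line is an assumption about the Yocto marking guidelines; the commit hashes, messages and CVE identifiers are constructed sample data, not real advisories.

```python
import re

# Assumed tag convention: a "CVE:" line listing one or more identifiers.
CVE_TAG_RE = re.compile(r"^\s*CVE:\s*((?:CVE-\d{4}-\d{4,}[ \t]*)+)",
                        re.MULTILINE | re.IGNORECASE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Heuristic for recipe version bumps in the subject line, e.g. "curl: upgrade to 7.52.1".
UPGRADE_RE = re.compile(r"^\S+:\s*(?:upgrade|update|bump)\b", re.IGNORECASE)

# Constructed commits keyed by a placeholder hash; none of these are real.
SAMPLE_COMMITS = {
    "a1b2c3d": ("openssl: fix CVE-2017-1000\n\n"
                "CVE: CVE-2017-1000\n"
                "Signed-off-by: Example Dev <dev at example.com>\n"),
    "b2c3d4e": ("curl: upgrade to 7.52.1\n\n"
                "Fixes several issues reported upstream.\n"
                "Signed-off-by: Example Dev <dev at example.com>\n"),
    "c3d4e5f": "bitbake: fix typo in help text\n",
    "d4e5f6a": ("openssh: backport fixes for two issues\n\n"
                "CVE: CVE-2017-1001 CVE-2017-1002\n"
                "Signed-off-by: Example Dev <dev at example.com>\n"),
}


def extract_cve_tags(message):
    """Return the sorted, upper-cased CVE ids named on 'CVE:' lines.

    Identifiers that only appear in the subject or free text are ignored
    on purpose: the hook would key off the explicit tag, not prose.
    """
    ids = set()
    for match in CVE_TAG_RE.finditer(message):
        for cve in CVE_ID_RE.findall(match.group(1)):
            ids.add(cve.upper())
    return sorted(ids)


def classify_commits(commits):
    """Split commits into (tagged, untagged_upgrades).

    tagged maps hash -> list of CVE ids the hook would email about.
    untagged_upgrades lists version bumps with no CVE tag: these may well
    close security issues, but a tag-driven hook is blind to them.
    """
    tagged = {}
    untagged_upgrades = []
    for sha, message in commits.items():
        cves = extract_cve_tags(message)
        if cves:
            tagged[sha] = cves
        elif UPGRADE_RE.match(message.splitlines()[0]):
            untagged_upgrades.append(sha)
    return tagged, untagged_upgrades


def render_report(commits):
    """Build the text a post-receive hook might send to the security list."""
    tagged, untagged = classify_commits(commits)
    lines = []
    for sha, cves in tagged.items():
        subject = commits[sha].splitlines()[0]
        lines.append("%s %s  [%s]" % (sha, subject, ", ".join(cves)))
    for sha in untagged:
        subject = commits[sha].splitlines()[0]
        lines.append("%s %s  [version upgrade, no CVE tag: needs manual review]"
                     % (sha, subject))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_COMMITS))
```

In a real hook the commit messages would come from `git log` over the pushed range instead of the constructed dictionary; the review queue of untagged upgrades is the part that still needs a human recipe maintainer, which is the point Alex makes.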


