[yocto] how does one stay on top of YP security alerts?

Mark Hatle mark.hatle at windriver.com
Wed Jan 11 09:46:39 PST 2017 

On 1/11/17 8:49 AM, Philip Balister wrote:
> The question of security comes up at every OpenEmbedded developer
> meeting. Clearly, the companies building products with OpenEmbedded care
> about security.
> 
> The problem following the CVE's direct is you need to do analysis to
> determine if a specific release has the vulnerability.
> 
> We do have guidelines for marking CVE's addressed by commits, to help
> people interested in developing tools to show what CVE's are addressed
> in the meta data.
> 
> One suggestion made is to setup some form of git hook to email commits
> with CVE tags to the security list. We are very interested in
> encouraging people who care about security to use the security mailing
> list to improve overall security of distributions (like Poky) built with
> OpenEmbedded.

We started looking into having a git hook that would email the list whenever a
commit (with the CVE tag in it) was present, but with holidays (and other work
items I had).. this of course dropped lower in the priority list.

I do think this is the only reasonable way to do this.  Use an individual
branch's commit information to discover what is fixed.

If it's not listed as fixed, it's the users responsibility to understand if they
are vulnerable, deal with the vulnerability and (hopefully) send the patch to
the mailing lists so others can benefit from it.

(Speaking as a commercial OSV for a second)  The latest step of triage, fix and
send -- as well as announcing to customers and documenting things that are NOT
vulnerable are all services we provide.  I would expect any commercial OSV to
provide a similar service for their customers.  This is certainly a 'value-add'
that we do above and beyond the open source community.

This really is an 'above and beyond' request for the community.  The community
only cares about what HAS been fixed and the in-progress development release.
Anything beyond that is best effort, and the Yocto Project compliance guidelines
(and related process, encouraging contributions) helps keep commercial OSVs (who
do this work anyway) involved with keeping the community up to date.

--Mark

> Philip
> 
> On 01/10/2017 05:37 AM, Bent Bisballe Nyeng wrote:
>> On 01/10/2017 11:29 AM, Burton, Ross wrote:
>>
>> On 10 January 2017 at 10:01, Bent Bisballe Nyeng <xbbn at mjolner.dk<mailto:xbbn at mjolner.dk>> wrote:
>> So /is/ the yocto-security mailinglist considered "dead"? Or has there
>> simply not been any security issues for a while?
>>
>> IIRC, yocto-security was more to discuss security issues, not an announcement of security related fixes.  If you care about security then you'll want notice for more than just what is in oe-core, so I suggest monitoring the CVE announcements directly.
>>
>> Ross
>>
>> I found the list initially through this page: https://wiki.yoctoproject.org/wiki/Security where it is described as the security [at] yoctoprojct [dot] org being the discussion list and the yocto [dash] security [at] yoctoproject[dot] org being the security announcement list.
>>
>> If the yocto [dash] security [at] yoctoproject[dot] org is in fact no longer active I think it is important that the wiki page is changed to reflect that to prevent potential dangerous misunderstandings in the future.
>>
>> Kind regards
>> Bent Bisballe Nyeng
>>
>>
>>

More information about the yocto mailing list