[yocto] Security updates question
Khem Raj
raj.khem at gmail.com
Fri Sep 7 13:36:14 PDT 2018
Hi Brian
On Fri, Sep 7, 2018 at 1:25 PM Brian Smucker <bds at bsmucker.eu.org> wrote:
>
> Hello all,
>
> We have a device whose image is built using an older yocto image. It is
> based on yocto Danny, if I recall correctly.
>
> How do users of yocto handle the need occasionally to update one or more
> component packages to deal with security vulnerabilities?
>
> I am not a yocto expert and I was hoping there would be a clear way
> forward here.
>
> Migrating all our recipes to the latest version of yocto probably should
> be done, but it would involve weeks of pain. I know, I started to do it
> sometime back.
>
> So that is one option, but a very unattractive one at the moment.
>
> When we jumped into using Yocto, I was hoping that there would be a
> clear answer to this, but I have been frustrated. Perhaps there is a
> clear answer, but it's outside of what I know.
>
> What are my options and the tradeoffs of each?
yocto project provided infra to build distributions. so you would have
either built your own distribution or procured it from someone else e.g.
OSVs, if its third party the they generally have security update schedules
that you can work with.
If you build your own distro then you have freedom to make changes
and patch the security vulnerability and deploy it.
community maintains releases for quite some time and you can just
cherry-pick the point releases which primarily get security fixes.
danny is an old release and is not currently supported in community
https://wiki.yoctoproject.org/wiki/Releases
so you can still check if needed fixes are there in danny and build it.
you can also work with some OE/yocto consultants to get this done
for danny
There are also binary feed based distributions like angstrom which can
provide prebuilt packages ( ipks) but they also have support schedule
and I am sure for angstrom danny based feeds are not updated.
Thanks
-Khem
>
> Thanks
>
> Brian
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
More information about the yocto
mailing list