Yocto, Kernel and OpenBMC security maintenance

Joel Stanley joel at jms.id.au
Tue Nov 7 16:26:51 AEDT 2017

On today's community call we chatted about security updates for the
project. Nancy pointed out that there are tools in the tree that are many
versions out of date and have security fixes available, but not
applied to our tree.

To date there has been no focused effort on ensuring known
vulnerabilities are patched, whether this be backporting patches or
updating to newer releases. I suggested we focus on ensuring the
OpenBMC tree, as the upstream for our products, is where security
fixes are applied.

Taking that a further step would be to maintain security fixes against
the Yocto release that OpenBMC has based itself on. It appears that
Yocto does this:

From https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance

> The Yocto Project maintains stable branches of Poky (OE-Core and
> BitBake). Typically, alongside the latest release the previous two
> releases are also maintained.

It looks like we should assign someone to ensure the OpenBMC Yocto
tree is kept up to date against the upstream branch.

Regarding the kernel, the intention has been to regularly update to
ensure we are on a maintained kernel. That hasn't gone smoothly to
date, but we will keep trying. We may end up maintaining a long-lived
tree on top of the long term Linux kernel community maintained 4.14,
in addition to moving master forward to the most recent releases.

Please reply to this mail with improvements, thoughts, suggestions,
objections. If you want to volunteer to help maintain an aspect of the
project, or know someone who does, please put your hand up.
