Yocto, Kernel and OpenBMC security maintenance

Xo Wang xow at google.com
Tue Nov 14 11:14:59 AEDT 2017

On Sun, Nov 12, 2017 at 9:37 PM, Andrew Jeffery <andrew at aj.id.au> wrote:
> On Tue, 2017-11-07 at 15:56 +1030, Joel Stanley wrote:
> > On today's community call we chatted about security updates for the
> > project. Nancy pointed out that there are tools in the tree that are many
> > versions out of date and have security fixes available, but not
> > applied to our tree.
> >
> > To date there has been no focused effort on ensuring known
> > vulnerabilities are patched, whether this be backporting patches or
> > updating to newer releases. I suggested we focus on ensuring the
> > OpenBMC tree, as the upstream for our products, is where security
> > fixes are applied.
> For what it's worth there's some discussion of upgrading to Yocto 2.3
> and what we might do to better track master on the issue tracker:
> https://github.com/openbmc/openbmc/issues/2461
> I agree we need to improve how we track things such as security patches
> that go into upstream.
> Andrew

Any opinions on whether to merge point releases (e.g. currently 2.2.x
releases) or to continuously pull in from the stable branch (e.g.
currently yocto's morty branch)?

Also does anyone have objections to pulling in 2.2.2 at this time? It
could potentially be painless. The fixes we'd get are noted in release
