[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Sean Hudson sean_hudson at mentor.com
Tue Jun 20 13:27:15 UTC 2017

On 2017-06-20 04:30 AM, Paul Eggleton wrote:
> On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
>> On 2017-06-19 09:05 AM, Mark Hatle wrote:
>>> It would be reasonable to write up a 'best practices' type document. 
>>> Explaining that simply due to the nature of building many of these things
>>> will be 'leaked' and where some of them are leaked through.  (Package
>>> generation, compilation, etc for instance.)
>> That sounds reasonable, although, TBH, if someone is adding credentials
>> to their SRC_URIs, I would expect that a best practice would be ignored.
>>  Perhaps adding a detection routine that emitted a warning during
>> parsing for credentials in the SRC_URI might be warranted?  Thoughts?
> This might be useful yes. I think the stumbling block is that at the moment we
> would have to have it off by default and then the user is almost certainly not
> going to know to turn it on. Perhaps this is another thing that we might check 
> in a "production" vs. "development" mode where the user can easily switch to
> the former to enable a set of more stringent checks.

I'm not sure I follow.  What would prevent us from turning on a warning
that detected credentials in a SRC_URI by default?  Even with Richard's
change to prevent the information from propagating into the .ipk, it
seems useful to notify the user.  Personally, I'd like to know if one of
the recipes I'm using has such information in it regardless of whether
I'm generating a development or a production image.
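The thread discusses a parse-time check that warns when a recipe's SRC_URI carries credentials. The block below is an added illustration of what such a check could look like; it is not BitBake code and not part of this thread. It assumes only the documented shape of SRC_URI (whitespace-separated fetcher URLs, each optionally followed by `;key=value` parameters) and uses the standard library's URL parser to spot userinfo. The sample SRC_URI, hostnames and credentials are constructed placeholders.

```python
"""Detect embedded credentials in an OpenEmbedded SRC_URI value.

Added example, not BitBake's own code. It treats SRC_URI as a
whitespace-separated list of fetcher URLs and flags any URL whose
authority part contains user:password@ (or a bare user@).
"""
from urllib.parse import urlsplit

# Constructed recipe variable; hosts and secrets are placeholders.
# The trailing backslashes mimic the line continuations used in recipes.
SAMPLE_SRC_URI = """\
git://build-user:s3cret@git.example.internal/firmware/app.git;protocol=https;branch=main \
https://dl.example.com/releases/libfoo-1.2.tar.gz;name=libfoo \
file://0001-fix-build.patch \
svn://anon@svn.example.org/trunk;module=tool;protocol=http"""


def split_src_uri(src_uri):
    """Split the variable on whitespace into individual fetcher URLs."""
    return src_uri.split()


def redact(url, password):
    """Mask the password so the warning itself does not leak it."""
    return url.replace(":" + password + "@", ":<redacted>@", 1)


def check_src_uri(src_uri):
    """Return (severity, url, username) tuples for URLs carrying userinfo.

    A username plus password is the case that actually leaks a secret into
    fetch logs, sstate and package metadata, so it is reported as ERROR.
    A bare username (svn://anon@...) is reported as WARNING because it is
    still recipe content most projects would not want to ship.
    """
    findings = []
    for url in split_src_uri(src_uri):
        parts = urlsplit(url)
        if parts.username is None and parts.password is None:
            continue
        if parts.password:
            findings.append(("ERROR", redact(url, parts.password), parts.username))
        else:
            findings.append(("WARNING", url, parts.username))
    return findings


def format_messages(src_uri, recipe="example.bb"):
    """Render findings as one message per offending URL, bitbake-log style."""
    return [
        "%s: %s: SRC_URI entry contains credentials for user '%s': %s"
        % (severity, recipe, user, url)
        for severity, url, user in check_src_uri(src_uri)
    ]


if __name__ == "__main__":
    for line in format_messages(SAMPLE_SRC_URI):
        print(line)
```

Running the module prints one line per flagged URL; the `git://` entry with a password shows as ERROR with the secret replaced by `<redacted>`, the `svn://anon@` entry as WARNING, and the plain `https://` and `file://` entries produce nothing. A real implementation would hook this into recipe parsing and decide per project whether the password case should fail the parse rather than only warn.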


