[oe] samba-essential upgrade or remove?

Holger Hans Peter Freyther holger+oe at freyther.de
Mon Mar 15 07:46:33 UTC 2010

On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:

> Do we feel we have that responsibility?
> I didn't feel that sentiment when it came to removing other legacy
> recipes (some of which definitely also will have security issues).
> E.g. for openssl we have
> openssl_0.9.7e.bb
> openssl_0.9.7g.bb
> openssl_0.9.7m.bb
> openssl_0.9.8g.bb
> openssl_0.9.8m.bb
> I'm pretty certain the last one will fix some vulnerabilities present
> in the first one.

Well you are comparing two different things here. One is having the _default_ 
of a recipe with known security issues, and one is keeping old non default 
recipes with security issues.

If a distro maker decides to use an ancient version of OpenSSL it was his 
choice, if he just typed bitbake foo-image and he has a vulnerable daemon 
waiting to be owned in his default image... the story is a bit different.

I think we have at least three options on how to deal with it:

1.) Put a big fat warning on Openembedded.org saying it should not be used for 
users that have network connectivity or might put a SDcard/Storage with 
content on a device as we don't care about fixing vulnerable software.

2.) Adopt a policy of addressing vulnerabilities in our defaults right away..

3.) Remove recipes for vulnerable software when no one is updating them in 
time... This can be combined with option 2...


More information about the Openembedded-devel mailing list