[oe] samba-essential upgrade or remove?

Dr. Michael Lauer mickey at vanille-media.de
Mon Mar 15 09:13:13 UTC 2010

Am 15.03.2010 um 08:46 schrieb Holger Hans Peter Freyther:

> On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:
>> Do we feel we have that responsibility?
>> I didn't feel that sentiment when it came to removing other legacy
>> recipes (some of which definitely also will have security issues).
>> E.g. for openssl we have
>> openssl_0.9.7e.bb
>> openssl_0.9.7g.bb
>> openssl_0.9.7m.bb
>> openssl_0.9.8g.bb
>> openssl_0.9.8m.bb
>> I'm pretty certain the last one will fix some vulnerabilities present
>> in the first one.
> Well you are comparing two different things here. One is having the _default_ 
> of a recipe with known security issues, and one is keeping old non default 
> recipes with security issues.
> If a distro maker decides to use an ancient version of OpenSSL it was his 
> choice, if he just typed bitbake foo-image and he has a vulnerable daemon 
> waiting to be owned in his default image... the story is a bit different.
> I think we have at least three options on how to deal with it:
> 1.) Put a big fat warning on Openembedded.org saying it should not be used for 
> users that have network connectivity or might put a SDcard/Storage with 
> content on a device as we don't care about fixing vulnerable software.

Gets my vote; however with less dramatic wording.


More information about the Openembedded-devel mailing list