[oe] samba-essential upgrade or remove?

Koen Kooi k.kooi at student.utwente.nl
Mon Mar 15 09:30:32 UTC 2010

Hash: SHA1

On 15-03-10 08:46, Holger Hans Peter Freyther wrote:
> On Monday 15 March 2010 08:30:09 Frans Meulenbroeks wrote:
>> Do we feel we have that responsibility?
>> I didn't feel that sentiment when it came to removing other legacy
>> recipes (some of which definitely also will have security issues).
>> E.g. for openssl we have
>> openssl_0.9.7e.bb
>> openssl_0.9.7g.bb
>> openssl_0.9.7m.bb
>> openssl_0.9.8g.bb
>> openssl_0.9.8m.bb
>> I'm pretty certain the last one will fix some vulnerabilities present
>> in the first one.
> Well you are comparing two different things here. One is having the _default_ 
> of a recipe with known security issues, and one is keeping old non default 
> recipes with security issues.
> If a distro maker decides to use an ancient version of OpenSSL it was his 
> choice, if he just typed bitbake foo-image and he has a vulnerable daemon 
> waiting to be owned in his default image... the story is a bit different.
> I think we have at least three options on how to deal with it:
> 1.) Put a big fat warning on Openembedded.org saying it should not be used for 
> users that have network connectivity or might put a SDcard/Storage with 
> content on a device as we don't care about fixing vulnerable software.
> 2.) Adopt a policy of addressing vulnerabilities in our defaults right away..
> 3.) Remove recipes for vulnerable software when no one is updating them in 
> time... This can be combined with option 2...

I don't think 1) is a realistic option, if we go with that, we should
just redirect oe.org to buildroot.org and go home.

I my vote goes to 2) and I like 3) as well.


Version: GnuPG v1.4.5 (Darwin)


More information about the Openembedded-devel mailing list