Re: Yocto post-release CVE and package uprev policy - openssl, ffmpeg, etc.
Paul Eggleton <paul.eggleton@...>
On Thursday, 26 January 2017 3:10:57 PM NZDT Randy MacLeod wrote:
Yocto seems to have a policy not to update packages once aWe have made exceptions in the past for exactly the reasons you outline.
Unfortunately I know at least for OpenSSL when we have done so on at least one
occasion we have been bitten by compatibility issues :(
If we can introduce more rigorous runtime testing (and by that I don't just
mean tests for the package itself - runtime tests for functionality in other
applications that rely on that package would be preferred) then we would be in
a much better place. Being able to measure ABI compatibility is a good start
but doesn't cover any internal changes in behaviour that might be problematic.
See:I would say we're not hard-blocked by the policy - we can make exceptions, but
we really do need to be careful, and I don't think we're prepared to make a
continuing exception for specific packages yet. The better idea we can get
that there won't be regressions, hopefully in an automated or semi-automated
manner, the safer position we'll be in.
Intel Open Source Technology Centre