Re: Yocto post-release CVE and package uprev policy - openssl, ffmpeg, etc.


Randy MacLeod
 

On 2017-01-27 07:31 AM, Alexander Kanavin wrote:
On 01/26/2017 10:10 PM, Randy MacLeod wrote:
I've done a review of openssl below but
before I proceed with more evaluation or sending the
uprev to the list for morty, I'd like to know if the upgrade
policy will block such a change. From my analysis, there's only
one change that seems like an upgrade blocker and I need help
to evaluate that since I'm not an openssl maintainer.

The change to always call setup_engine() may be a problem
but I'm not familiar with the openssl code base so I'm
not sure how big a deal it is. Alex, are you familiar with
this part of openssl?
Randy, you are starting with a wrong assumption: that people listed in
maintainers.inc are real maintainers - real in the sense that they
follow upstream development, take care of regular runtime testing
(including writing the testsuite if upstream doesn't provide a good
one), and understand the source code well to make informed decisions.
That is simply not true. I have no idea about what goes on inside
openssl, and I think no one else in Yocto does. My duty is updating
openssl to the latest version in master and reacting to bug reports;
there's simply no time for more.
Well, I expected such a reply but hoped to be surprised. It's a
tough call as a distro maintainer. I wonder if maintainers for other
major distros would generally have the same concerns about lack of time
to develop the required expertise or is Yocto different due to lack of
community participation.

We need to spread out recipe maintainership a lot more than is the case
currently, then we can have a sane policy in place for stable releases.

Alex
That makes sense to me as well.


--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, Canada, K2K 2W5

Join openembedded-architecture@lists.openembedded.org to automatically receive all group messages.