[yocto-security] Yocto security responses.
Paul Eggleton
paul.eggleton at linux.intel.com
Thu Oct 12 14:32:16 PDT 2017
Hi Jim,
(resending with corrected CC)
On Friday, 13 October 2017 8:56:50 AM NZDT Jim Gettys wrote:
> I'm trying to understand the Yocto response to security issues.
>
> The OE https://patchwork.openembedded.org/project/oe/patches/ page shows
> you added a patch to fix the recent dnsmasq problems on October 3, by
> updating to dnsmasq 2.78.
>
> But being new to Yocto, I don't know how long it takes to percolate through
> the Yocto system.
>
> https://layers.openembedded.org/layerindex/recipe/4473/
>
> Still says version 2.76, whereas the fixes are in 2.78.
>
> If one built Yocto today from current head of tree, what version would be
> picked up?
>
> Any insight on how Yocto handles security issues would be helpful.
To explain a little background - OpenEmbedded recipes are split up into
various different layers. The layer in which dnsmasq is contained,
meta-networking, isn't actually maintained by the Yocto Project - it's not
part of our release/test cycle that we do for the core. I just happened to
send a patch because I noticed the security issue announcement and it was a
straightforward upgrade from 2.76.
Patch testing for meta-networking and other layers in the meta-openembedded
repository in which meta-networking is contained is graciously carried out for
the community by Martin (on CC) which involves world builds for every
architecture we support. Usually when patches get sent it takes a few days for
them to get through those tests. I would like to see security patches like
this one have some kind of fast track - I'd have to agree that 10 days is
longer than we would like. We do have a number of volunteers who work on
security issues particularly within OE-Core (which is officially maintained by
the Yocto Project) however not so much for recipes outside of that - we are
largely reliant upon vendors or other community members responding to these
issues and sending back their patches. We also unfortunately do not have
advance embargoed notice of security issues (apart from employees of some
vendors who are themselves bound not to discuss those embargoed issues) so we
can only react when they are publicly announced.
I realise this is not a great answer. However until we have someone who is
willing to step up and institute a more rigorous process for handling security
updates, particularly for layers outside of the core that the Yocto Project
maintains, that is where things stand.
FYI there is an alternative if you are working on something where you need
updated recipes faster - it's pretty easy to add the updated recipes to your
own layer on top of the OE/Yocto provided ones (or add a bbappend to apply the
patch), and a little less messy than for example forking the original layer
and applying the patch there. The only issue is you have to remember to remove
it later, otherwise when the time comes that we move beyond that update you
will still be building that same version (less of an issue with the bbappend,
because that.
Kind regards,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
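The "own layer plus bbappend" approach from the last paragraph of the message, as an added illustration that is not part of the original mail or of the meta-openembedded project: a small local layer whose bbappend applies a locally carried patch to the dnsmasq recipe. The layer name, priority, patch file name and recipe path are assumptions; the syntax is the `_prepend` form in use at the time of the message (newer releases spell it `:prepend` and additionally require a `LAYERSERIES_COMPAT_<layer>` setting).

```bitbake
# --- conf/layer.conf of the local layer (name "meta-local-security" is assumed) ---
BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "meta-local-security"
BBFILE_PATTERN_meta-local-security = "^${LAYERDIR}/"
# Higher than meta-networking's priority so that, if this layer ever carries its
# own dnsmasq_*.bb, the local recipe wins over the meta-networking one.
BBFILE_PRIORITY_meta-local-security = "10"
# meta-networking (which provides dnsmasq) is registered under the collection
# name "networking-layer"; declaring the dependency makes bitbake refuse to
# build if that layer is missing instead of silently ignoring the bbappend.
LAYERDEPENDS_meta-local-security = "networking-layer"

# --- recipes-support/dnsmasq/dnsmasq_2.76.bbappend ---
# Pinning the version in the file name means this bbappend is applied only to
# dnsmasq_2.76.bb: once meta-networking moves the recipe to 2.78 the append
# simply stops matching, so it does not have to be remembered and removed.
# (A wildcard name, dnsmasq_%.bbappend, would keep applying the patch to every
# later version and would need manual cleanup, as the message warns.)
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
# Patch file is assumed to live in recipes-support/dnsmasq/files/ next to this append.
SRC_URI += "file://local-security-fix.patch"
```

After adding the layer to `conf/bblayers.conf`, `bitbake-layers show-appends` lists which recipe the bbappend currently attaches to, which is the quickest way to confirm it is still (or is no longer) in effect.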