[yocto-security] Hello from OpenBMC
Joseph Reynolds
jrey at linux.vnet.ibm.com
Mon Dec 3 10:02:41 PST 2018
Hello. I work on the OpenBMC project [1][2] which is built on top of
Yocto/OpenEmbedded. The OpenBMC Security Working Group [3][4] is
interested in becoming a CVE Numbering Authority (CNA) and needs to
understand the boundary between OpenBMC and Yocto/OE. For example, if
OpenBMC found a security vulnerability that was caused by an OE recipe
which the OpenBMC project cloned, how would we work together to resolve
this, and who would own the authority to write the CVE?

I've detailed the questions and sketched out the answers here: [5][6].
The interesting parts for you are in the "CNA coverage" section.

If you have any ideas, comments, or suggestions, feel free to email the
group (cc my email), participate in the review, or attend an OpenBMC
Security Working Group meeting. The meetings are very informal.

[1]: https://www.openbmc.org/
[2]: https://github.com/openbmc/openbmc/
[3]: https://github.com/openbmc/openbmc/wiki/Security-working-group
[4]: https://github.com/openbmc/docs/tree/master/security
[5]: https://lists.ozlabs.org/pipermail/openbmc/2018-December/014188.html
[6]: https://gerrit.openbmc-project.xyz/#/c/15621 then click on cna-request.md

Thanks!
- Joseph Reynolds