[yocto-security] Hello from OpenBMC

Burton, Ross ross.burton at intel.com
Wed Dec 5 03:49:43 PST 2018


On Mon, 3 Dec 2018 at 18:20, Joseph Reynolds <jrey at linux.vnet.ibm.com> wrote:
> Hello.  I work on the OpenBMC project [1][2] which is built on top of
> Yocto/OpenEmbedded.  The OpenBMC Security Working Group [3][4] is
> interested in becoming a CVE Numbering Authority (CNA) and needs to
> understand the boundary between OpenBMC and Yocto/OE.  For example, if
> OpenBMC found a security vulnerability that was caused by an OE recipe
> which the OpenBMC project cloned, how would we work together to resolve
> this, and who would own the authority to write the CVE?
>
> I've detailed the questions and sketched out the answers here: [5][6].
> The interesting parts for you are in the "CNA coverage" section.
>
> If you have any ideas, comments, or suggestions, feel free to email the
> group (cc my email), participate in the review, or attend an OpenBMC
> Security Working Group meeting.  The meetings are very informal.

My two cents is that your approach seems sensible and pragmatic: you
own code that you wrote, patched or otherwise customised, everything
else should have an obvious authority.

Your glibc patch is a security issue -> openbmc's responsibility
An OE glibc patch has a security issue -> OE's responsibility
Upstream glibc has a security issue -> glibc's responsibility.

The trick will be correctly triaging to ensure the right owner is
found.  There are several CVEs I've encountered that are marked
"android" but are actually general Linux (or in one case, BlueZ)
issues.

Ross

