Synchronization CVEs: Difference between revisions

From Yocto Project

Revision as of 07:22, 20 October 2023

(WIP) Synchronization on the CVE work

The Yocto Project actively fixes public CVEs. This page describes the process developers should follow to stay synchronized with each other. The goal is to avoid duplicate work and to limit the number of high-severity CVEs that remain without a backported fix.

Regular cve-check runs

The project runs cve-check regularly on the Poky repository with a world build. This produces an up-to-date view of the known CVEs reported against the recipes.

Results from multiple runs of the cve-check are available:

- weekly emails sent to the yocto-security mailing list (https://lists.yoctoproject.org/g/yocto-security)
- autobuilder daily runs
- runs managed by the project's collaborators
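The runs above produce machine-readable output, and the synchronization goal (no high-severity CVE left without a backport) is easiest to track by filtering that output rather than reading it by hand. The following script is an added example, not code from the Yocto Project or from cve-check itself. Its input layout is an assumption modelled on the cve-summary.json that cve-check writes under tmp/log/cve/ (a list of packages, each with a list of issues carrying id, scorev2, scorev3 and status); the sample document embedded below is constructed for illustration, not a real build result, and the field names should be checked against your own build's summary before relying on the script.

```python
"""Triage a cve-check JSON summary: list the unpatched CVEs at or above
a CVSS threshold, worst first, so backport work can be prioritized.

Added example, not Yocto Project code. The document layout below is an
assumption modelled on cve-check's cve-summary.json; verify the field
names against a real build before using this on your own output.
"""
import json

# Constructed sample in the assumed shape of cve-summary.json (not a real build result).
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "libfoo", "layer": "meta", "version": "1.2.3",
            "products": [{"product": "libfoo", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-2023-0001", "summary": "heap overflow in parser",
                 "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK",
                 "status": "Unpatched"},
                {"id": "CVE-2023-0002", "summary": "null pointer dereference",
                 "scorev2": "5.0", "scorev3": "5.5", "vector": "LOCAL",
                 "status": "Unpatched"},
                {"id": "CVE-2022-0003", "summary": "already backported",
                 "scorev2": "7.5", "scorev3": "8.1", "vector": "NETWORK",
                 "status": "Patched"},
            ],
        },
        {
            "name": "bar", "layer": "meta", "version": "2.0",
            "products": [{"product": "bar", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-2023-0004", "summary": "integer overflow",
                 "scorev2": "6.8", "scorev3": "7.0", "vector": "NETWORK",
                 "status": "Unpatched"},
                {"id": "CVE-2023-0005", "summary": "does not apply to this config",
                 "scorev2": "9.0", "scorev3": "9.1", "vector": "NETWORK",
                 "status": "Ignored"},
            ],
        },
    ],
})


def parse_summary(text):
    """Yield (package_name, package_version, issue) for every issue in the summary."""
    data = json.loads(text)
    for pkg in data.get("package", []):
        for issue in pkg.get("issue", []):
            yield pkg.get("name", "?"), pkg.get("version", "?"), issue


def score(issue):
    """CVSS score as a float: prefer v3, fall back to v2, then 0.0.

    Scores are strings in the assumed format and may be empty when the
    database has no score yet, so unparsable values are skipped rather
    than raising.
    """
    for key in ("scorev3", "scorev2"):
        try:
            return float(issue.get(key, ""))
        except (TypeError, ValueError):
            continue
    return 0.0


def unpatched_high(text, threshold=7.0):
    """Return [(cve_id, package, version, score)] for issues whose status is
    exactly "Unpatched" and whose score is >= threshold.

    "Patched" (fix already backported) and "Ignored" (marked not applicable
    in the recipe) are deliberately excluded: they need no backport work.
    Results are sorted by score descending, then by CVE id, so the list
    reads top-down as a work queue.
    """
    found = []
    for name, version, issue in parse_summary(text):
        if issue.get("status") != "Unpatched":
            continue
        s = score(issue)
        if s >= threshold:
            found.append((issue["id"], name, version, s))
    found.sort(key=lambda row: (-row[3], row[0]))
    return found


def format_report(rows):
    """Render the work queue as a fixed-width table."""
    lines = ["%-16s %-5s %-20s %s" % ("CVE", "CVSS", "package", "version")]
    for cve, name, version, s in rows:
        lines.append("%-16s %-5.1f %-20s %s" % (cve, s, name, version))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(unpatched_high(SAMPLE_SUMMARY)))
```

On the constructed sample this lists CVE-2023-0001 (9.8, libfoo) and CVE-2023-0004 (7.0, bar); the patched 8.1 and the ignored 9.1 entries are left out because neither needs a backport. Run it against a real summary by replacing SAMPLE_SUMMARY with the contents of your build's cve-summary.json, and raise the threshold to focus on critical issues only.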

Synchronization page

A synchronization wiki page is available for everyone working on CVE fixes.

WIP

To cover:

  • Who updates the page?
  • What happens when a fix is posted on the mailing list?
  • How do we handle the different LTS versions?