Message ID | 20220606155943.52427-1-michael.opdenacker@bootlin.com |
---|---|
State | Accepted |
Commit | 42bfcb2d3a13e71264e5f29b07615c2da9866273 |
Series | dev-manual: mention the new CVE patch metrics page |
Hi Michael,

On 6/6/22 17:59, Michael Opdenacker via lists.yoctoproject.org wrote:
> From: Michael Opdenacker <michael.opdenacker@bootlin.com>
>
> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>

Looks good. Was puzzled by the lack of extlink use but it seems that we only have one for autobuilder.yoctoproject.org which points to a different thing than autobuilder.yocto.io?

I think we should also advertise this page in more places than here? This is a very important document I think, so the more places we show it the better? Don't have any particular place to add this to though.

Reviewed-by: Quentin Schulz <foss+yocto@0leil.net>

Thanks,
Quentin
Hi Quentin,

Thanks for the suggestion!

On 6/7/22 11:07, Quentin Schulz wrote:
> Hi Michael,
>
> On 6/6/22 17:59, Michael Opdenacker via lists.yoctoproject.org wrote:
>> From: Michael Opdenacker <michael.opdenacker@bootlin.com>
>>
>> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
>
> Looks good. Was puzzled by the lack of extlink use but it seems that
> we only have one for autobuilder.yoctoproject.org which points to a
> different thing than autobuilder.yocto.io?
>
> I think we should also advertise this page in more places than here?
> This is a very important document I think, so the more places we show
> it the better? Don't have any particular place to add this to though.

I looked at the pages on https://www.yoctoproject.org/, and didn't really find any suitable place. The most natural place is the wiki, so I added a link to https://wiki.yoctoproject.org/wiki/Security and made a few updates to the links referred to by this page.

I also suggested adding this link to the weekly "CVE metrics" e-mails: https://lists.openembedded.org/g/openembedded-core/message/168512

Any other ideas, anyone?

Cheers,
Michael.
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index ca6d594386..d7f0b263e7 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst @@ -11507,8 +11507,15 @@ known security vulnerabilities, as tracked by the public `Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__ database. -To know which packages are vulnerable to known security vulnerabilities, -add the following setting to your configuration:: +The Yocto Project maintains a `list of known vulnerabilities +<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__ +for packages in Poky and OE-Core, tracking the evolution of the number of +unpatched CVEs and the status of patches. Such information is available for +the current development version and for each supported release. + +To know which packages are vulnerable to known security vulnerabilities +in the specific image you are building, add the following setting to your +configuration:: INHERIT += "cve-check"
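Review bot: the added paragraph hard-codes the URL https://autobuilder.yocto.io/pub/non-release/patchmetrics/ as an inline RST link; as Quentin notes in the review above, the only existing autobuilder extlink points at autobuilder.yoctoproject.org, a different host, so consider adding a dedicated extlink role for autobuilder.yocto.io (name to be chosen) to the documentation configuration and using it here, so the location can be changed in one place if the metrics page moves. Two wording points in the same hunk: "To know which packages are vulnerable to known security vulnerabilities" repeats "vulnerable"/"vulnerabilities" and would read better as "To know which packages are affected by known CVEs"; and "Such information is available for the current development version and for each supported release" could name its subject ("These metrics are available for ...") so the sentence stands on its own.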