@@ -711,7 +711,7 @@ follows:
#. *Identify the bug or CVE to be fixed:* This information should be
collected so that it can be included in your submission.
- See :ref:`dev-manual/vulnerabilities:checking for vulnerabilities`
+ See :ref:`security-manual/vulnerabilities:checking for vulnerabilities`
for details about CVE tracking.
#. *Check if the fix is already present in the master branch:* This will
@@ -33,7 +33,6 @@ Yocto Project Development Tasks Manual
external-toolchain
wic
bmaptool
- securing-images
custom-distribution
custom-template-configuration-directory
disk-space
@@ -42,11 +41,9 @@ Yocto Project Development Tasks Manual
init-manager
device-manager
external-scm
- read-only-rootfs
build-quality
debugging
licenses
- vulnerabilities
sbom
error-reporting-tool
wayland
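Review bot: dropping ``securing-images``, ``read-only-rootfs`` and ``vulnerabilities`` from the Development Tasks Manual toctree (this hunk and the previous one) moves the rendered pages to a new path, so existing external links and bookmarks to the old dev-manual locations will stop resolving. Consider saying so in the commit message, or leaving a short pointer to the new location for readers who arrive at the old one.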
@@ -6,7 +6,7 @@ Creating a Software Bill of Materials
Once you are able to build an image for your project, once the licenses for
each software component are all identified (see
":ref:`dev-manual/licenses:working with licenses`") and once vulnerability
-fixes are applied (see ":ref:`dev-manual/vulnerabilities:checking
+fixes are applied (see ":ref:`security-manual/vulnerabilities:checking
for vulnerabilities`"), the OpenEmbedded build system can generate
a description of all the components you used, their licenses, their dependencies,
their sources, the changes that were applied to them and the known
@@ -273,7 +273,7 @@ New Features / Enhancements in 4.2
- Prominent documentation updates:
- - Substantially expanded the ":doc:`/dev-manual/vulnerabilities`" section.
+ - Substantially expanded the ":doc:`/security-manual/vulnerabilities`" section.
- Added a new ":doc:`/dev-manual/sbom`" section about SPDX SBoM generation.
- Expanded ":ref:`init-manager`" documentation.
- New section about :ref:`ref-long-term-support-releases`.
@@ -1041,7 +1041,7 @@ stage of package installation, post installation scripts that are part
of the packages are run. Any scripts that fail to run on the build host
are run on the target when the target system is first booted. If you are
using a
-:ref:`read-only root filesystem <dev-manual/read-only-rootfs:creating a read-only root filesystem>`,
+:ref:`read-only root filesystem <security-manual/read-only-rootfs:creating a read-only root filesystem>`,
all the post installation scripts must succeed on the build host during
the package installation phase since the root filesystem on the target
is read-only.
@@ -659,7 +659,7 @@ These can only be detected by reviewing the details of the issues and iterating
and following what happens in other Linux distributions and in the greater open source community.
You will find some more details in the
-":ref:`dev-manual/vulnerabilities:checking for vulnerabilities`"
+":ref:`security-manual/vulnerabilities:checking for vulnerabilities`"
section in the Development Tasks Manual.
.. _ref-classes-cython:
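Review bot: the unchanged line after the updated reference still reads "section in the Development Tasks Manual.", but the target is now ``security-manual/vulnerabilities``. Please update that sentence to name the Yocto Project Security Manual so the prose matches the link.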
@@ -320,7 +320,7 @@ the vulnerabilities using the SPDX document as input.
These third-party tools have the responsibility of providing support for
integrating with the Yocto Project SBOMs.
-Also see the :doc:`/dev-manual/vulnerabilities` section of the Yocto Project
+Also see the :doc:`/security-manual/vulnerabilities` section of the Yocto Project
Development Tasks Manual for more information on dealing with vulnerabilities.
Customizing generated images
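Review bot: the sentence continues with "section of the Yocto Project Development Tasks Manual" on the unchanged line that follows, which no longer matches the new ``/security-manual/vulnerabilities`` target. Suggest changing the manual name in the same patch.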
@@ -333,7 +333,7 @@ The image features available for all images are:
- *read-only-rootfs:* Creates an image whose root filesystem is
read-only. See the
- ":ref:`dev-manual/read-only-rootfs:creating a read-only root filesystem`"
+ ":ref:`security-manual/read-only-rootfs:creating a read-only root filesystem`"
section in the Yocto Project Development Tasks Manual for more
information.
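Review bot: the *read-only-rootfs* entry still says "section in the Yocto Project Development Tasks Manual" on the unchanged context line, while the reference now points into ``security-manual/read-only-rootfs``. The manual name should be updated along with the link.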
@@ -2070,7 +2070,7 @@ system and gives an overview of their function and contents.
It has the format "reason: description" and the description is optional.
The Reason is mapped to the final CVE state by mapping via
- :term:`CVE_CHECK_STATUSMAP`. See :ref:`dev-manual/vulnerabilities:fixing vulnerabilities in recipes`
+ :term:`CVE_CHECK_STATUSMAP`. See :ref:`security-manual/vulnerabilities:fixing vulnerabilities in recipes`
for details.
:term:`CVE_STATUS_GROUPS`
@@ -2919,7 +2919,7 @@ system and gives an overview of their function and contents.
useful if you want to develop against the libraries in the image.
- "read-only-rootfs" --- creates an image whose root filesystem is
read-only. See the
- ":ref:`dev-manual/read-only-rootfs:creating a read-only root filesystem`"
+ ":ref:`security-manual/read-only-rootfs:creating a read-only root filesystem`"
section in the Yocto Project Development Tasks Manual for more
information
- "tools-debug" --- adds debugging tools such as gdb and strace.
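Review bot: same stale wording as in the image-features hunk: the "read-only-rootfs" item keeps "section in the Yocto Project Development Tasks Manual" after the reference was switched to ``security-manual/read-only-rootfs``. Please rename the manual here too; the item's final "information" is also missing its full stop, which could be fixed while touching these lines.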
@@ -11,6 +11,9 @@ Yocto Project Security Manual
:numbered:
intro
+ securing-images
+ vulnerabilities
+ read-only-rootfs
.. include:: /boilerplate.rst
similarity index 100%
rename from documentation/dev-manual/read-only-rootfs.rst
rename to documentation/security-manual/read-only-rootfs.rst
similarity index 96%
rename from documentation/dev-manual/securing-images.rst
rename to documentation/security-manual/securing-images.rst
@@ -64,7 +64,7 @@ more secure:
especially applies when your device is network-enabled.
- Regularly scan and apply fixes for CVE security issues affecting
- all software components in the product, see ":ref:`dev-manual/vulnerabilities:checking for vulnerabilities`".
+ all software components in the product, see ":ref:`security-manual/vulnerabilities:checking for vulnerabilities`".
- Regularly update your version of Poky and OE-Core from their upstream
developers, e.g. to apply updates and security fixes from stable
@@ -72,7 +72,7 @@ more secure:
- Ensure you remove or disable debugging functionality before producing
the final image. For information on how to do this, see the
- ":ref:`dev-manual/securing-images:considerations specific to the openembedded build system`"
+ ":ref:`security-manual/securing-images:considerations specific to the openembedded build system`"
section.
- Ensure you have no network services listening that are not needed.
similarity index 100%
rename from documentation/dev-manual/vulnerabilities.rst
rename to documentation/security-manual/vulnerabilities.rst
Move the vulnerabilities, read-only-rootfs, and securing-images sections to the security manual. Update references to these documents to fix Sphinx reference errors.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/contributor-guide/submit-changes.rst | 2 +-
 documentation/dev-manual/index.rst | 3 ---
 documentation/dev-manual/sbom.rst | 2 +-
 documentation/migration-guides/release-notes-4.2.rst | 2 +-
 documentation/overview-manual/concepts.rst | 2 +-
 documentation/ref-manual/classes.rst | 2 +-
 documentation/ref-manual/faq.rst | 2 +-
 documentation/ref-manual/features.rst | 2 +-
 documentation/ref-manual/variables.rst | 4 ++--
 documentation/security-manual/index.rst | 3 +++
 documentation/{dev-manual => security-manual}/read-only-rootfs.rst | 0
 documentation/{dev-manual => security-manual}/securing-images.rst | 4 ++--
 documentation/{dev-manual => security-manual}/vulnerabilities.rst | 0
 13 files changed, 14 insertions(+), 14 deletions(-)