| Message ID | 20260603-sec-team-v2-2-ee7d2016fbf4@pbarker.dev |
|---|---|
| State | Accepted |
| Series | Security team documentation updates |
On Wed, 3 Jun 2026, 21:45 Paul Barker via lists.yoctoproject.org, <paul=pbarker.dev@lists.yoctoproject.org> wrote:

> The section "What Yocto Security Team does when it receives a security
> vulnerability" duplicated information already found in the previous
> section "Security Team Operations", so merge the sections and tidy up
> the flow of the text.
>
> While we're editing this, Mitre is now just one of the places you can go
> to get a CVE assigned, many other CVE Numbering Authorities (CNAs) are
> available. They also now have a web form for contact and requesting CVE
> assignment so let's link directly to that.

Assigning CVEs from different CNAs for the same project has heavy disadvantages, and it has been an option since the beginning.

I originally wrote only about Mitre, to have all CVEs in the same scope and make it easier to update if needed (contacting one entity only).

But there are other options. For example, Ygreky is a CNA, so I can assign from our pool if needed.

And that brings again the question if YP desires to become a CNA.

Kind regards
Marta

> Also drop "If an upstream project does not respond quickly" down a
> heading level.
>
> Signed-off-by: Paul Barker <paul@pbarker.dev>
> ---
> documentation/security-reference/security-team.rst | 26 +++++++---------------
> 1 file changed, 8 insertions(+), 18 deletions(-)
>
> diff --git a/documentation/security-reference/security-team.rst b/documentation/security-reference/security-team.rst
> index 7ec1dda02e0c..c83ada17eb56 100644
> --- a/documentation/security-reference/security-team.rst
> +++ b/documentation/security-reference/security-team.rst
> @@ -56,31 +56,21 @@ original reporter in the loop. There is also sometimes > some coordination for > handling patches, backporting patches etc, or just understanding the > problem > or what caused it. > > -When the fix is publicly available, the YP security team member or the > -package maintainer sends patches against the YP code base, following usual > -procedures, including public code review. > - > -What Yocto Security Team does when it receives a security vulnerability > -======================================================================= > - > -The YP Security Team team performs a quick analysis and would usually > report > -the flaw to the upstream project. Normally the upstream project analyzes > the > -problem. If they deem it a real security problem in their software, they > -develop and release a fix following their own security policy. They may > want > -to include the original reporter in the loop. There is also sometimes some > -coordination for handling patches, backporting patches etc, or just > -understanding the problem or what caused it. > - > The security policy of the upstream project might include a notification > to > Linux distributions or other important downstream projects in advance to > discuss coordinated disclosure. These mailing lists are normally > non-public. > > When the upstream project releases a version with the fix, they are > responsible > -for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number > assigned and > -the CVE record published. > +for contacting an appropriate CVE Numbering Authority (CNA), such as > `Mitre > +<https://cveform.mitre.org/>`__, to get a CVE number assigned and the CVE > +record published. > + > +When the fix is publicly available, the YP security team member or the > +package maintainer sends patches against the YP code base, following usual > +procedures, including public code review. 
> > If an upstream project does not respond quickly > -=============================================== > +----------------------------------------------- > > If an upstream project does not fix the problem in a reasonable time, > the Yocto's Security Team will contact other interested parties (usually > > -- > 2.43.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9572): > https://lists.yoctoproject.org/g/docs/message/9572 > Mute This Topic: https://lists.yoctoproject.org/mt/119635127/5827677 > Group Owner: docs+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/docs/unsub [ > rybczynska@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
On Thu, 2026-06-04 at 07:33 +0200, Marta Rybczynska via lists.yoctoproject.org wrote:

> On Wed, 3 Jun 2026, 21:45 Paul Barker via lists.yoctoproject.org, <paul=pbarker.dev@lists.yoctoproject.org> wrote:
>
> > The section "What Yocto Security Team does when it receives a security
> > vulnerability" duplicated information already found in the previous
> > section "Security Team Operations", so merge the sections and tidy up
> > the flow of the text.
> >
> > While we're editing this, Mitre is now just one of the places you can go
> > to get a CVE assigned, many other CVE Numbering Authorities (CNAs) are
> > available. They also now have a web form for contact and requesting CVE
> > assignment so let's link directly to that.
>
> Assigning CVEs from different CNAs for the same project has heavy
> disadvantages, and it has been an option since the beginning.
>
> I originally wrote only about Mitre, to have all CVEs in the same scope and
> make it easier to update if needed (contacting one entity only).
>
> But there are other options. For example, Ygreky is a CNA, so I can assign
> from our pool if needed.

Hi Marta,

I think it's misleading to only mention Mitre as if it's the only CNA; for example, the Linux kernel is now the preferred CNA for their project.

> And that brings again the question if YP desires to become a CNA.

I've discussed this with Richard, and we're currently of the opinion that it isn't worth the additional work for us. Being our own CNA for Yocto Project would only apply for software we directly publish (bitbake, metadata layers, layerindex, wic, etc), not for upstream projects for which we have recipes, so the scope is narrow. The overwhelming majority of CVEs we deal with are in upstream software, not in our direct components.

Best regards,
diff --git a/documentation/security-reference/security-team.rst b/documentation/security-reference/security-team.rst index 7ec1dda02e0c..c83ada17eb56 100644 --- a/documentation/security-reference/security-team.rst +++ b/documentation/security-reference/security-team.rst 
@@ -56,31 +56,21 @@ original reporter in the loop. There is also sometimes some coordination for handling patches, backporting patches etc, or just understanding the problem or what caused it. -When the fix is publicly available, the YP security team member or the -package maintainer sends patches against the YP code base, following usual -procedures, including public code review. - -What Yocto Security Team does when it receives a security vulnerability -======================================================================= - -The YP Security Team team performs a quick analysis and would usually report -the flaw to the upstream project. Normally the upstream project analyzes the -problem. If they deem it a real security problem in their software, they -develop and release a fix following their own security policy. They may want -to include the original reporter in the loop. There is also sometimes some -coordination for handling patches, backporting patches etc, or just -understanding the problem or what caused it. - The security policy of the upstream project might include a notification to Linux distributions or other important downstream projects in advance to discuss coordinated disclosure. These mailing lists are normally non-public. When the upstream project releases a version with the fix, they are responsible -for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and -the CVE record published. +for contacting an appropriate CVE Numbering Authority (CNA), such as `Mitre +<https://cveform.mitre.org/>`__, to get a CVE number assigned and the CVE +record published. + +When the fix is publicly available, the YP security team member or the +package maintainer sends patches against the YP code base, following usual +procedures, including public code review. 
If an upstream project does not respond quickly -=============================================== +----------------------------------------------- If an upstream project does not fix the problem in a reasonable time, the Yocto's Security Team will contact other interested parties (usually
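Review bot: The rewritten sentence in this hunk tells upstream projects to contact "an appropriate CVE Numbering Authority (CNA)" but links only the Mitre request form and drops the previous `https://www.cve.org/` link, so a reader is given no pointer to any CNA other than Mitre even though the text now says several exist (the reply in this thread notes that the Linux kernel is now the preferred CNA for its own project). Consider keeping the cve.org link beside the form, e.g. "for contacting an appropriate CVE Numbering Authority (CNA, see <https://www.cve.org/>), such as `Mitre <https://cveform.mitre.org/>`__, to get a CVE number assigned". While the heading below is being touched, the trailing context line "the Yocto's Security Team will contact" would read better as "the Yocto Project Security Team will contact".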
The section "What Yocto Security Team does when it receives a security vulnerability" duplicated information already found in the previous section "Security Team Operations", so merge the sections and tidy up the flow of the text.

While we're editing this, Mitre is now just one of the places you can go to get a CVE assigned, many other CVE Numbering Authorities (CNAs) are available. They also now have a web form for contact and requesting CVE assignment so let's link directly to that.

Also drop "If an upstream project does not respond quickly" down a heading level.

Signed-off-by: Paul Barker <paul@pbarker.dev>
---
documentation/security-reference/security-team.rst | 26 +++++++---------------
1 file changed, 8 insertions(+), 18 deletions(-)