diff mbox series

[meta-security] layer.conf: Update to whinlatter release series

Message ID 20250622173729.13803-1-hiagofranco@gmail.com
State New
Series [meta-security] layer.conf: Update to whinlatter release series

Commit Message

Hiago De Franco June 22, 2025, 5:37 p.m. UTC
From: Hiago De Franco <hiago.franco@toradex.com>

Update to the new Yocto release series.

Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
---
 meta-tpm/conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Francesco Dolcini June 27, 2025, 7:40 a.m. UTC | #1
Hello Marta, Richard, and all

On Sun, Jun 22, 2025 at 02:37:29PM -0300, Hiago De Franco wrote:
> From: Hiago De Franco <hiago.franco@toradex.com>
> 
> Update to the new Yocto release series.

I understand we are on a pivotal moment with meta-security maintainer
discussion [1].

And currently we have our whole integration and testing blocked because
there are build issues on the meta-security layer master branch.

Does anybody see a short-term solution to solve the bare minimum build
issues?

Francesco

[1] https://lore.kernel.org/all/20250623202701.12590-1-akuster808@gmail.com/

Richard Purdie June 27, 2025, 8:09 a.m. UTC | #2
On Fri, 2025-06-27 at 09:40 +0200, Francesco Dolcini wrote:
> Hello Marta, Richard, and all
> 
> On Sun, Jun 22, 2025 at 02:37:29PM -0300, Hiago De Franco wrote:
> > From: Hiago De Franco <hiago.franco@toradex.com>
> > 
> > Update to the new Yocto release series.
> 
> I understand we are on a pivotal moment with meta-security maintainer
> discussion [1].
> 
> And currently we have our whole integration and testing blocked
> because
> there are build issues on the meta-security layer master branch.
> 
> Does anybody see a short-term solution to solve the bare minimum build
> issues?

There are two sides to this. On the one hand, you'd like the issue
resolved ASAP as it sounds like it is causing you a problem. Whether
such a change like this should cause you such a problem and whether you
can in fact work around it is a discussion for another time.

The trouble is as soon as master gets fixed, people will go back to
focusing elsewhere. Many are already finding ways to ignore it until
someone else fixes it. There is a much bigger/deeper issue here.

Since you have a key dependency on the layer, I did have a look at the
commit logs but I don't see any patches from you, which is interesting.

Thankfully we do have a couple of potential volunteers to help but I
was extremely worried we may not have any at all.

Work on layers such as this is hard and as a project we're struggling
with maintainer burnout. A drive for "the bare minimum" bandaid work
isn't going to help anyone and I want to be really clear about that.

I've recently been told I should just "let things break", i.e. stop
spending my life doing diving catches to keep things working/running.
If I do that, I suspect the ride will get a lot rougher.

Cheers,

Richard

Francesco Dolcini June 27, 2025, 8:29 a.m. UTC | #3
Hello Richard,

On Fri, Jun 27, 2025 at 09:09:35AM +0100, Richard Purdie wrote:
> On Fri, 2025-06-27 at 09:40 +0200, Francesco Dolcini wrote:
> > Hello Marta, Richard, and all
> > 
> > On Sun, Jun 22, 2025 at 02:37:29PM -0300, Hiago De Franco wrote:
> > > From: Hiago De Franco <hiago.franco@toradex.com>
> > > 
> > > Update to the new Yocto release series.
> > 
> > I understand we are on a pivotal moment with meta-security maintainer
> > discussion [1].
> > 
> > And currently we have our whole integration and testing blocked
> > because
> > there are build issues on the meta-security layer master branch.
> > 
> > Does anybody see a short-term solution to solve the bare minimum build
> > issues?
> 
> There are two sides to this. On the one hand, you'd like the issue
> resolved ASAP as it sounds like it is causing you a problem. Whether
> such a change like this should cause you such a problem and whether you
> can in fact work around it is a discussion for another time.
> 
> The trouble is as soon as master gets fixed, people will go back to
> focusing elsewhere. Many are already finding ways to ignore it until
> someone else fixes it. There is a much bigger/deeper issue here.
> 
> Since you have a key dependency on the layer, I did have a look at the
> commit logs but I don't see any patches from you, which is interesting.

Hiago is in my team, working for my company, Max the same (both in Cc here).
We send fixes regularly as we see stuff breaking (oe-core, meta-oe, ...).
You'll find commits from my team just grepping for the toradex.com email
address in meta-security, oe-core, meta-oe and so on.

I am genuinely trying to help, because while we can send patches to fix issues,
we need someone to apply those. And Marta already volunteered, and that's great
(thanks Marta!).

The desire to have it building, as the bare minimum, is because once we have
it our CI will just do its job and we can send new patches as issues are seen.

Francesco

Richard Purdie June 27, 2025, 8:45 a.m. UTC | #4
On Fri, 2025-06-27 at 10:29 +0200, Francesco Dolcini wrote:
> Hello Richard,
> 
> On Fri, Jun 27, 2025 at 09:09:35AM +0100, Richard Purdie wrote:
> > On Fri, 2025-06-27 at 09:40 +0200, Francesco Dolcini wrote:
> > > Hello Marta, Richard, and all
> > > 
> > > On Sun, Jun 22, 2025 at 02:37:29PM -0300, Hiago De Franco wrote:
> > > > From: Hiago De Franco <hiago.franco@toradex.com>
> > > > 
> > > > Update to the new Yocto release series.
> > > 
> > > I understand we are on a pivotal moment with meta-security maintainer
> > > discussion [1].
> > > 
> > > And currently we have our whole integration and testing blocked
> > > because
> > > there are build issues on the meta-security layer master branch.
> > > 
> > > Does anybody see a short-term solution to solve the bare minimum build
> > > issues?
> > 
> > There are two sides to this. On the one hand, you'd like the issue
> > resolved ASAP as it sounds like it is causing you a problem. Whether
> > such a change like this should cause you such a problem and whether you
> > can in fact work around it is a discussion for another time.
> > 
> > The trouble is as soon as master gets fixed, people will go back to
> > focusing elsewhere. Many are already finding ways to ignore it until
> > someone else fixes it. There is a much bigger/deeper issue here.
> > 
> > Since you have a key dependency on the layer, I did have a look at the
> > commit logs but I don't see any patches from you, which is interesting.
> 
> Hiago is in my team, working for my company, Max the same (both in Cc here).
> We send fixes regularly as we see stuff breaking (oe-core, meta-oe, ...).
> You'll find commits from my team just grepping for the toradex.com email
> address in meta-security, oe-core, meta-oe and so on.

Fair enough, thanks. I do recognise their names and there are 5 commits
in meta-security from toradex which is appreciated.

> I am genuinely trying to help, because while we can send patches to fix issues,
> we need someone to apply those. And Marta already volunteered, and that's great
> (thanks Marta!).

My point was that bandaiding this as requested can actually make the
problem worse. We need people to realise their dependency and realise
this isn't going to work unless people find a way to inject some time
on the layer.

For example, I know from experience, Marta is very busy. Despite great
intentions, I worry the turnaround time for her on patches might not
meet expectations.

I could easily push some patches into that layer, and I would get an
easier life right now as I'd not be writing these emails. I would
however then get another request to quickly fix something else and it
would spiral. I gave the same response about meta-java recently.

Meanwhile, if I did push changes, people wouldn't see the issue and
would just pretend it was business as usual. Whilst hard, the correct
thing for me to do is not to merge anything and let this play out and
resolve itself.
 
> The desire to have it building, as the bare minimum, is because once we have
> it our CI will just do its job and we can send new patches as issues are seen.

Help with testing and such fixes is good however please do keep in mind
that the layers really need to develop and grow and adapt to the
changing world around them (like the duplication between layers in this
space and the different competing tools). That needs active maintainer
and userbase participation, not just fixing build issues.

I'm spelling this out for people in general to understand the
challenges here...

Cheers,

Richard

Mikko Rapeli June 27, 2025, 9:08 a.m. UTC | #5
Hi,

On Fri, Jun 27, 2025 at 09:45:49AM +0100, Richard Purdie via lists.yoctoproject.org wrote:
> On Fri, 2025-06-27 at 10:29 +0200, Francesco Dolcini wrote:
> > Hello Richard,
> > 
> > On Fri, Jun 27, 2025 at 09:09:35AM +0100, Richard Purdie wrote:
> > > On Fri, 2025-06-27 at 09:40 +0200, Francesco Dolcini wrote:
> > > > Hello Marta, Richard, and all
> > > > 
> > > > On Sun, Jun 22, 2025 at 02:37:29PM -0300, Hiago De Franco wrote:
> > > > > From: Hiago De Franco <hiago.franco@toradex.com>
> > > > > 
> > > > > Update to the new Yocto release series.
> > > > 
> > > > I understand we are on a pivotal moment with meta-security maintainer
> > > > discussion [1].
> > > > 
> > > > And currently we have our whole integration and testing blocked
> > > > because
> > > > there are build issues on the meta-security layer master branch.
> > > > 
> > > > Does anybody see a short-term solution to solve the bare minimum build
> > > > issues?
> > > 
> > > There are two sides to this. On the one hand, you'd like the issue
> > > resolved ASAP as it sounds like it is causing you a problem. Whether
> > > such a change like this should cause you such a problem and whether you
> > > can in fact work around it is a discussion for another time.
> > > 
> > > The trouble is as soon as master gets fixed, people will go back to
> > > focusing elsewhere. Many are already finding ways to ignore it until
> > > someone else fixes it. There is a much bigger/deeper issue here.
> > > 
> > > Since you have a key dependency on the layer, I did have a look at the
> > > commit logs but I don't see any patches from you, which is interesting.
> > 
> > Hiago is in my team, working for my company, Max the same (both in Cc here).
> > We send fixes regularly as we see stuff breaking (oe-core, meta-oe, ...).
> > You'll find commits from my team just grepping for the toradex.com email
> > address in meta-security, oe-core, meta-oe and so on.
> 
> Fair enough, thanks. I do recognise their names and there are 5 commits
> in meta-security from toradex which is appreciated.
> 
> > I am genuinely trying to help, because while we can send patches to fix issues,
> > we need someone to apply those. And Marta already volunteered, and that's great
> > (thanks Marta!).
> 
> My point was that bandaiding this as requested can actually make the
> problem worse. We need people to realise their dependency and realise
> this isn't going to work unless people find a way to inject some time
> on the layer.
> 
> For example, I know from experience, Marta is very busy. Despite great
> intentions, I worry the turnaround time for her on patches might not
> meet expectations.
> 
> I could easily push some patches into that layer, and I would get an
> easier life right now as I'd not be writing these emails. I would
> however then get another request to quickly fix something else and it
> would spiral. I gave the same response about meta-java recently.
> 
> Meanwhile, if I did push changes, people wouldn't see the issue and
> would just pretend it was business as usual. Whilst hard, the correct
> thing for me to do is not to merge anything and let this play out and
> resolve itself.
>  
> > The desire to have it building, as the bare minimum, is because once we have
> > it our CI will just do its job and we can send new patches as issues are seen.
> 
> Help with testing and such fixes is good however please do keep in mind
> that the layers really need to develop and grow and adapt to the
> changing world around them (like the duplication between layers in this
> space and the different competing tools). That needs active maintainer
> and userbase participation, not just fixing build issues.
> 
> I'm spelling this out for people in general to understand the
> challenges here...

FYI, me and a few other colleagues from Linaro also have an interest in
meta-security contributions. I see that it lacks quite a bit of
CI infra and for some of the features like TPM support I'm trying
to contribute the missing pieces.

I think the layer has been in "best effort" state for a longer time
and it should be clear to all users that it's not in the same best-of-class
support status as poky. It may help when creating products but the
maintenance, security support, testing status is a question mark which
users need to handle on their side.

I won't be holding my breath for things to change drastically but can try
to help where the features like TPM match. I hope a maintainer
is found to handle contributions and basically ask the hard questions
around CI and testing. It is fine to ask for a test for regression
fixes and new features. We all will benefit when features can easily
be tested upstream, not just in product configurations. I don't think
more is needed at this time.

Cheers,

-Mikko

Patch

diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 5f96114f29a5..0a461e238757 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@  BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "6"
 
-LAYERSERIES_COMPAT_tpm-layer = "styhead walnascar"
+LAYERSERIES_COMPAT_tpm-layer = "walnascar whinlatter"
 
 LAYERDEPENDS_tpm-layer = " \
     core \
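
Review bot: The `LAYERSERIES_COMPAT_tpm-layer` line drops `styhead` as well as adding `whinlatter`, but the commit message only says "Update to the new Yocto release series". Please state the removal of `styhead` explicitly in the message so that users still building against that series can tell it was intentional. The diffstat also touches only meta-tpm/conf/layer.conf while the subject reads as a meta-security-wide update; say in the message whether only the meta-tpm layer is covered by this patch.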