On Mon, Feb 24, 2020 at 08:32:24AM -0800, akuster808 wrote:
>...
> On 2/23/20 9:17 PM, Adrian Bunk wrote:
> > On Sun, Feb 23, 2020 at 04:25:18PM -0800, Khem Raj wrote:
> >> On Sun, Feb 23, 2020 at 11:34 AM Adrian Bunk <b...@stusta.de> wrote:
> >>> rpm was the last user in OE-core.
> >> we should also assess external dependencies especially on libraries,
> >> there might be layers which do not depend on meta-oe but use nss
> >> or enable nss packageconfigs in core components like curl.
> >> ...
> > Is providing a crypto library in OE-core without providing security
> > support better than not shipping it?
> >
> > nss in warrior seems to lack fixes for at least 5 CVEs.
>
> I don't see how that is relevant to the RFC?
>...

It is a crypto library with a history of unfixed CVEs in supported
stable Yocto releases.

> - armin

cu
Adrian