Re: [OE-core] What to do with vim in openembedded-core?

Fri, 08 May 2026 13:26:55 -0700 

Hello,

On 5/8/26 15:29, Paul Barker wrote:

Hi all,

We have a vim recipe in openembedded-core to provide:
- An editor without the limitations of busybox vi.
- The `xxd` command, used as a runtime dependency of dosfstools-ptest.

However, vim is difficult to maintain in our stable releases. There is a
regular stream of CVEs that need fixing due to the large UI and input
surface of vim, and backporting fixes has proven difficult. This isn't
just a Yocto Project issue, the Debian tracker [1] currently shows 14
unresolved CVEs in Trixie and 15 unresolved CVEs in Bookworm. And, it's
very difficult to share work between distros, as vim tags every commit
as a new release, every distro ends up on a different release and needs
to re-validate any backported patches.

So, I propose we drop vim from openembedded-core on the master branch,
post-wrynose.

We can use tinyxxd [2] to provide xxd, this is based on the vim codebase
and frequently merges changes from upstream.

We can use GNU Nano as our default editor where something more capable
than busybox vi is needed, this has a sensible release model. The much
simpler input model and lack of scripting facility means that CVEs in
nano are much fewer and further between.

If we do this, what should we do with vim? We could move it back to
meta-oe, but that would simply be moving the maintenance burden. We
could stop backporting CVE fixes to vim and recommend that an LTS mixin
layer is used to provide newer versions of vim for stable branches. I'm
open to ideas.

[1]: https://tracker.debian.org/pkg/vim
[2]: https://github.com/xyproto/tinyxxd

Best regards,
Last week I prepared a series splitting vim and xxd in different recipes, but I didn't have the time to send it. I will try to do it ASAP and I think this could avoid dropping vim from oe-core, since xxd would then be handled in a much simpler way. 

I hope I'm not too late in this discussion...

--
Best regards,
João Marcos Costa

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#236738): 
https://lists.openembedded.org/g/openembedded-core/message/236738
Mute This Topic: https://lists.openembedded.org/mt/119214238/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to