Re: [yocto] Dropbear and deprecated ssh-rsa issue

2024-06-20 Thread Marta Rybczynska
On Wed, Jun 19, 2024 at 7:04 PM Mehmet Fide via lists.yoctoproject.org wrote: > Yes, I believe I can do that. But there are a couple of options, I'm not > sure which one should be followed: > 1. Replace rsa key with ecdsa and continue with ecdsa support only. (this > disables rsa mode) > 2. Keep rsa mo

Re: [yocto] SPDX for dependency checks

2024-07-24 Thread Marta Rybczynska
On Wed, Jul 24, 2024 at 7:08 AM Tom Isaacson via lists.yoctoproject.org wrote: > We're using Kirkstone and wanted to take advantage of the SPDX support > to use for dependency checking. The two apps we have access to are: > 1. Github Dependabot > ( > https://docs.github.com/en/code-security/getti

Re: [yocto] CVEs and OSS info for nested dependencies

2024-07-31 Thread Marta Rybczynska
On Wed, Jul 31, 2024 at 10:03 AM Steven Dorigotti via lists.yoctoproject.org wrote: > Hello, > > I think I have come across some limitations in CVE and OSS handling for > internal dependencies. > > As a practical example to make this clear, let’s take this CVE: > https://nvd.nist.gov/vuln/detail/

Re: [yocto] CVEs and OSS info for nested dependencies

2024-07-31 Thread Marta Rybczynska
On Wed, Jul 31, 2024 at 1:28 PM Peter Marko via lists.yoctoproject.org wrote: > > > -Original Message- > > From: Steven Dorigotti > > Sent: Wednesday, July 31, 2024 13:20 > > To: Marko, Peter (ADV D EU SK BFS1) > > Cc: yocto@lists.yoctoproject.org > > Subject: Re: [yocto] CVEs and OSS i

Re: [yocto] - Poky Kirkstone - [cve-update-db-native] - CERTIFICATE_VERIFY_FAILED

2024-08-27 Thread Marta Rybczynska
On Tue, Aug 27, 2024 at 1:18 PM Bongini, Simone via lists.yoctoproject.org wrote: > Hello All, > my first post here. > > I'm trying to check my yocto build against cve introducing > INHERIT += "cve-check" > in my local.conf > > But I got > WARNING: cve-update-db-native-1.0-r0 do_fetch: Failed to

[yocto] [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions

2021-08-24 Thread Marta Rybczynska
Compilers and related utils are better restricted on production platforms. Change permissions of all installed binutils tools to remove access from users outside of the root group. This also demonstrates how to restrict file permissions in a hardened distribution. Signed-off-by: Marta Rybczynska

[yocto] [meta-hardening][PATCH] README: fix mailing lists

2021-08-24 Thread Marta Rybczynska
The address included in the meta-hardening documentation does not work and was changed in other places in 2019. Signed-off-by: Marta Rybczynska --- meta-hardening/README | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-hardening/README b/meta-hardening/README index

[yocto] [meta-tpm][PATCH] README: fix mailing lists and a typo

2021-08-25 Thread Marta Rybczynska
A number of typo fixes: - tmp->tpm in the DISTRO_FEATURES - update the mailing list address as it was out of date - update the distro name in the subject Signed-off-by: Marta Rybczynska --- meta-tpm/README | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta-

[yocto] [meta-tpm][PATCH v2] README: fix mailing lists and a typo

2021-08-25 Thread Marta Rybczynska
A number of typo fixes: - tmp->tpm in the DISTRO_FEATURES - update the mailing list address as it was out of date - update the distro name in the subject Signed-off-by: Marta Rybczynska --- meta-tpm/README | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta-

Re: [yocto] [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions

2021-08-30 Thread Marta Rybczynska
(correcting the wrong list address) On Fri, Aug 27, 2021 at 6:07 AM akuster808 wrote: > Marta, > > On 8/24/21 11:05 PM, Marta Rybczynska wrote: > > Compilers and related utils are better restricted on production > platforms. > > Change permissions of all installed

Re: [yocto] [oe] Inclusive Language Proposal for YP/OE

2022-02-21 Thread Marta Rybczynska
On Mon, Jan 24, 2022 at 5:18 PM Jon Mason wrote: > CVE_CHECK_PN_WHITELIST -> CVE_CHECK_SKIPRECIPE > CVE_CHECK_WHITELIST -> CVE_CHECK_IGNORECVE > When running master-next I have found one missing rename, cve-check has "CVE STATUS" result which is still Patched, Unpatched, Whitelisted. I propose t

[yocto] [meta-zephyr] meets create-spdx

2022-07-01 Thread Marta Rybczynska
Hello all, We're trying to use create-spdx.bbclass with meta-zephyr. However, this is failing with errors like the one at the bottom of the message. While digging deeper, it is hard to reproduce reliably (but happens at different recipes and frequently enough to have it at every build). The workaro

Re: [yocto] cve check report package version mismatch #yocto

2022-07-06 Thread Marta Rybczynska
On Tue, Jul 5, 2022 at 2:31 PM wrote: > > I used the cve check class by including it in the local.conf and then ran the > bitbake build process for my image. I got a log of all the detected CVEs in > the packages used in the build. However, on closer inspection, I noticed that > the packages us

Re: [yocto] [OE-core] Yocto Project Status 02 August 2022 (WW31)

2022-08-02 Thread Marta Rybczynska
On Tue, Aug 2, 2022 at 4:49 PM Neal Caidin wrote: > > Current Dev Position: YP 4.1 M3 > > Next Deadline: 22nd August 2022 YP 4.1 M3 Build > > > Next Team Meetings: > > Bug Triage meeting Thursday August 4th 7:30 am PDT > (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09) > > Weekl

[yocto] Security processes: YP needs

2023-09-13 Thread Marta Rybczynska
Hello, I've been working recently on collecting what works and what doesn't in YP security processes. The goal is to go forward and define an actionable strategy! Today, I'd like to share with you the summary of what I have heard as needs from several people (those in Cc:). I want the community t

Re: [yocto] [Openembedded-architecture] Security processes: YP needs

2023-09-14 Thread Marta Rybczynska
On Wed, Sep 13, 2023 at 2:33 PM Mikko Rapeli wrote: > > Hi, > > On Wed, Sep 13, 2023 at 01:52:19PM +0200, Marta Rybczynska wrote: > > Hello, > > I've been working recently on collecting what works and what doesn't > > in YP security processes.

Re: [yocto] [Openembedded-architecture] Security processes: YP needs

2023-09-14 Thread Marta Rybczynska
that > direction. > Thank you Alex! > > More responses inline. > > On 9/13/23 07:52, Marta Rybczynska via lists.openembedded.org wrote: > > * CVEs: Visibility if YP is vulnerable or not > > > > People want to be able to check/look up a specific CVE; it m

[yocto] YP/OE event around FOSDEM 2024?

2023-09-22 Thread Marta Rybczynska
Hello, Is there a plan to have an OE/YP event around FOSDEM? As a reminder, FOSDEM 2024 is on the 3rd and 4th of February 2024 in Brussels. I'm asking, because related events are already being scheduled around... Kind regards, Marta

Re: [Openembedded-architecture] [yocto] Security processes: YP needs

2023-09-27 Thread Marta Rybczynska
ool that manages CVE scanning of > build images, with hooks to a number existing CVE scanners (e.g. Trivy) in > addition to other vulnerability metrics. This is probably out of scope to YP > at this time, but it is perhaps something to grow in to. > > -Original Message-

Re: [Openembedded-architecture] [yocto] Security processes: YP needs

2023-09-27 Thread Marta Rybczynska
t file is part of my code update, so you can get that for free. > Thanks! David > > -Original Message- > From: Marta Rybczynska > Sent: Wednesday, September 27, 2023 12:18 AM > To: Reyna, David > Cc: yocto-secur...@lists.yoctoproject.org; OE-core < > openembedded-c...@

Re: [yocto] SPDX generation fails every second time the image is created

2023-09-28 Thread Marta Rybczynska
Hello David, I haven't encountered this one, but it looks like a race condition. Could you tell us which exact version of the YP you are using? What is your configuration, if you can share (which layers and packages are activated, especially)? Kind regards, Marta On Thu, Sep 28, 2023 at 4:20 PM David

[yocto] Yocto Project security work in progress: call for contributions

2023-09-29 Thread Marta Rybczynska
Hello all, There's ongoing work on the YP security and we have had an interesting discussion during the weekly meeting on September 26. Slides used are available from the wiki [1]. If you're interested in security subjects, please comment on the content. Two processes are currently in the works:

[yocto] SRTool usage for CVE management at YP

2023-10-17 Thread Marta Rybczynska
Hello all, There's a discussion pending on the usage of SRTool and CVE management for the Yocto project in general. It is related to the need to have a list of CVEs the project is affected by, those fixed, and those by which we know we are not affected. In the previous episode, we had a demo of S

[yocto] CVE management and SRTool test update

2023-10-23 Thread Marta Rybczynska
Dear all, Here's the update on our CVE management research work for YP. Context: a frequent request is to be able to answer "is YP affected by this particular CVE". We have a part of an answer in cve-check, but not the triage of issues by which YP is not affected at all. This research includes two ele
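The question at the centre of this thread, "is YP affected by this particular CVE", can be partly answered from the JSON report that cve-check already writes. The following is an added example, not code from the thread or from the Yocto Project: it reads a report in the shape produced by cve-check.bbclass (the field names "package", "name", "version", "issue", "id" and "status" are assumed from that class; the report content itself is constructed) and separates the cases the message draws apart: Unpatched (affected), Patched (fixed), Ignored or Whitelisted (triaged as not affected), and a CVE that does not appear at all, which is exactly the gap where cve-check gives no visibility. When the same CVE is recorded against several recipes, the worst status wins.

```python
"""Triage one CVE against a Yocto cve-check JSON report (added example)."""
import json

# Constructed sample in the shape of cve-check's JSON output. Field names are
# assumed from cve-check.bbclass; the recipes, versions and CVE ids below are
# placeholders invented for this example, not real findings.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "layer": "meta", "version": "3.0.13",
         "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2099-0001", "status": "Patched"},
             {"id": "CVE-2099-0002", "status": "Patched"},
         ]},
        {"name": "zlib", "layer": "meta", "version": "1.3.1",
         "products": [{"product": "zlib", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2099-0001", "status": "Unpatched"},
         ]},
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2099-0003", "status": "Ignored"},
         ]},
    ],
})

# Higher rank = worse for the image. "Whitelisted" is the pre-rename spelling
# of "Ignored" mentioned elsewhere in this archive and is treated the same.
STATUS_RANK = {"Unpatched": 3, "Patched": 2, "Ignored": 1, "Whitelisted": 1}
VERDICT_FOR_RANK = {3: "affected", 2: "fixed", 1: "not-affected"}


def find_hits(report_json, cve_id):
    """Return every (recipe, version, status) entry recording cve_id."""
    report = json.loads(report_json)
    hits = []
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("id") == cve_id:
                hits.append((pkg.get("name", "?"),
                             pkg.get("version", "?"),
                             issue.get("status", "Unknown")))
    return hits


def triage_cve(report_json, cve_id):
    """Answer 'is this build affected by cve_id?' from the cve-check report.

    Verdicts: 'affected' (some recipe Unpatched), 'fixed' (all Patched),
    'not-affected' (only Ignored/Whitelisted), 'unknown' (unrecognised
    status string) or 'no-visibility' (the CVE is not in the report at all,
    so cve-check cannot say anything about it).
    """
    hits = find_hits(report_json, cve_id)
    if not hits:
        return {"cve": cve_id, "verdict": "no-visibility", "hits": []}
    worst_rank = max(STATUS_RANK.get(status, 0) for _, _, status in hits)
    verdict = VERDICT_FOR_RANK.get(worst_rank, "unknown")
    return {"cve": cve_id, "verdict": verdict, "hits": hits}


def summarize(report_json):
    """Map every CVE id in the report to its overall verdict."""
    report = json.loads(report_json)
    ids = {issue.get("id")
           for pkg in report.get("package", [])
           for issue in pkg.get("issue", [])}
    return {cve: triage_cve(report_json, cve)["verdict"] for cve in sorted(ids)}


if __name__ == "__main__":
    for cve in ("CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0004"):
        result = triage_cve(SAMPLE_REPORT, cve)
        print(cve, result["verdict"], result["hits"])
```

Point the loader at the real report (for example the `*.json` cve-check writes next to the image) instead of SAMPLE_REPORT and the same functions apply; the "no-visibility" verdict is the case this thread is about, since a CVE that no recipe's CPE matches never reaches the report and therefore cannot be triaged from it.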

Re: [yocto] Need comments or plan on User- group guidelines which is making us away from commercial products

2023-10-31 Thread Marta Rybczynska
On Wed, Nov 1, 2023 at 6:43 AM Ravi Kumar wrote: > > Hi team, > Most of the IoT lines have been deployed on Yocto; now the new > trend/requirement is security. > On Yocto we see that we moved away from making everyone root and every > resource on the device tree accessible. > Where it creat

Re: [yocto] CVE Scanners and Package Version

2024-01-04 Thread Marta Rybczynska
I will reply here to multiple issues raised in this thread. On Tue, Jan 2, 2024 at 10:46 PM Adrian Freihofer wrote: > > On Tue, 2024-01-02 at 09:24 +0200, Mikko Rapeli wrote: > > Hi, > > > > On Sat, Dec 23, 2023 at 02:47:36AM -0800, fabian.hanke via > > lists.yoctoproject.org wrote: > > > Hello Y