On 10/16/2014 11:27 AM, Otavio Salvador wrote:
On Thu, Oct 16, 2014 at 1:45 PM, Burton, Ross <ross.bur...@intel.com> wrote:
On 15 October 2014 16:31, Burton, Ross <ross.bur...@intel.com> wrote:
There's a openssl 1.0.1j out now (fixing FOUR (!) CVEs, including
"disabling SSLv3 didn't work"...). I think considering the situation
we'd take the upgrade for dizzy, even though we've frozen. Anyone
volunteering to take lead of upgrading dizzy to 1.0.1j and backporting
the relevant patches to the previous releases? (eg daisy is on
1.0.1g).
For anyone else interested, I've currently got 1.0.1j patches for
dizzy in testing. There's been debate over whether we backport the
fixes to daisy's 1.0.1g, or upgrade as the number of fixes is
growing...
I think the upgrade is the way to go. We are likely to break 1.0.1g
someday during backporting of security fixes.
In this case I would agree. Updating daisy makes sense as we are only
dealing with a minor version update.
- Armin
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
