Last week, we participated in the Yocto Project Summit 2023.11, held online from November 28 to 30, with several interesting presentations regarding the Yocto Project itself and various use cases.
Marta Rybczynska led two sessions. The first one explained the procedure for submitting fixes for known security issues, CVE (Common Vulnerabilities and Exposures) fixes, to the Yocto Project. Developers can learn about such issues from multiple sources, such as the output of cve-check runs. In “stable” branches, the fix usually requires backporting an upstream patch. Most of the submission process is the same as for any other bug, but there are small yet significant differences to accommodate the cve-check tool: the developer should name the patch after the CVE number and add a “CVE:” tag inside the patch carrying that same identifier. Marta also shared submission hints, such as using devtool when the original upstream patch does not apply cleanly and needs modification. Refer to the slides below; the video link will be posted when available.
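As an added illustration of the naming and tagging convention described above (an example written here, not code from the talk or from the Yocto Project), a small pre-submission check that a patch carries the CVE number in its file name and a matching “CVE:” tag in its description; the patch contents and CVE number are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# CVE identifier: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "CVE:" tag line in the patch description; it may list several identifiers.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)


def check_cve_patch(filename, patch_text):
    """Return a list of problems; empty means the patch follows the convention.

    Checks that the file name carries the CVE number, that the description
    carries a 'CVE:' tag (what cve-check reads), and that the two agree.
    """
    problems = []
    name_ids = set(CVE_RE.findall(PurePosixPath(filename).name))
    if not name_ids:
        problems.append("file name does not contain a CVE number")
    # Only the description before the '---' separator is the patch header.
    tag = CVE_TAG_RE.search(patch_text.split("\n---", 1)[0])
    tag_ids = set(CVE_RE.findall(tag.group(1))) if tag else set()
    if tag is None:
        problems.append("no 'CVE:' tag in the patch header")
    elif not tag_ids:
        problems.append("'CVE:' tag does not name a valid CVE identifier")
    if name_ids and tag_ids and not name_ids & tag_ids:
        problems.append("file name and 'CVE:' tag name different CVEs: "
                        f"{sorted(name_ids)} vs {sorted(tag_ids)}")
    return problems


# Constructed sample patch (placeholder CVE number, not a real advisory).
GOOD_PATCH = """From: Jane Doe <jane@example.invalid>
Subject: [PATCH] parser: reject oversized length field

CVE: CVE-2023-12345
Upstream-Status: Backport [https://example.invalid/commit/0000000]
Signed-off-by: Jane Doe <jane@example.invalid>
---
diff --git a/parser.c b/parser.c
--- a/parser.c
+++ b/parser.c
@@ -10,1 +10,1 @@
-    if (len > MAX_LEN + 1)
+    if (len > MAX_LEN)
"""
# Same patch with the tag dropped: cve-check would not see it as fixing the CVE.
UNTAGGED_PATCH = GOOD_PATCH.replace("CVE: CVE-2023-12345\n", "")
```

Running the check over a layer's patch files before sending them to the mailing list catches a missing tag or a file-name mismatch that would otherwise leave the CVE reported as unpatched.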
The second session concentrated on the changes in the Yocto Project security area in 2023, including the significant impact of funding from the Sovereign Tech Fund.
Did you know that the project now has a security team? The project also recommends that all layers include a SECURITY.md file telling security researchers whom to contact in case of a security issue.
Marta also described the work in progress. The CVE synchronization effort aims to avoid duplicated work when fixing CVE issues. A team is looking into using SRTool for triage. A proof-of-concept implementation of the upcoming SPDX 3 standard is in the works, too.
Everyone can participate in all of these security initiatives; check the slides for pointers to the relevant wiki pages and discussions.
Slides from this session are available, too.