From patchwork Wed Oct 26 13:12:06 2022
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 14431
From: mikko.rapeli@linaro.org
To: docs@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [PATCH 3/4] common-tasks.rst: add regular updates and CVE scans to security best practices
Date: Wed, 26 Oct 2022 16:12:06 +0300
Message-Id: <20221026131207.3655961-4-mikko.rapeli@linaro.org>
In-Reply-To: <20221026131207.3655961-1-mikko.rapeli@linaro.org>
References: <20221026131207.3655961-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3408

From: Mikko Rapeli

Regular security scans and updates to fix issues and updates from upstream maintainers are best practices.

Signed-off-by: Mikko Rapeli
---
 documentation/dev-manual/common-tasks.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 53e7686633..dff7e1fd5c 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -6231,6 +6231,13 @@ more secure: vulnerabilities discovered in the future. This consideration especially applies when your device is network-enabled. +- Regularly scan and apply fixes for CVE security issues affecting + all SW components in the product, see ":ref:`dev-manual/common-tasks:checking for vulnerabilities`". + +- Regularly update your version of Poky and OE-Core from their upstream + developers, e.g. to apply updates and security fixes from stable + and LTS branches. + - Ensure you remove or disable debugging functionality before producing the final image. For information on how to do this, see the ":ref:`dev-manual/common-tasks:considerations specific to the openembedded build system`"
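Review bot: the second added bullet only tells readers to update Poky and OE-Core, while the bullet just above it asks for fixes to "all SW components in the product"; a product image is normally built from additional BSP and vendor layers as well, and recipes in those layers stay unpatched if only the core is refreshed. Suggest widening it to something like "Regularly update your version of Poky, OE-Core and any other layers your product uses from their upstream developers, e.g. to apply updates and security fixes from stable and LTS branches." In the first bullet, "all SW components" should be spelled out as "all software components" to match the wording of the surrounding manual text, which does not use the "SW" abbreviation.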