Working with the open source community is very rewarding, and the Linux team at Wind River has helped hundreds of customers tap into open source innovation over many years.
Guest blog by Andreea Volosincu.
This month, efforts culminated in the latest release of Wind River Linux – now in its 9th edition. Wind River Linux 9 provides a steady stream of support and risk mitigation services for the latest code from the most important open source projects and most recent technologies.
It comes with technology upgrades, including adoption of the Yocto Project 2.2 release, kernel version 4.8 and toolchain version 6.2. All the latest code – like support for vmapped stacks and Memory Protection Keys (MPK) for greater security – is accessible to customers, and is maintained and protected by Wind River. Customers don’t have to worry about backporting new features to older kernels, or about maintaining packages themselves once those packages are obsolete in the open source community.
This is what allows our customers to leverage the economies of scale from the Open Source community.
The open source landscape has changed quite a bit over the years, but for us, working with the Linux community, filling in the gaps and meeting the key needs that support and accelerate product development and production have remained constant.
As we continuously adapt to the open source community, here are just a few examples, straight from the open source forums and mailing lists:
Protection against security vulnerabilities and zero-day attacks
“We are using eglibc-2.19-svnr25243 within Yocto. Is this version vulnerable to CVE-2015-7547? If yes, is there a patch available for that issue?”
This kind of message shows up on community forums when new security vulnerabilities are announced. Time is always the critical element in these cases, and our solution is to implement a continuous monitoring strategy. All the source code that goes into a Wind River Linux release is carefully monitored against security vulnerabilities. In this latest release, Wind River has also implemented a new searchable Wind River security vulnerabilities database. Not only can you search for specific vulnerabilities, but you can also access the required patches.
This is pretty handy in a world where there are more than 6000 reported vulnerabilities every year. Wind River monitors and fixes all Linux vulnerabilities that affect our products, and that helps to keep our customers from having to randomly search for fixes online, and keeps them protected.
Open Source License Compliance
“…the recipe is partly GPL3+, and partly under this license: https://github.com/rafalmiel/glmark2-wl/blob/master/COPYING.SGI, which is not in this list: https://wiki.yoctoproject.org/wiki/License_Infrastructure_Interest_Group#Licenses. Is there any way to deal with that license? What should I put in the LICENSE field in my recipe?”
For Yocto Project users, there is a comprehensive list of commonly used licenses in OE-Core under meta/files/common-licenses. However, what do you do if a package has a license that is not available in common-licenses? Look for it? Add it? How can you be sure you are using the right one?
Adherence to licensing compliance and export disclosure requirements is not optional, and not relying on good data can prove costly and painful for downstream customers – exposing them to the risk of fees and fines, business disruption and lawsuits. Standards are emerging that can streamline the process and put all parties on the same page. As software-powered products progress through the development chain, Wind River products are backing them up, providing peace of mind and assurance to all partners in the supply chain.
Open Source Package Maintenance
“Is there a fix for a bug with dpkg-native with sstate-cache?”
Lastly, there will always be bugs to fix, features to add, product enhancements that customers want. If someone is building an image for a commercial product, and adding all sorts of proprietary apps on top of it, there will always be Linux components that need adjusting. The question is: do you want to deal with that alone, or rely on a dependable and steady flow of fixes? The Open Source community moves very fast, often faster than the rate at which users can digest the work. Wind River is a bridge between a commercial, stable platform, and the open source community’s rapid development model. Wind River stays vigilant even after its annual release with monthly product updates that keep the platform fresh and also expand support for new hardware.
The open source release cadence is extraordinary. New Linux kernels are developed roughly every 70 days, and with them come new features and enhancements. Accessing these enhancements means either using the latest code, or backporting, and backporting, and even more backporting. Every project manager out there recognises this for the slippery slope that it is. So working with the latest code supported by a reliable commercial vendor provides the stability that removes a lot of risks and headaches from a customer’s project.
Seeing what issues are being discussed in open source forums is always insightful, and Wind River works with the open source community to address them in a timely manner.
Courtesy of Wind River.