Maintenance and Security of a Yocto Project-based Distribution: A Year of Experiences
11-30, 14:40–15:10 (UTC), Langdale

In this talk, Marta will share experiences with the maintenance and security of a Yocto Project-based distribution, the Oniro project. The stories will include: best practices and caveats when following official YP branches, running cve-check and SPDX generation on the whole distribution, and experiences with the yocto-check-layer tool. Marta will also share stories of blocked updates caused by a regression, deciding to fork or not of a 3rd party layer, and more.

Oniro is a distribution designed for product usage, and because of that, it is following Yocto Project LTS branches. First, it was the dunfell branch; now it is following kirkstone. During the last year, the team has implemented several quality and maintenance functions working with and on top of what YP does. That has led to some challenges, from fixing the world build on all included layers to running cve-check regularly on the whole distribution. As a result, the team has faced regressions, corner cases, and more. Marta will share some of the experiences and best practices to apply to your project.

See also: Presentation slides (449.2 KB)

Marta Rybczynska has a network security background, and 20 years of experience in Open Source including 15 years in embedded development.

She has been working with embedded operating systems like Linux and various real-time ones, system libraries, and frameworks up to user interfaces. Her specialties are architecture-specific parts of the Linux kernel. In the past, Marta served as Vice-President and treasurer for KDE e.V. She has been involved in various Open Source projects and also contributed kernel-related guest articles for

In 2021, she founded Syslinbit, an Open Source consulting company. She has been contributing to the Eclipse Oniro project since April 2021 as a consultant.

She has experience with presentations at both scientific and free software conferences, including LinuxCon, Open Source Summit, Embedded Linux Conference, Akademy, FOSDEM, and FOSS-north.