Yocto Project Summit 2025.12

From CVEs to Compliance: Strengthening Security for EU RED GEC-1 with Yocto
2025-12-03 , Walnascar

Meeting EU RED GEC-1 compliance requires a stronger focus on identifying and addressing vulnerabilities in embedded Linux systems. This talk shares lessons learned from building a practical CVE monitoring and remediation workflow using Yocto’s cve-check and related tooling.


As regulatory frameworks like EU RED introduce stricter cybersecurity requirements, maintaining visibility into vulnerabilities has become critical for embedded Linux developers. This talk walks through the process of improving a security posture to meet GEC-1 compliance goals using the Yocto Project’s cve-check tool and related workflows.

Topics include:
* How to use and extend cve-check for ongoing vulnerability tracking
* Challenges of applying security updates in long-lived products
* Strategies for prioritizing fixes and handling false positives
* Lessons learned integrating compliance requirements into a Yocto-based workflow
* The role of meta-lts-collab in supporting long-term maintenance

While specific implementation details will remain high-level, the goal is to share actionable insights for teams working toward stronger security and compliance practices with Yocto.
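As an added example of the post-processing a cve-check workflow needs for the prioritization and false-positive handling listed above (this is editor-written illustration code, not material from the talk or the Yocto Project's own tooling): it reads a cve-check JSON summary, buckets Unpatched CVEs by CVSS score, flags Ignored entries that carry no recorded reason, and emits `CVE_STATUS` lines for a bbappend. The embedded input is constructed sample data with placeholder package names and CVE identifiers, assumed to follow the field layout cve-check writes when `CVE_CHECK_FORMAT_JSON = "1"` is set; the 7.0 threshold and the helper names are the example's own choices.

```python
"""Triage a Yocto cve-check JSON summary (added example, not project code).

Assumption: the summary has the shape written by cve-check.bbclass with
CVE_CHECK_FORMAT_JSON = "1" (tmp/log/cve/cve-summary.json): a list of
"package" objects, each with an "issue" list whose entries carry
id / status / scorev2 / scorev3, and, for Ignored entries recorded via
CVE_STATUS, a "detail" (reason category) and "description".
"""
import json
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample data: placeholder CVE ids and versions, not a real scan.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "layer": "meta", "version": "0.0.0",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-0000-0001", "status": "Unpatched", "scorev2": "5.0", "scorev3": "9.8", "vector": "NETWORK"},
             {"id": "CVE-0000-0002", "status": "Patched", "scorev2": "4.3", "scorev3": "6.5", "vector": "NETWORK"},
             {"id": "CVE-0000-0003", "status": "Ignored", "scorev2": "2.1", "scorev3": "0.0", "vector": "LOCAL",
              "detail": "not-applicable-config", "description": "applet not enabled in defconfig"},
             {"id": "CVE-0000-0006", "status": "Unpatched", "scorev2": "2.1", "scorev3": "3.3", "vector": "LOCAL"},
         ]},
        {"name": "openssl", "layer": "meta", "version": "0.0.0",
         "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-0000-0004", "status": "Unpatched", "scorev2": "7.5", "scorev3": "7.5", "vector": "NETWORK"},
             # Ignored without any recorded reason: must be caught, not silently accepted.
             {"id": "CVE-0000-0005", "status": "Ignored", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK"},
         ]},
    ],
})


def load_summary(text):
    """Parse the JSON text of a cve-check summary."""
    return json.loads(text)


def issue_score(issue):
    """Prefer CVSS v3; cve-check writes '0.0' when a score is absent, so fall back to v2."""
    v3 = float(issue.get("scorev3") or 0.0)
    v2 = float(issue.get("scorev2") or 0.0)
    return v3 if v3 > 0 else v2


def triage(summary, threshold=7.0):
    """Bucket every issue: urgent/deferred Unpatched, count Patched, flag unjustified Ignored."""
    report = {"urgent": [], "deferred": [], "patched": 0, "ignored_without_reason": []}
    for pkg in summary.get("package", []):
        name = pkg["name"]
        for issue in pkg.get("issue", []):
            cve = issue["id"]
            if not CVE_ID.match(cve):
                raise ValueError(f"malformed CVE id {cve!r} in package {name}")
            status = issue.get("status")
            if status == "Patched":
                report["patched"] += 1
            elif status == "Ignored":
                # An Ignored entry is only defensible if CVE_STATUS recorded a reason.
                if not issue.get("detail"):
                    report["ignored_without_reason"].append((name, cve))
            elif status == "Unpatched":
                entry = (name, cve, issue_score(issue))
                report["urgent" if entry[2] >= threshold else "deferred"].append(entry)
            else:
                raise ValueError(f"unknown status {status!r} for {cve} in {name}")
    for bucket in ("urgent", "deferred"):
        report[bucket].sort(key=lambda e: (-e[2], e[0], e[1]))
    return report


def cve_status_lines(summary):
    """Render justified Ignored entries as CVE_STATUS lines for a recipe .bbappend."""
    lines = []
    for pkg in summary.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") == "Ignored" and issue.get("detail"):
                reason = issue.get("description", "").strip()
                lines.append(f'CVE_STATUS[{issue["id"]}] = "{issue["detail"]}: {reason}"')
    return lines


if __name__ == "__main__":
    summary = load_summary(SAMPLE_SUMMARY)
    report = triage(summary)
    for name, cve, score in report["urgent"]:
        print(f"URGENT   {name:<12} {cve} CVSS {score}")
    for name, cve, score in report["deferred"]:
        print(f"DEFERRED {name:<12} {cve} CVSS {score}")
    for name, cve in report["ignored_without_reason"]:
        print(f"REVIEW   {name:<12} {cve} ignored with no CVE_STATUS reason")
    print("\n".join(cve_status_lines(summary)))
```

In a real pipeline the summary would be read from `tmp/log/cve/cve-summary.json` after a build with `INHERIT += "cve-check"`, and a non-empty `ignored_without_reason` list would fail the job, so that every suppression is traceable to a recorded justification rather than a bare ignore.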

Colin McAllister is a software engineer at Garmin, where he focuses on advancing the security, core infrastructure, and development tooling that power Garmin Marine's diverse range of embedded Linux products. His passion for embedded Linux began in 2017 while working on a telematics project in college, sparking a deep interest in building reliable and efficient systems. Colin has contributed to the Yocto Project, along with various third-party meta-layers, SWUpdate, U-Boot, and BusyBox.