The Hidden Cost of Scaling Your Prototype


Hi Reader,

As someone who has managed IoT devices at scale at Screenly, I wish I had known what I know now when I first started. Learning about Yocto early on would have saved me a lot of pain. That’s what this episode is about.

“This is why I wanted to do an episode on Yocto: to save people the time and agony we wasted trying to solve this ourselves.”

Why this matters

Here’s the common story. You build a prototype on a Raspberry Pi (or similar). It works. Maybe you launch a Kickstarter. You get traction. Suddenly, you’re shipping real devices.

And here’s the mistake: you take the prototype and try to scale it as-is. That works for a handful of units. It does not work for thousands. Updating them becomes a nightmare. One bad update and you’re stuck pushing fixes in the middle of the night. Or worse, you have a fleet of bricked devices on your hands.

Yocto helps you avoid all that. You build a Linux image tailored to your hardware. It’s minimal, locked down, and built for updates. You ship with fewer bugs and fewer regrets.

Why now

The EU’s Cyber Resilience Act (CRA) is now law. Starting in 2027, connected products sold in Europe must follow strict rules for security and updates.

That may sound far off, but it’s not. If you’re designing hardware in 2025, there’s a good chance it will launch after the CRA kicks in. What you build now decides if your product ships on time or not.

Yocto makes CRA compliance easier. You get reproducible builds, long-term support, and solid tooling for SBOMs (see my blog post) and OTA updates through multiple tools.

Also worth noting: the Linux Foundation now offers a CRA training course. I’ve heard from a few people that it’s solid.

Episode summary

In this episode, I talk with Joshua Watt from Garmin and Ross Burton from Arm. We break down what Yocto is and how to use it in real products.

  • What Yocto is: a way to build your own Linux distro from scratch
  • Why updates matter: "apt update && apt upgrade" works fine on your laptop, not on a fleet of IoT devices in the wild
  • Support windows: Yocto LTS builds get four years of fixes. Some vendors offer ten
  • Reproducible builds: run it today or two years from now and get the same result
  • What CRA demands: SBOMs, OTA and more.

You'll find the episode embedded below, or on the episode home page.

Watch on YouTube

Watch on Spotify

Inside the Yocto Project’s E...
May 7 · Nerding Out With Viktor
50:37

Other news

If you have any questions, comments or just want to catch up - just reply to this email.

Many thanks,
Viktor

Social: Connect with me on Twitter, LinkedIn or Mastodon.
Podcast: Subscribe on YouTube, Spotify or Apple Podcasts.

Nerding Out with Viktor

This podcast and newsletter focus on clear conversations about technology, security, and modern software. Experts share insights on DevOps tips, open source projects, cybersecurity, and Europe's move toward its own cloud services. You will hear about continuous integration, airplane hacking, and new laws that affect the tech industry. Each show explores real problems and fresh solutions in the digital world. By subscribing, you will keep up with the latest trends in software, gain helpful advice from pros, and stay current in a fast-changing environment. We also talk about supply chain security, IoT, and the details of building strong systems. This blend of technical ideas with real-world viewpoints is a great resource if you want to grow your skills, learn about new technology, and connect with others who love all things tech.
