[off topic] RE: [cygwin] Re: Country Of Origin Verification - 8944

["Jason Pyeron" <jpyeron@pdinc.us>]

> -----Original Message-----
> From: Brian Inglis
> Sent: Wednesday, June 17, 2020 11:17 PM
> 
> On 2020-06-11 11:19, Brian Inglis wrote:
> > On 2020-06-11 09:59, Watson, Christian M. (GRC-V000)[Peerless Technologies
> > Corp.] via Cygwin wrote:
> >> My name is Christian Watson and I am a Supply Chain Risk Management Coordinator at NASA Glenn
> Research Center  As such, I ensure that all NASA Headquarter IT purchase requests comply with Section
> 514 of the Consolidated Appropriations Act, 2018, Public Law 115-141 (amended), enacted February 28,
> 2018.  To do so, the country of origin information must be obtained from the company that develops,
> produces, manufactures, or assembles the product(s).  Specifically, identify the country where each of
> the following products were developed, manufactured, and assembled:
> 
> Just checked the basis of what you are asking.
> 
> Section 514 is about use of funds for acquisition:
> Cygwin is free software so these criteria *do not apply*!

<rant>Unless Cygwin and its packages are never to be used by business and government, these are legitimate concerns. Just because some of the users and volunteers do not care or understand does not mean it is not important.</rant>

Supply Chain Risk is a real issue.

It has nothing to do with did you pay for it or get it for free. In the case of the OP they have a Law/Regulation/Policy to comply with - which states they cannot expend money (for labor to use and install software, to operate systems with software, to supply electricity to operate the software, to pay a human to download and install, etc) unless all the parts have been evaluated.

Now, in the OPs case the "investigator" was not informed by their technical POC about "what Cygwin" is. They are evaluating it like they would evaluate Microsoft Office 2016 or Microsoft Windows XP. In those cases, the vendor has warrantied the product. This approach even scales to open source software provided by a "company" like Red Hat Enterprise Linux 7. Here the packages bundled with RHEL are curated, supported, and (hopefully) reviewed by the Red Hat company. This approach also works for single open source software projects (e.g. PuttyCAC).

But this approach cannot work for Centos, Cygwin, and other collections of open source.

Normally the easiest path is to 

1. demonstrate that there is an active and responsive community to security issues (e.g. how often are updates made, is there a security announcement list)
2. there is source code available implement security fixes if community support is unavailable - or in the alternative obtain a support contract
3. (this is critical) enumerate EACH package to be authorized, typically with a justification for each.
4. "security scan" it.

With this a waiver is easily achieved. Cygwin, Centos, etc are used in sensitive environments, successfully.

In some cases we have had to go an extra mile, perform actual source code review.

I personally feel it would be worthwhile to assist users like this, and I am happy to do so. I have helped write US Government policy to help adopt the usage of open source more, but it is an up hill battle.

Respectfully,

Jason Pyeron