From: "Jason Pyeron" <jpyeron@pdinc.us>
To: cygwin@cygwin.com
Cc: "'Watson, Christian M. (GRC-V000)[Peerless Technologies Corp.]'", "'Pesich, Justin M. (GRC-LTF0)'"
Subject: [off topic] RE: [cygwin] Re: Country Of Origin Verification - 8944
Date: Wed, 17 Jun 2020 23:42:41 -0400
Organization: PD Inc
Message-ID: <18ca01d64522$85307b80$8f917280$@pdinc.us>
List-Id: General Cygwin discussions and problem reports

> -----Original Message-----
> From: Brian Inglis
> Sent: Wednesday, June 17, 2020 11:17 PM
>
> On 2020-06-11 11:19, Brian Inglis wrote:
> > On 2020-06-11 09:59, Watson, Christian M. (GRC-V000)[Peerless Technologies
> > Corp.] via Cygwin wrote:
> >> My name is Christian Watson and I am a Supply Chain Risk Management Coordinator at NASA Glenn
> >> Research Center. As such, I ensure that all NASA Headquarter IT purchase requests comply with Section
> >> 514 of the Consolidated Appropriations Act, 2018, Public Law 115-141 (amended), enacted February 28,
> >> 2018. To do so, the country of origin information must be obtained from the company that develops,
> >> produces, manufactures, or assembles the product(s). Specifically, identify the country where each of
> >> the following products were developed, manufactured, and assembled:
>
> Just checked the basis of what you are asking.
>
> Section 514 is about use of funds for acquisition:
> Cygwin is free software so these criteria *do not apply*!
Unless Cygwin and its packages are never to be used by business and government, these are legitimate concerns. Just because some of the users and volunteers do not care or understand does not mean it is not important.

Supply Chain Risk is a real issue. It has nothing to do with whether you paid for it or got it for free. In the case of the OP, they have a Law/Regulation/Policy to comply with, which states they cannot expend money (for labor to use and install software, to operate systems with software, to supply electricity to operate the software, to pay a human to download and install, etc.) unless all the parts have been evaluated.

Now, in the OP's case the "investigator" was not informed by their technical POC about "what Cygwin" is. They are evaluating it like they would evaluate Microsoft Office 2016 or Microsoft Windows XP. In those cases, the vendor has warrantied the product. This approach even scales to open source software provided by a "company", like Red Hat Enterprise Linux 7. Here the packages bundled with RHEL are curated, supported, and (hopefully) reviewed by the Red Hat company. This approach also works for single open source software projects (e.g. PuttyCAC).

But this approach cannot work for CentOS, Cygwin, and other collections of open source. Normally the easiest path is to

1. demonstrate that there is an active and responsive community for security issues (e.g. how often are updates made, is there a security announcement list)
2. show there is source code available to implement security fixes if community support is unavailable, or in the alternative obtain a support contract
3. (this is critical) enumerate EACH package to be authorized, typically with a justification for each.
4. "security scan" it.

With this a waiver is easily achieved. Cygwin, CentOS, etc. are used in sensitive environments, successfully.

In some cases we have had to go an extra mile and perform actual source code review.

I personally feel it would be worthwhile to assist users like this, and I am happy to do so. I have helped write US Government policy to help adopt the usage of open source more, but it is an uphill battle.

Respectfully,
Jason Pyeron
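Step 3 of the waiver path above ("enumerate EACH package to be authorized, typically with a justification for each") is the one that is easy to automate. The following POSIX shell snippet is an added example and is not part of Jason's post or of the Cygwin project: it turns the output of `cygcheck -c -d` into a name/version inventory and reports which installed packages have no entry in a justification file. The sample `cygcheck` output is constructed here, and the two-line header layout it assumes is an assumption about that command's output, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of the original post: build the per-package inventory
# that step 3 asks for from `cygcheck -c -d` output, then report which packages
# still lack a justification (the gaps that would hold up the waiver).
#
# Assumption: `cygcheck -c -d` prints a two-line header followed by
# "name version" rows, as in this constructed sample.
SAMPLE_CYGCHECK='Cygwin Package Information
Package              Version
_autorebase          001007-1
base-cygwin          3.8-1
bash                 4.4.12-3
openssl              1.1.1g-1'

# Read cygcheck output on stdin; print one "name<TAB>version" line per package.
inventory_from_cygcheck() {
    awk 'NR > 2 && NF >= 2 { printf "%s\t%s\n", $1, $2 }'
}

# Read an inventory on stdin and a justification file ($1, "name<TAB>reason"
# per line); print the names of inventoried packages that have no
# justification. An empty or missing file therefore lists every package.
missing_justification() {
    awk -F'\t' -v just="$1" '
        BEGIN {
            while ((getline line < just) > 0) {
                split(line, f, "\t")
                seen[f[1]] = 1
            }
            close(just)
        }
        !($1 in seen) { print $1 }'
}

# Demo on the constructed sample. On a Cygwin host, replace the printf with:
#   cygcheck -c -d | inventory_from_cygcheck
echo "== inventory (name, version) =="
printf '%s\n' "$SAMPLE_CYGCHECK" | inventory_from_cygcheck

# A constructed justification file covering only two of the four packages.
JUST=$(mktemp)
printf 'bash\tshell required by build scripts\nopenssl\tTLS libraries for curl\n' > "$JUST"
echo "== packages still needing a justification =="
printf '%s\n' "$SAMPLE_CYGCHECK" | inventory_from_cygcheck | missing_justification "$JUST"
rm -f "$JUST"
```

The inventory is tab-separated so it can be pasted straight into the package list a reviewer expects, and the second function gives the person writing the waiver a to-do list rather than a pass/fail verdict.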