From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dje.gcc@gmail.com>
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com
 [IPv6:2607:f8b0:4864:20::531])
 by sourceware.org (Postfix) with ESMTPS id 5F28E3858C53;
 Sun, 17 Jul 2022 16:05:10 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 5F28E3858C53
Received: by mail-pg1-x531.google.com with SMTP id o18so8614694pgu.9;
 Sun, 17 Jul 2022 09:05:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=tdnRJNovZGf1zKiYdGcubMF5pdSomizKgNJ9fMZKsYc=;
 b=0Up14sFueZaGVVKEXqJxCpmrcYqUBsYQWjZfilBjlhhP1MnE83ftufFWSUUo409+Bs
 zdYIFcRoQUwSZAlzyUAHYgNRtaAoSvQey1Y1qNzeUDEKWk5h6fl/JGPZC7mbeRJ5lYwi
 4IAkAJB8dvuorf7sMfukwtXZoSsNWI0lVDfJipD69+PD+VQ1JHsco82nv831PTRDPVDa
 35Jdjz2ddvDPA80KpqOHgukcnofJa1t15V1l65mV8GDvl8GXb1X703GPoysT8sv169yM
 nmNlLwoJrF0qZBdKY2/S0bO/goWytKI1bKOxNizS1QWW3g+wyrrCODCsEAV4RSn3KZ08
 nMsw==
X-Gm-Message-State: AJIora+CnV7SYxle7SCxlxeTkr6djTHMw4uXded1VTWFipc0xZisbkz2
 PWz7ZBkEJoVVoTN8R2CYzUfrdy0bSdyp6oqe9dk=
X-Google-Smtp-Source: AGRyM1vcep4vJi2JTvwu9dK2FnodbAsPMwuk5hw/xGW2kmsO1dikYGslpXXjfr0GaqhvxOHv+/Z4BNVhjcrvSUIgSmQ=
X-Received: by 2002:a63:4711:0:b0:415:ff46:ba5 with SMTP id
 u17-20020a634711000000b00415ff460ba5mr21448304pga.133.1658073908932; Sun, 17
 Jul 2022 09:05:08 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR09MB8537FABCA9ECD14246013F45D58B9@PH0PR09MB8537.namprd09.prod.outlook.com>
 <a72955e2-7ff2-a3ad-d6e8-20d933a2b789@netcologne.de>
In-Reply-To: <a72955e2-7ff2-a3ad-d6e8-20d933a2b789@netcologne.de>
From: David Edelsohn <dje.gcc@gmail.com>
Date: Sun, 17 Jul 2022 12:04:52 -0400
Message-ID: <CAGWvnynXNsyf3CDonSEA=zO_1aOzWsmiANUEk1W5weTrQ=FvKg@mail.gmail.com>
Subject: Re: Inquiry: Country of Origin for gfortran
To: Thomas Koenig <tkoenig@netcologne.de>, 
 "Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP]" <cynthia.x.zhang@nasa.gov>
Cc: "fortran@gcc.gnu.org" <fortran@gcc.gnu.org>,
 gcc mailing list <gcc@gcc.gnu.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_40, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, KAM_SHORT,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: gcc@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc mailing list <gcc.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc>,
 <mailto:gcc-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc/>
List-Post: <mailto:gcc@gcc.gnu.org>
List-Help: <mailto:gcc-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc>,
 <mailto:gcc-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2022 16:05:12 -0000

Should this question be posed to the Linux distribution that NASA is using?

Thanks, David

On Sun, Jul 17, 2022 at 4:56 AM Thomas Koenig via Gcc <gcc@gcc.gnu.org> wro=
te:
>
> Hi Cynthia,
>
>  > Hello, my name is=E2=80=AFCynthia=E2=80=AFand I am a Supply Chain Risk=
 Management
>  > Analyst at NASA. NASA is currently conducting a supply chain
>  > assessment of gfortran. As stated in Sections 208 and 514 of the
>  > Consolidated Appropriations Act, 2022, Public Law 117-103,
>  > enacted March 15, 2022, a required step of our process is to
>  > verify the Country of Origin (CoO) information for the
>  > product (i.e., the country where the products were developed,
>  > manufactured, and assembled.)
>
>  > As gfortran is open source, we understand that this inquiry is
>  > not directly applicable, as contributions may be made from
>  > individuals from around the world. In this case, NASA is
>  > interested in confirming the following information:
>
>  > 1.  Is there an organization which sponsors/publishes the project, or
>  > a primary developer who audits the code for potential
> vulnerabilities, > errors, or malicious code? Y/N
>
> gfortran is not an independent project, it is part of the Gnu Compiler
> Collection, https://gcc.gnu.org/ .  As such, any evaluation you
> may already have made of gcc also should also apply to gfortran,
> and I am also addressing this mail to the gcc mailing list, where
> it is more appropriate, especially since I personally am unclear
> about the current relationship with the Free Software Foundation.
>
> Regarding gfortran specifically:  Code changes are reviewed by
> the individuals listed in the file
>
> https://gcc.gnu.org/git/?p=3Dgcc.git;a=3Dblob_plain;f=3DMAINTAINERS;hb=3D=
HEAD
>
> (where you can search for Fortran).
>
>  > 2.  Does gfortran have an overseeing organization or individual
>  >   along these lines? Y/N
>
> See my previous reply.
>
>  > 1.  If so, please provide the name of the organization and country
>  >     they are established in
>
>  > If the information above is unknown or cannot be provided, we
>  > request that you provide the country or list of countries where
>  > the majority of contributions originate from to satisfy Sections
>  > 208 and 514 of the Consolidated Appropriations Act, 2022, Public
>  > Law 117-103, enacted March 15, 2022.
>
> Main contributions to gfortran, i.e. the Fortran front end to gcc and
> its supporting library, came (in no particular order) from the UK, the
> US, France, Finland, Germany, the Netherlands and the Czech Republic.
> Up to 2006, there were also some contributors from China.
>
> Best regards
>
> Thomas
>