From: Thomas Koenig
Date: Sun, 17 Jul 2022 10:55:06 +0200
Subject: Re: Inquiry: Country of Origin for gfortran
To: "Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP]", "fortran@gcc.gnu.org", gcc mailing list

Hi Cynthia,

> Hello, my name is Cynthia and I am a Supply Chain Risk Management
> Analyst at NASA. NASA is currently conducting a supply chain
> assessment of gfortran. As stated in Sections 208 and 514 of the
> Consolidated Appropriations Act, 2022, Public Law 117-103,
> enacted March 15, 2022, a required step of our process is to
> verify the Country of Origin (CoO) information for the
> product (i.e., the country where the products were developed,
> manufactured, and assembled.)

> As gfortran is open source, we understand that this inquiry is
> not directly applicable, as contributions may be made from
> individuals from around the world. In this case, NASA is
> interested in confirming the following information:

> 1. Is there an organization which sponsors/publishes the project, or
> a primary developer who audits the code for potential vulnerabilities,
> errors, or malicious code? Y/N

gfortran is not an independent project, it is part of the GNU
Compiler Collection, https://gcc.gnu.org/ . As such, any evaluation
you may already have made of gcc should also apply to gfortran,
and I am also addressing this mail to the gcc mailing list, where
it is more appropriate, especially since I personally am unclear
about the current relationship with the Free Software Foundation.

Regarding gfortran specifically: Code changes are reviewed by
the individuals listed in the file
https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=MAINTAINERS;hb=HEAD
(where you can search for Fortran).

> 2. Does gfortran have an overseeing organization or individual
> along these lines? Y/N

See my previous reply.

> 1. If so, please provide the name of the organization and country
> they are established in

> If the information above is unknown or cannot be provided, we
> request that you provide the country or list of countries where
> the majority of contributions originate from to satisfy Sections
> 208 and 514 of the Consolidated Appropriations Act, 2022, Public
> Law 117-103, enacted March 15, 2022.

Main contributions to gfortran, i.e. the Fortran front end to gcc
and its supporting library, came (in no particular order) from
the UK, the US, France, Finland, Germany, the Netherlands and the
Czech Republic. Up to 2006, there were also some contributors from
China.

Best regards

Thomas