From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dog.birch.relay.mailchannels.net (dog.birch.relay.mailchannels.net [23.83.209.48]) by sourceware.org (Postfix) with ESMTPS id A51973858D39; Sun, 23 Oct 2022 16:17:41 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A51973858D39 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 5FC2F26159E; Sun, 23 Oct 2022 16:17:40 +0000 (UTC) Received: from pdx1-sub0-mail-a304 (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 48ED9261583; Sun, 23 Oct 2022 16:17:39 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1666541859; a=rsa-sha256; cv=none; b=kCVPqLZDyF57VyaxFDXwDiADbYhNhIEd4QBIm4ihoP4/Ds5tY+ZlGOFKgCrSPiqTtjC2vl mRIYKIuzvARwZUbNE7mC1Sn3dHgNyKHBDgz2uR7cDHeyb4vsGv7qgry/ftOEwYCGVYLLhB 71bVNMBI8lZGkskw4r0+t3Jj9X2zmJCSSXfdZZTdOlpN1ACYrc5nTY9eKjDNBx0r/m5nXk RxRtEkYDMKES3dGXsHJfqw1lSwl1TOt0RJOTWCADhRrQKLvXpMK+C5Kn0M2cdaWrIS+Twm BfqLbdJpHJddFXArLKchuQN2KYdW6qvKf0vqxy+kp8QLUWEb6nMnjoAg+lTpxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1666541859; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=/I476opyt+gZK+PIyKCRRVuys05KeMTF+VCV4m74398=; b=p/P3kt6rOYUm0RVGkstuDxYoTTth0CbwQilOTb3mXCRF9EY2paIubr9OU1OKJ7sKiAKNo1 auyHZ5/+sHY2g2eS/DU/kVv0k8VuY9xEEVFTDdbFSs6LZRMGFEfWSO2DNRvCWXOOIfylI7 iGmCmPq4dNDuCXivTIivHQdt30fYTb99cV/IgBibb2+10LaE0J6tI0uUfOU6WNe66lIO8p rX4Q8O9hV3nH3pbNf8grlA8yfLT2nqgBhzjfc6btrPrd7S/qfr56E9Yk6dCIFMiSzfFN+s I99tR6MIijdwrKTGFJhVaEOmc6jke893wbMKuk26DGYsgTVIexW+qzKbBq8n1A== ARC-Authentication-Results: i=1; rspamd-7fb88f4dd5-crcnf; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Skirt-Trade: 7359fced5d86a039_1666541859592_1255092166 X-MC-Loop-Signature: 1666541859592:4110716374 X-MC-Ingress-Time: 1666541859592 Received: from pdx1-sub0-mail-a304 (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.122.72.98 (trex/6.7.1); Sun, 23 Oct 2022 16:17:39 +0000 Received: from [192.168.0.182] (bras-vprn-toroon4834w-lp130-05-174-93-41-34.dsl.bell.ca [174.93.41.34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a304 (Postfix) with ESMTPSA id 4MwNdt1K3CzPZ; Sun, 23 Oct 2022 09:17:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org; s=dreamhost; t=1666541858; bh=/I476opyt+gZK+PIyKCRRVuys05KeMTF+VCV4m74398=; h=Date:Subject:To:Cc:From:Content-Type:Content-Transfer-Encoding; b=vJmTTSgNieoDP9JlltRcIlcNUruRVolLHU7nH13WEWYpS3rvBMLt33NdnBCd+TPnw lcvPIqDdndBQPrf5WY5gSsePogmgwTrEmvcs8+aRyL+zGhotMMH/c5nmN4Hgj+z59A 8kACmnUFy2vlK0HR3sezwI4RQP17wBVIPvl/0tPQKFp/JBSU0C3XsnVqL7NU16PmqH NYxr24X/DIhKpL9lKuD5XMoA9q9quc98sx5AU0XpYMG4C3VLEDL6GVy0uNhpRSIrg5 70NOyb2aYF0kIfMjzzfJGRinjbCJgrJXA3xn7mObJ2o4no1xS7Smw07FML5XtFf0x9 S16BkMRc7hWWg== Message-ID: <58918ca9-70dd-8724-82e0-684350e2207e@gotplt.org> Date: Sun, 23 Oct 2022 12:17:36 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0 Subject: Re: Toolchain Infrastructure project statement of support Content-Language: en-US To: Ian Kelling , Overseers mailing list Cc: gdb@sourceware.org, Mark Wielaard , libc-alpha@sourceware.org, binutils@sourceware.org, gcc@gcc.gnu.org, Konstantin Ryabitsev References: <2513b668-9ebd-9e78-7263-dc24f4a9558a@redhat.com> <20221013182529.sm76fysq37sv754x@cgf.cx> <9c0a9111-07b1-3617-c5c8-4b12e616f985@gotplt.org> <874jvufrqy.fsf@fsf.org> From: Siddhesh Poyarekar In-Reply-To: <874jvufrqy.fsf@fsf.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3030.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2022-10-23 07:33, Ian Kelling wrote: > Siddhesh Poyarekar via Overseers writes: > >> I personally do not think the current sourceware infrastructure, even >> with the roadmap it promises is a viable alternative to what LF IT can >> provide. There is a significant resource gap (e.g. > .... >> established security and administration practices, > ... >> that we seem to disagree about. > > > Let's consider some "established security and administration practices" > > curl -v http://vger.kernel.org | head > ... > < Server: Apache/2.0.52 (Red Hat) > < X-Powered-By: PHP/4.3.9 > > This is RHEL 3, released in 2003, according to > https://people.redhat.com/crunge/RHEL3-package-lists.pdf, > > The final end of support for this distro was on 2014-01-30. > > There are CVE's for that version of Apache. I assume their apache is not > running in a configuration that makes them actually exploitable, but it > is still better security practice upgrade. > > The kernel is likely from RHEL 3 too. I'm reminded of Greg KH beating the > drum that old kernels need upgrades for security, especially because the > kernel devs don't always check if a bug is a security issue and > especially not for really old kernels ( > https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/ > ) > > Notice that link is http because https is not supported by the apache > from 2003. Linux kernel development works through patches on mailing > lists, and how do you find the patches if you aren't already subscribed > to a list? You'd naturally go to the lists main webpage, > http://vger.kernel.org, and click "LIST INFO", > http://vger.kernel.org/vger-lists.html, and then click one of the list > archive links, or maybe the subscribe link. So, those vger.kerne.org > pages are an essential part of retrieving upstream kernel patches and > security information for some people. And being http only, my isp or > anyone in my network path could alter them to be malicious urls that > that appear to give the correct result, but actually give malicious > kernel patches, or hides away a security relevant patch. Obviously, > https for security sensitive pages like these is a basic 101 security > practice in 2022. +Konstantin from LF IT since he's better equipped to speak to this, although ISTM that they started migrating off vger last year[1]. Sid [1] https://www.kernel.org/lists-linux-dev.html Sid