From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from cgf.cx (external.cgf.cx [107.170.62.102]) by sourceware.org (Postfix) with ESMTPS id 8D6EC3858C62 for ; Mon, 26 Sep 2022 17:05:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 8D6EC3858C62 Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=sourceware.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=cgf.cx X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 cgf.cx F0D16E45CC X-Spam-Level: X-Spam-CGF-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,TXREP autolearn=ham autolearn_force=no version=3.4.6 spammy=Tokens not available. Date: Mon, 26 Sep 2022 13:05:10 -0400 From: Christopher Faylor To: overseers@sourceware.org Subject: Re: Moving sourceware to the Linux Foundation? No thanks. Message-ID: <20220926170510.g6byftdaown4fnta@cgf.cx> Mail-Followup-To: overseers@sourceware.org References: <87ler4qcmo.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-100.3 required=5.0 tests=BAYES_05,HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,SPF_HELO_PASS,SPF_PASS,TXREP,USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no version=3.4.6 List-Id: On Mon, Sep 26, 2022 at 07:07:20AM -0700, Ian Lance Taylor wrote: >I see two important points that ought to be discussed on this topic. > >The first is succession planning. Sourceware is essentially a community >project with a relatively small number of people keeping it going. It >needs trusted and capable people to step it to continue to maintain it. >Where are those people going to come from? We shouldn't simply hope >that it will keep carrying on as before. The "GTI" debacle has shown fche, mjw, and me that there needs to be some way to formalize the management of sourceware. I think that the SFC proposal helps with that since we will need some sort of official governing board when we move forward. Those people should be a hedge against the hit-by-a-bus problem. Personally, I feel more comfortable with a group of formalized volunteers who will presumably listen to input than with a corporate entity which dictates what (sometimes non-free) software *must* be used to adhere to their corporate guidelines. "You want a mailing list? Sure! That will be $157. We'll have it for you in about six weeks and it *will* be groups.io." >The second, mentioned in Mark's e-mail, is security. I hope that we can >all agree that there are highly intelligent, highly motivated people >seeking to break security on GNU/Linux and other free operating systems. >Years ago Ken Thompson laid out the roadmap for attacking an operating >system via the compiler and other code generation tools. These days >these are known as supply chain attacks. I think that the free software >community should reasonably insist that sourceware be defended against >these kinds of attacks with mechanisms for prevention and detection and >restoration. This is a hard job. It's a hard job but I think it is only partly sourceware's job. We can provide the tools and guidance, but it has got to be up to the projects (gcc, glibc, cygwin) to implement the protocols which enhance security. One thing we've talked about is hiring someone to do a security audit once sourceware has some funding. cgf