Date: Mon, 3 Oct 2022 09:53:17 -0400
From: "Frank Ch. Eigler"
To: Overseers mailing list
Cc: Carlos O'Donell, Siddhesh Poyarekar, Mark Wielaard
Subject: Re: Sourceware / GNU Toolchain at Cauldron
Message-ID: <20221003135317.GJ7916@redhat.com>

Hi -

> > We are fortunate to use fully decentralized source control systems,
> > where full clones at developers - and at other services like github
> > etc. - are routine, and permit work to continue. I'd be surprised to
> > hear of any organization hoping to hurt free software development by
> > DoS'ing the sites - it'd be a futile gesture.
>
> At least for GNU toolchain we have never really blessed other clones. The
> only blessed way to get sources is via sourceware.

This is easily corrected. Git mirrors at the FSF and other hosting
systems can be stood up, today, at the projects' individual discretion.

> Also a DoS is the least of our concerns.

(And yet it was the example brought up.)

> An unauthorized access could potentially end up compromising the
> integrity of *all* data on the system, which means multiple projects
> get affected in one fell swoop.

We've discussed -integrity- previously, via git's native resistance,
plus hypothetical per-project adoption of gpg signing & verification
of hosted source content. https://sourceware.org/PR29615

- FChE