From: Carlos O'Donell (Red Hat)
Date: Mon, 26 Sep 2022 18:04:03 -0400
Subject: Re: Sourceware / GNU Toolchain at Cauldron
To: Overseers mailing list
Cc: Mark Wielaard
Message-ID: <2db869b5-5724-18c0-e356-9e5df8f7cb4d@redhat.com>
In-Reply-To: <20220918213842.GC27812@gnu.wildebeest.org>

On 9/18/22 17:38, Mark Wielaard via Overseers wrote:
> - There were several different kinds of "security concerns" which would
>   be good to untangle:
>
>   - There is the concern of the security of the sourceware server
>     itself. We discussed that in one of the public chats with the SFC
>     and the recommendation was to see if we could maybe hire a
>     penetration testing firm to see if we missed anything.

Discussed in the BoF were a few additional items:

- Defense in depth
  - Multiple servers, each with distinct services.
  - Multiple servers for one service where possible.
- If governments want to use FOSS tools directly, do we need to comply
  with security standards like a contractor would?
  - Does NIST SP 800-53r5 apply to Sourceware.org?
  - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

> - There is the "hardening" concern of separating unix user accounts
>   for separate services like running git hooks. This is one of the
>   things that the buildbot service offers. We could also adopt
>   something like gitolite.

... and run them on a distinct machine (which requires machine
resources, and admin time, etc).

Adopting gitolite is also a great step in the direction of not having
real accounts for users of a service.

> - There is the secure software supply chain idea. This is one of the
>   things I wanted to discuss now that we have services like
>   public-inbox and tools like b4 for patch attestation. Sourceware
>   offers the services for that, but it really is a policy question
>   for the guest projects whether they use that (and for example
>   whether to use signed git commits).

I agree these are going to be policy questions for each project to discuss.
Though the proposal to use managed services with the LF IT would align
us with exactly the groups doing public-inbox, b4, patatt, and other
work for the Kernel. We would be leveraging everything they've been
doing, which we could also do, but the proposal is about having them
support us instead.

> - Although it is true that there is a GNU Toolchain with the FSF as
>   fiscal sponsor and that the separate GNU projects work together
>   using that name, it wasn't clear to me when in this discussion we
>   were talking about the gdb, binutils, glibc and gcc projects
>   collectively. From other discussions during Cauldron it was very
>   clear that although each project is hosted on sourceware and using
>   some of the same services, each one has its own policies which make
>   sense for their separate communities.

Correct. The core GNU Toolchain projects in this case are gcc,
binutils, glibc and gdb. We work to try and support each other as the
"GNU Toolchain." We adopt best practices from each other, attend BoFs
together, and discuss solutions to common problems using FOSS tooling
that we could all adopt.

> - I wasn't really sure what to make of this LF/GTI proposal. It seemed
>   to conflate separate concerns that we were explicitly trying to
>   avoid with our Sourceware as Conservancy member proposal. It seemed
>   to mix explicit fundraising with advocating for a certain "managed
>   services at the LF/IT" technical proposal for using those funds. And
>   setting up yet another fiscal sponsor?

It is two proposals.

- A fiscal sponsor for infrastructure in the OpenSSF via the GNU
  Toolchain Infrastructure project at the Linux Foundation.

- A proposal to use managed services with the Linux Foundation IT for
  projects currently at sourceware.org.
Technically speaking, I think the Linux Foundation IT, with their
existing work with public-inbox (ahead of its time), b4, patatt, and
more, means they are globally the best positioned to keep solving these
problems and supporting the development of these FOSS tools for the
linux kernel and others. Even more so for a distributed development
model that we use for the GNU Toolchain.

-- 
Cheers,
Carlos.