Subject: Re: Moving sourceware to the Linux Foundation? No thanks.
From: Carlos O'Donell
Organization: Red Hat
To: Overseers mailing list
Cc: Mark Wielaard, Christopher Faylor
Date: Mon, 26 Sep 2022 18:21:38 -0400
Message-ID: <6dc88e78-1de6-7430-8fd6-a36997d69632@redhat.com>
References: <87ler4qcmo.fsf@gnu.org>

On 9/25/22 18:31, Mark Wielaard via Overseers wrote:
> Hi Chris,
>
> On Sun, Sep 18, 2022 at 03:42:38PM -0400, Christopher Faylor via Overseers wrote:
>> The LF proposal, on the other hand, is for a wholesale move of the
>> sourceware domain and services to a system wholly owned and controlled
>> by Linux Foundation IT.
>
> We talked a bit at the Cauldron about it and agreed to continue the
> conversation on this list. There is somewhat of an overview of the
> plan in this lwn article:
> https://lwn.net/SubscriberLink/908638/567de0001d86662c/
>
> I hope they will post the whole proposal to this list, but I think it
> really is a couple of separate proposals. Each proposal is connected
> to the LF or a subsidiary, which makes it sound like it is one big LF
> takeover. It was kind of presented as a package deal, but I think we
> can mix and match the separate proposals once we better understand the
> separate parts. Also, different parts seem to have the same or similar
> names, "GTI", which sometimes seems to stand for GNU Toolchain
> Initiative or GNU Toolchain Infrastructure. I'll try to explain as far
> as I understand it.

GTI stands for GNU Toolchain Infrastructure.

I agree that there is some mixing-and-matching that we can do, and that
we already do today to a certain degree.

> First there is a proposal from the LF/OpenSSF to provide money to help
> with solving certain cybersecurity requirements. Some of these seem to
> be related to actual infrastructure requirements, others seem to be
> related to project policies around using signed commits and patch
> attestation and following things like https://slsa.dev/

Correct; along with that, the OpenSSF has, as a technical vision, making
secure development practices the norm.

> It wasn't really clear which security issue was really an
> infrastructure issue. I tried to separate some concerns in this email:
> https://sourceware.org/pipermail/overseers/2022q3/018849.html

I've responded to your post there to discuss a few more points.

> The LF/OpenSSF has a ten point plan:
> https://openssf.org/oss-security-mobilization-plan/
>
> Some of which do seem interesting, but will need a lot of work to turn
> into concrete things we can do with the infrastructure and policies to
> adapt for the projects.
>
> I think for concrete infrastructure related ideas the Conservancy
> could accept the money and we can decide how to use it to implement
> them.
>
> Secondly, they would like to set up a fund at the Linux Foundation which
> would collect money from sponsors. This is (also) called GTI. These
> sponsors then decide how to spend their money to best help the GNU
> Toolchain (which seems to extend to all Sourceware projects).
>
> This LF/GTI would then hire the LF/IT to provide some managed services
> for some sourceware projects.
>
> Another idea was to use the fund to set up a BBB server. It wasn't
> clear whether the LF/IT would then also be asked to set that up.
>
> Finally, they would set up an advisory board, which advises the LF/IT
> how to run the managed services and which would also have one seat on
> the LF/GTI for spending money on other initiatives.
>
> It isn't completely clear yet how all this mixes-and-matches with
> Sourceware being a Conservancy member project. But I think we should
> be able to figure out how to combine the best parts of the community
> driven approach with the corporate sponsor approach once more details
> become clear.

Two proposals.

The first is that we would seek fiscal sponsorship from the OpenSSF at
the Linux Foundation because they are specifically looking to solve
secure supply chain issues and many of us would like to see that
improved for the core GNU Toolchain and other projects. This involves
setting up a project, the GNU Toolchain Infrastructure project, and
discussing with sponsors to support the project. There is a structure
to GTI which we can discuss in another thread (board, TAC, community,
etc.).

The second is that we would migrate to managed services at the Linux
Foundation IT. I've highlighted in the other thread why I think this is
the best technical choice, but I'll copy it here:

~~~
Technically speaking, I think the Linux Foundation IT, with their
existing work with public-inbox (ahead of its time), b4, patatt, and
more, means they are globally the best positioned to keep solving these
problems and supporting the development of these FOSS tools for the
linux kernel and others. Even more so for a distributed development
model that we use for the GNU Toolchain.
~~~

>> If you're satisfied in the way sourceware has been run and are confident
>> that the people running it know what they're doing, and have your best
>> interests at heart, then please speak up. If you don't really know
>> what's going on here and don't want to take my word for it that
>> something smells fishy then *please* listen carefully to the proposal
>> if/when this is finally publicly announced. I would not be surprised if
>> alarms start going off in your head when you hear what's being proposed
>> - like they did for me.
>>
>> For those who don't know, I've been helping keep sourceware running
>> since I was at Cygnus (and then Red Hat) starting in 1999. I've
>> continued to offer my volunteer services since I left Red Hat in 2003.
>
> I am really sorry your huge influence on Sourceware wasn't more
> prominently mentioned during the BoF.

I also really appreciate Chris' efforts and support. Thank you again, Chris.

-- 
Cheers,
Carlos.