From: Ian Kelling <iank@fsf.org>
To: Overseers mailing list <overseers@sourceware.org>
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>,
gdb@sourceware.org, Mark Wielaard <mark@klomp.org>,
libc-alpha@sourceware.org, binutils@sourceware.org,
gcc@gcc.gnu.org
Subject: Re: Toolchain Infrastructure project statement of support
Date: Sun, 23 Oct 2022 07:33:06 -0400 [thread overview]
Message-ID: <874jvufrqy.fsf@fsf.org> (raw)
In-Reply-To: <9c0a9111-07b1-3617-c5c8-4b12e616f985@gotplt.org>
Siddhesh Poyarekar via Overseers <overseers@sourceware.org> writes:
> I personally do not think the current sourceware infrastructure, even
> with the roadmap it promises is a viable alternative to what LF IT can
> provide. There is a significant resource gap (e.g.
....
> established security and administration practices,
...
> that we seem to disagree about.
Let's consider some "established security and administration practices"
curl -v http://vger.kernel.org | head
...
< Server: Apache/2.0.52 (Red Hat)
< X-Powered-By: PHP/4.3.9
This is RHEL 3, released in 2003, according to
https://people.redhat.com/crunge/RHEL3-package-lists.pdf,
The final end of support for this distro was on 2014-01-30.
There are CVE's for that version of Apache. I assume their apache is not
running in a configuration that makes them actually exploitable, but it
is still better security practice upgrade.
The kernel is likely from RHEL 3 too. I'm reminded of Greg KH beating the
drum that old kernels need upgrades for security, especially because the
kernel devs don't always check if a bug is a security issue and
especially not for really old kernels (
https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/
)
Notice that link is http because https is not supported by the apache
from 2003. Linux kernel development works through patches on mailing
lists, and how do you find the patches if you aren't already subscribed
to a list? You'd naturally go to the lists main webpage,
http://vger.kernel.org, and click "LIST INFO",
http://vger.kernel.org/vger-lists.html, and then click one of the list
archive links, or maybe the subscribe link. So, those vger.kerne.org
pages are an essential part of retrieving upstream kernel patches and
security information for some people. And being http only, my isp or
anyone in my network path could alter them to be malicious urls that
that appear to give the correct result, but actually give malicious
kernel patches, or hides away a security relevant patch. Obviously,
https for security sensitive pages like these is a basic 101 security
practice in 2022.
You might think when kernel.org had a major compromise in 2011, 11 years
later, they would have managed this basic upgrade. The fact is that the
Linux Foundation struggles with getting stuff to current versions and
following good security practices like everyone else does. This
narrative that there is a huge resource gap in security practices
between LF and sourceware is not true, and I don't think the kernel.org
IT team would claim that either. They certainly made no such claims in
their slide deck about the GTI proposal.
If LF IT were to get involved in services for GNU toolchain packages, it
should be more of a collaboration with sourceware instead of taking over
what sourceware is doing.
Competent sysadmin volunteers are rare and valuable to GNU. They help
build community, they help GNU stay independent, and they help GNU
practice what it preaches.
--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
next prev parent reply other threads:[~2022-10-23 16:07 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-12 16:43 Carlos O'Donell
2022-10-12 18:13 ` Andrew Pinski
2022-10-13 18:25 ` Christopher Faylor
2022-10-14 12:33 ` Siddhesh Poyarekar
2022-10-17 15:10 ` Mark Wielaard
2022-10-17 16:11 ` Siddhesh Poyarekar
2022-10-18 9:50 ` Mark Wielaard
2022-10-18 15:17 ` Siddhesh Poyarekar
2022-10-18 16:42 ` Christopher Faylor
2022-10-18 18:13 ` Siddhesh Poyarekar
2022-10-18 18:14 ` Siddhesh Poyarekar
2022-10-18 18:47 ` Paul Smith
2022-10-21 0:33 ` Alexandre Oliva
2022-10-23 8:59 ` Ian Kelling
2022-10-23 13:27 ` Siddhesh Poyarekar
2022-10-23 15:16 ` Frank Ch. Eigler
2022-10-23 16:07 ` Siddhesh Poyarekar
2022-10-23 16:32 ` Siddhesh Poyarekar
2022-10-23 17:01 ` Jeff Law
2022-10-23 22:35 ` Christopher Faylor
2022-10-23 17:09 ` Frank Ch. Eigler
2022-10-23 17:38 ` Jeff Law
2022-10-24 1:51 ` Siddhesh Poyarekar
2022-10-24 12:40 ` Corinna Vinschen
2022-10-23 20:57 ` Christopher Faylor
2022-10-23 21:17 ` Siddhesh Poyarekar
2022-10-23 21:59 ` Christopher Faylor
2022-10-24 1:29 ` Siddhesh Poyarekar
2022-10-23 11:33 ` Ian Kelling [this message]
2022-10-23 16:17 ` Siddhesh Poyarekar
2022-10-23 18:56 ` Konstantin Ryabitsev
2022-10-23 21:19 ` Alexandre Oliva
2022-10-23 22:07 ` Christopher Faylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jvufrqy.fsf@fsf.org \
--to=iank@fsf.org \
--cc=binutils@sourceware.org \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).