From: Carlos O'Donell <carlos@redhat.com>
To: "Frank Ch. Eigler" <fche@elastic.org>,
Overseers mailing list <overseers@sourceware.org>
Cc: Mark Wielaard <mark@klomp.org>
Subject: Re: Sourceware / GNU Toolchain at Cauldron
Date: Fri, 30 Sep 2022 09:38:43 -0400 [thread overview]
Message-ID: <940b60c6-54fe-d4d2-22d1-d93dcf2aaf79@redhat.com> (raw)
In-Reply-To: <YzQsfNZALGqqk8pK@elastic.org>
On 9/28/22 07:14, Frank Ch. Eigler wrote:
> Hi -
>
>
>> - Defense in depth
>> - Multiple servers, each with distinct services.
>> - Multiple servers for one service where possible.
>
> Depends on the threat model. Which one are you concerned about?
Completely agree.
Consider an attacker simply looking to disrupt services (DoS, DDos) using another
service on the current system. The more services present on the system the more
the opportunity to do this kind of attack.
This isn't a full threat model, but they are prevalent enough that it is expected
risk decreases as the number of services on the system decreases. The cost to
manage goes up too, so there is a tradeoff that the projects using the service
must decide is acceptable.
>> - If governments want to use FOSS tools directly, do we need to
>> comply with security standards like a contractor would?
>> - Does NIST SP 800 53r5 apply to Sourceware.org?
>> [...]
>
> If we don't have evidence that it does, what is the purpose of bringing it up?
Two downstream users of our sources have cited NIST SP 800-53 as something they
had to comply with, and I want to dig more into two possible scenarios:
(a) Is there an expectation that upstream source control repositories need to meet this
regulation as well as the downstreams?
(b) If we met the regulation would it improve FOSS adoption and support downstream users?
With the new "infrastructure" bugs in bugzilla I filed this:
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
I noted that gitlab and github both have slightly different technical answers to this
question.
>> It is two proposals.
>>
>> A fiscal sponsor for infrastructure in the OpenSSF via the GNU
>> Toolchain Infrastructure project at the Linux Foundation.
>>
>> A proposal to use managed services with the Linux Foundation IT for
>> projects currently at sourceware.org.
>
> Are they separable?
They are, the fund is designed to support more than just managed services.
The details are posted here:
https://sourceware.org/pipermail/overseers/2022q3/018896.html
--
Cheers,
Carlos.
next prev parent reply other threads:[~2022-09-30 13:38 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-16 20:57 Zoë Kooyman
2022-09-16 21:10 ` Ian Kelling
2022-09-18 16:27 ` Mark Wielaard
2022-09-18 21:38 ` Mark Wielaard
2022-09-19 21:09 ` Mark Wielaard
2022-09-26 22:04 ` Carlos O'Donell
2022-09-27 1:31 ` Alexandre Oliva
2022-09-27 11:02 ` Mark Wielaard
2022-09-28 11:14 ` Frank Ch. Eigler
2022-09-30 13:38 ` Carlos O'Donell [this message]
2022-10-02 14:55 ` Frank Ch. Eigler
2022-10-03 13:26 ` Siddhesh Poyarekar
2022-10-03 13:53 ` Frank Ch. Eigler
2022-10-03 19:16 ` Mark Wielaard
2022-10-03 15:55 ` Christopher Faylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=940b60c6-54fe-d4d2-22d1-d93dcf2aaf79@redhat.com \
--to=carlos@redhat.com \
--cc=fche@elastic.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).