From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 959FB3858D1E for ; Fri, 30 Sep 2022 13:38:47 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 959FB3858D1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1664545127; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ntUif1gxwip5q5f/SEQB7AtQg9mCm5RPHY8EKGaIjGA=; b=cseectliyVlG/9zrvQvlSnQHeLOYrjFaRcY6+ivlEb88I01F1GkXGCOmzvdsuQnVg0kNgq H+QlBYjowkmzMv4HM66vHjjjAlYohMqnEuz/CWqrLUY99EQvwmqIWABNEhBUzx7oxnf2X2 9YL1nX/x5xljrIyeODIFJFoCwSrwBYk= Received: from mail-il1-f197.google.com (mail-il1-f197.google.com [209.85.166.197]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-146-DL1gjXdFMSmWZ8WIsOn8Lw-1; Fri, 30 Sep 2022 09:38:46 -0400 X-MC-Unique: DL1gjXdFMSmWZ8WIsOn8Lw-1 Received: by mail-il1-f197.google.com with SMTP id i13-20020a056e02152d00b002f58aea654fso3476911ilu.20 for ; Fri, 30 Sep 2022 06:38:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date; bh=ntUif1gxwip5q5f/SEQB7AtQg9mCm5RPHY8EKGaIjGA=; b=l6z5iUXitSc3LJPRKEICW7lMSD/I/Pqu4UOSPTEoCtM5wa4X06Yn3MjyW23sPUMiA9 3s31cGdVrhmb6iO9N+7ekS1sG2TTjoTkQzWm9gzTL2/vFk25gErouDtRNsMaHvuflx0M 1IUMaboDQrK69zpA0qwSrL4dot99YWIOHxJvoMIrFL/dqCu8QvgGksVsrEHkGdk5xfTo c5Lz6VvCOQZW7d2GYlE0zHLcGOE6VXdx0h0CJtnjHPgFYduduMPRG9F+m74op7koxbys o4Ht6I87cx+xJ4w2r19ZjWKTwFI6HRvf9EU+2suOSMMTUJYsloSCqAI7YLu4Gefkmr0j LYmw== X-Gm-Message-State: ACrzQf0PGbkhd8GmWB3F51XO2Sg0jUG9lY2V2q+4MKKLxSIPms2y88hZ D8ZlDk6wHQa75VzvxfVc1duK583vw4tfsSaQ1eO0DGBEBAd6IYevbmMTfaGF6ekDA5N5YZ6UpVa aHt9f5YQ3AWerlsq7k5k= X-Received: by 2002:a05:6638:300b:b0:341:d28e:871 with SMTP id r11-20020a056638300b00b00341d28e0871mr4947558jak.140.1664545125331; Fri, 30 Sep 2022 06:38:45 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5ERxn224D3GA/Gbb/OCIqHzey0dtPnztY0B3tKqN6+JNi/oPVFxWH+eupSytt9Iv6/QVMkig== X-Received: by 2002:a05:6638:300b:b0:341:d28e:871 with SMTP id r11-20020a056638300b00b00341d28e0871mr4947549jak.140.1664545125093; Fri, 30 Sep 2022 06:38:45 -0700 (PDT) Received: from [192.168.0.241] (192-0-145-146.cpe.teksavvy.com. [192.0.145.146]) by smtp.gmail.com with ESMTPSA id w14-20020a0566022c0e00b006a4aee2e1aesm1111686iov.9.2022.09.30.06.38.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 30 Sep 2022 06:38:44 -0700 (PDT) Message-ID: <940b60c6-54fe-d4d2-22d1-d93dcf2aaf79@redhat.com> Date: Fri, 30 Sep 2022 09:38:43 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: Sourceware / GNU Toolchain at Cauldron To: "Frank Ch. Eigler" , Overseers mailing list Cc: Mark Wielaard References: <20220918162733.GB27812@gnu.wildebeest.org> <20220918213842.GC27812@gnu.wildebeest.org> <2db869b5-5724-18c0-e356-9e5df8f7cb4d@redhat.com> From: Carlos O'Donell Organization: Red Hat In-Reply-To: X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-7.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 9/28/22 07:14, Frank Ch. Eigler wrote: > Hi - > > >> - Defense in depth >> - Multiple servers, each with distinct services. >> - Multiple servers for one service where possible. > > Depends on the threat model. Which one are you concerned about? Completely agree. Consider an attacker simply looking to disrupt services (DoS, DDos) using another service on the current system. The more services present on the system the more the opportunity to do this kind of attack. This isn't a full threat model, but they are prevalent enough that it is expected risk decreases as the number of services on the system decreases. The cost to manage goes up too, so there is a tradeoff that the projects using the service must decide is acceptable. >> - If governments want to use FOSS tools directly, do we need to >> comply with security standards like a contractor would? >> - Does NIST SP 800 53r5 apply to Sourceware.org? >> [...] > > If we don't have evidence that it does, what is the purpose of bringing it up? Two downstream users of our sources have cited NIST SP 800-53 as something they had to comply with, and I want to dig more into two possible scenarios: (a) Is there an expectation that upstream source control repositories need to meet this regulation as well as the downstreams? (b) If we met the regulation would it improve FOSS adoption and support downstream users? With the new "infrastructure" bugs in bugzilla I filed this: https://sourceware.org/bugzilla/show_bug.cgi?id=29629 I noted that gitlab and github both have slightly different technical answers to this question. >> It is two proposals. >> >> A fiscal sponsor for infrastructure in the OpenSSF via the GNU >> Toolchain Infrastructure project at the Linux Foundation. >> >> A proposal to use managed services with the Linux Foundation IT for >> projects currently at sourceware.org. > > Are they separable? They are, the fund is designed to support more than just managed services. The details are posted here: https://sourceware.org/pipermail/overseers/2022q3/018896.html -- Cheers, Carlos.