Message-ID: <95f2c79d-1dbc-4e52-0d89-d3babdae66c5@gotplt.org>
Date: Mon, 3 Oct 2022 09:26:57 -0400
Subject: Re: Sourceware / GNU Toolchain at Cauldron
To: Overseers mailing list, Carlos O'Donell
Cc: "Frank Ch. Eigler", Mark Wielaard
From: Siddhesh Poyarekar

On 2022-10-02 10:55, Frank Ch. Eigler via Overseers wrote:
> I don't quite see the "more opportunity". If someone wants to take
> out a particular source hosting site, they'll go after it, whether or
> not the target site is sharing resources with others.

The point is that targeting all of sourceware would be easy with shared
resources; compromising a single service leaves every other service on
the machine vulnerable. In fact we've seen this in action multiple
times in the past (although I doubt if they're actual exploit attempts,
just load issues) with sourceware where one bogged down service ends up
worsening experience for other services.

It's pretty much standard practice today to isolate services into
separate machines and/or containers depending on their criticality.

> We are fortunate to use fully decentralized source control systems,
> where full clones at developers - and at other services like github
> etc. - are routine, and permit work to continue. I'd be surprised to
> hear of any organization hoping to hurt free software development by
> DoS'ing the sites - it'd be a futile gesture.

At least for GNU toolchain we have never really blessed other clones.
The only blessed way to get sources is via sourceware.

Also a DoS is the least of our concerns. An unauthorized access could
potentially end up compromising the integrity of *all* data on the
system, which means multiple projects get affected in one fell swoop.

Sid