From: Andrew Pinski
Date: Thu, 29 Sep 2022 14:13:29 -0700
Subject: Re: The GNU Toolchain Infrastructure Project
To: Overseers mailing list
Cc: "Carlos O'Donell"

I think the way the whole GTI was revealed to the world is a loss of trust from

On Tue, Sep 27, 2022 at 12:59 PM Carlos O'Donell via Overseers wrote:
>
> The GNU Toolchain is a critical foundation of trust for the GNU/Linux ecosystem
> and the demands on its infrastructure, services, and security requirements have
> grown over time. The trend of increasing complexity to support its development
> and associated financial demands will not abate. Different projects have
> different risk tolerances and the GNU Toolchain must meet more stringent
> expectations to maintain the trust of the ecosystem. It is with this context in
> mind that the following proposal has been developed.
>
> During the Sourceware / Infrastructure BoF sessions at GNU Cauldron, the GNU
> Toolchain community in collaboration with the Linux Foundation and OpenSSF,
> announced the GNU Toolchain Infrastructure project (GTI).

The way this announcement was handled was bogus and loses the trust of
many smaller/independent developers.
It makes many folks feel like this was done in a hostile way, and even
more, are LF and OpenSSF the correct groups to collaborate with here? I
feel like LF and OpenSSF are actually not the right folks to get involved
with sourceware, and even more so with the compiler. LF is very much
Linux-centric, while the GNU Toolchain and other projects on sourceware
are not related to Linux at all, and even more, there are many embedded
developers who would rather not even be associated with Linux. GitHub
sits on the board of OpenSSF, which seems to run counter to what GTI is
trying to do. I also get the feeling there are too many corporations
trying to push the way forward with this proposal rather than a true
open source community.

> The collaboration
> includes a fund for infrastructure and software supply chain security, which
> will allow us to utilize the respected Linux Foundation IT (LF IT) services
> that host kernel.org and to fund other important projects.

> The key
> stakeholders of the GNU Toolchain community have been proactively briefed and

No, they were not, and I have a problem with the word "key" here because
I was not briefed at all. I get the feeling what you define as key is not
the same as what I do.

> included in community conversations during the process of developing this
> proposal with incorporation of their feedback. The key stakeholders consulted
> include GNU Toolchain project leadership, GNU Toolchain project release
> managers, GNU Toolchain project core developers, major vendors, active
> Sourceware / Overseers administrators, and both John Sullivan and Zoë Kooyman
> of the Free Software Foundation.

When I see people say "major vendors" in this list, I get the vibe that
this is a corporate takeover, pushing out the community and small
developers in general. Rather than having open discussions about this,
everything was done in private.
>
> The GNU Toolchain Infrastructure project includes a Governing Board and a
> Technical Advisory Council[1]. The Governing Board is composed of
> representatives of the major donors and a representative from the GTI Technical
> Advisory Council.

I think the governing board should NOT have major donors on it at all.
That is bad; it is just a way to buy a seat to shut down other
conversations. That is very anti-democratic and very much against
open/free source ideals. This has been a huge problem in politics in
general, so why extend it to open source? Also, what is the definition of
major donors, since it is not given here? Is it 1% of the total donated,
or is it 10k USD donated?

> The board will have fiscal accountability for spending, as
> other, similar foundations are organized. The Technical Advisory Council will
> provide technical guidance and recommendations, and set the technical direction
> for the infrastructure project, in consultation with the GNU Toolchain
> community. All meetings of the Governing Board and the Technical Advisory
> Council are open to non-member observers. GTI welcomes all donors whose vision
> for GTI aligns with the GNU Toolchain and its role in the Free Software
> ecosystem. The leadership and governance of the GNU Toolchain projects are not
> affected by the creation of GTI.

But both projects have a relationship and even overlap in governance.
How that overlap and relationship will work is not even described.

>
> The Linux Foundation IT services have a long and respected history of hosting
> kernel.org for the Linux community with a robust set of infrastructure. The
> GNU Toolchain serves a similar, critical role and has similar requirements to
> ensure its resiliency. The Linux Foundation IT team has the experience and
> infrastructure to efficiently provide those services, and the Linux Foundation
> has graciously offered its assistance.
>
> Linux Foundation IT services plans for the GNU Toolchain include Git
> repositories, mailing lists, issue tracking, web sites, and CI/CD, implemented
> with strong authentication, attestation, and security posture.

I don't doubt LF's technical experience. I am just thinking back to the
hack of kernel.org back in 2011 and how it was the IT folks who got
hacked rather than the developers.... I wonder if LF and kernel.org
learned their lessons from that hack.

> Utilizing the
> experience and infrastructure of the LF IT team that is already used by the
> Linux kernel community will provide the most effective solution and best
> experience for the GNU Toolchain developer community. By utilizing the same
> infrastructure, the resources of donors who support Free Software can be
> targeted at projects that provide unique value to the Free Software community.

The problem with LF is that it is controlled more by the corporations
who make the donations than by the community. The governance of LF is
still driven by donation controls rather than by folks on the ground.

> The GNU Toolchain projects are currently hosted on sourceware.org, funded and
> maintained by Red Hat, for which we are grateful.

Actually, it is not maintained by RH at all. This is really a wrong
description of sourceware. In fact, this is a huge disservice to the
folks who have been maintaining sourceware. Most have not been Red Hat
employees for years now.

> Sourceware.org includes the
> core GNU Toolchain projects (GCC, GLIBC, GDB, and Binutils) as well as many
> other active and inactive projects. The other projects hosted on
> sourceware.org are welcome to join the proposed services at LF IT, in whole or
> in part as would best suit their needs
>
> As with kernel.org, GTI has requested from the Linux Foundation IT that all
> software implementing the infrastructure for the GNU Toolchain projects must be
> Free Software.
> If Free Software versions of necessary security tools are
> missing, GTI will work with Free Software supporters to develop Free Software
> alternatives.
>
> If ever the GNU Toolchain leadership determines that GTI and LF IT are not the
> appropriate partners for the project, the Linux Foundation has agreed that the
> GNU Toolchain is free to seek alternative financial support and/or
> infrastructure services, taking all assets with it.

"If ever" seems too vague here, and plus it seems like this was planned
without being in the open. And it gives off the feeling of "this is my
project and I want to control it only."

There are a few other issues I want to raise about infrastructure
projects going forward here:

* supply chain security
** This seems to push out the small developers and even developers who
   don't want to do public key signing (I am included here).
** I get where corporations want to do this because they can track where
   things come from. But this is very much against open/free source
   ideals and very much anti-small-developer.
* bug tracking
** as I mentioned in my other email, bugzilla right now is the best and
   only bug tracking system which satisfies the issue tracking for GCC
   because of the fields/metadata
** Providing funding to folks working on (and releasing) bugzilla might
   be a good resource for donations to go towards
* automated builds
** I see the sourceware folks have been getting a good automated build
   system up and running
* Dejagnu improvements
** This would be another area where funding could go into and is very
   much lacking
** There have been some efforts in years past to improve there but
   things have stalled or just died.
* Patch management
** this has always been a hot topic but many of the patch management
   tools don't work with email systems
** Many new ones don't even touch emails and require people to use git
   or a web page directly
** This could be an area where funding should go into
* Sourceware maintenance/security enhancements
** hot topic: there seem to be some decent plans proposed already so I
   am not going to rehash them
* New ways of doing communication besides email and IRC
** BBB: there seem to be some decent plans proposed there so I am not
   going to rehash them

In summary, "Where's the beef?" is all I can think of when I read the
GTI proposal, and how this was done in private and in a very
anti-democratic way.

Thanks,
Andrew Pinski

PS I am not representing Marvell here at all and these are all of my
own thoughts.

>
> The GNU Toolchain Infrastructure project welcomes cooperation with other
> efforts to fund and improve the GNU Toolchain infrastructure.
>
> This proposal is an exciting opportunity for the GNU Toolchain and helps to
> ensure its continued vitality.
>
> Happy Hacking!
>
> Carlos O'Donell
> David Edelsohn
>
> [1] Current GTI TAC members are:
> Joel Brobecker
> Nick Clifton
> David Edelsohn
> Frank Ch. Eigler
> Jeff Law
> Martin Liška
> Jose Marchesi
> Simon Marchi
> Joseph Myers
> Carlos O'Donell
> Siddhesh Poyarekar
>