Re: Moving sourceware to the Linux Foundation? No thanks.

[Mark Wielaard <mark@klomp.org>]

Hi Chris,

On Sun, Sep 18, 2022 at 03:42:38PM -0400, Christopher Faylor via Overseers wrote:
> The LF proposal, on the other hand, is for a wholesale move of the
> sourceware domain and services to a system wholly owned and controlled
> by Linux Foundation IT.

We talked a bit at the Cauldron about it and agreed to continue the
conversation on this list. There is somewhat of an overview of the
plan in this lwn article:
https://lwn.net/SubscriberLink/908638/567de0001d86662c/

I hope they will post the whole proposal to this list, but I think it
really is a couple of separate proposals. Each proposal is connected
to the LF or a subsidiary which makes it sound like it is one big LF
takeover. It was kind of presented as a package deal, but I think we
can mix and match the separate proposals once we better understand the
separate parts. Also different parts seem to have the same or similar
names "GTI", which sometimes seem to stand for GNU Toolchain
Initiative or GNU Toolchain Infrastructure. I'll try to explain as far
as I understand it.

First there is a proposal from the LF/OpenSSF to provide money to help
with solving certain cybersecurity requirements. Some of these seem to
be related to actual infrastructure requirements, others seem to be
related to project policies around using signed commits and patch
attestation and following things like https://slsa.dev/

It wasn't really clear which security issue was really an
infrastructure issue. I tried to separate some concerns in this email:
https://sourceware.org/pipermail/overseers/2022q3/018849.html

The LF/OpenSSF has a ten point plan:
https://openssf.org/oss-security-mobilization-plan/

Some of which do seem interesting, but will need a lot of work to turn
into concrete things we can do with the infrastructure and policies to
adapt for the projects.

I think for concrete infrastructure related ideas the Conservancy
could accept the money and we can decide how to use it to implement
them.

Secondly they would like to setup a fund at the Linux Foundation which
would collect money from sponsors. This is (also) called GTI. These
sponsors then decide how to spend their money to best help the GNU
Toolchain (which seems to extend to all Sourceware projects).

This LF/GTI would then hire the LF/IT to provide some managed services
for some sourceware projects.

Another idea was to use the fund to setup a BBB server. It wasn't
clear whether the LF/IT would then also be asked to set that up.

Finally they would setup an advisory board, which advises the LF/IT
how to run the managed services and which would also have one seat on
the LF/GTI for spending money on other initiatives.

It isn't completely clear yet how all this mixes-and-matches with
Sourceware being a Conservancy member project. But I think we should
be able to figure out how to combine the best parts of the community
driven approach with the corporate sponsor approach once more details
become clear.

> If you're satisfied in the way sourceware has been run and are confident
> that the people running it know what they're doing, and have your best
> interests at heart, then please speak up.  If you don't really know
> what's going on here and don't want to take my word for it that
> something smells fishy then *please* listen carefully to to the proposal
> if/when this is finally publicly announced.  I would not be surprised if
> alarms start going off in your head when you hear what's being proposed
> - like they did for me.
> 
> For those who don't know, I've been helping keep sourceware running
> since I was at Cygnus (and then Red Hat) starting in 1999.  I've
> continued to offer my volunteer services since I left Red Hat in 2003.

I am really sorry your huge influence on Sourceware wasn't more
prominently mentioned during the BoF.

Cheers,

Mark