From: Mark Wielaard
To: Overseers mailing list
Cc: Christopher Faylor
Subject: Re: Moving sourceware to the Linux Foundation? No thanks.
Date: Mon, 26 Sep 2022 00:31:57 +0200
References: <87ler4qcmo.fsf@gnu.org>

Hi Chris,

On Sun, Sep 18, 2022 at 03:42:38PM -0400, Christopher Faylor via Overseers wrote:
> The LF proposal, on the other hand, is for a wholesale move of the
> sourceware domain and services to a system wholly owned and controlled
> by Linux Foundation IT.

We talked a bit at the Cauldron about it and agreed to continue the conversation on this list.
There is somewhat of an overview of the plan in this lwn article:
https://lwn.net/SubscriberLink/908638/567de0001d86662c/

I hope they will post the whole proposal to this list, but I think it really is a couple of separate proposals. Each proposal is connected to the LF or a subsidiary, which makes it sound like it is one big LF takeover. It was kind of presented as a package deal, but I think we can mix and match the separate proposals once we better understand the separate parts. Also, different parts seem to have the same or similar names, "GTI", which sometimes seems to stand for GNU Toolchain Initiative or GNU Toolchain Infrastructure. I'll try to explain as far as I understand it.

First, there is a proposal from the LF/OpenSSF to provide money to help with solving certain cybersecurity requirements. Some of these seem to be related to actual infrastructure requirements; others seem to be related to project policies around using signed commits and patch attestation and following things like https://slsa.dev/ It wasn't really clear which security issue was really an infrastructure issue. I tried to separate some concerns in this email:
https://sourceware.org/pipermail/overseers/2022q3/018849.html

The LF/OpenSSF has a ten point plan:
https://openssf.org/oss-security-mobilization-plan/
Some of these do seem interesting, but will need a lot of work to turn into concrete things we can do with the infrastructure and policies to adapt for the projects. I think for concrete infrastructure related ideas the Conservancy could accept the money and we can decide how to use it to implement them.

Secondly, they would like to set up a fund at the Linux Foundation which would collect money from sponsors. This is (also) called GTI. These sponsors then decide how to spend their money to best help the GNU Toolchain (which seems to extend to all Sourceware projects). This LF/GTI would then hire the LF/IT to provide some managed services for some sourceware projects.
Another idea was to use the fund to set up a BBB server. It wasn't clear whether the LF/IT would then also be asked to set that up.

Finally, they would set up an advisory board, which advises the LF/IT on how to run the managed services and which would also have one seat on the LF/GTI for spending money on other initiatives.

It isn't completely clear yet how all this mixes and matches with Sourceware being a Conservancy member project. But I think we should be able to figure out how to combine the best parts of the community driven approach with the corporate sponsor approach once more details become clear.

> If you're satisfied in the way sourceware has been run and are confident
> that the people running it know what they're doing, and have your best
> interests at heart, then please speak up. If you don't really know
> what's going on here and don't want to take my word for it that
> something smells fishy then *please* listen carefully to the proposal
> if/when this is finally publicly announced. I would not be surprised if
> alarms start going off in your head when you hear what's being proposed
> - like they did for me.
>
> For those who don't know, I've been helping keep sourceware running
> since I was at Cygnus (and then Red Hat) starting in 1999. I've
> continued to offer my volunteer services since I left Red Hat in 2003.

I am really sorry your huge influence on Sourceware wasn't more prominently mentioned during the BoF.

Cheers,

Mark