* [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53?
@ 2022-09-28 12:48 carlos at redhat dot com
2022-09-28 13:14 ` [Bug Infrastructure/29629] " fche at redhat dot com
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: carlos at redhat dot com @ 2022-09-28 12:48 UTC (permalink / raw)
To: overseers
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
Bug ID: 29629
Summary: Does the server need to meet NIST SP 800-53?
Product: sourceware
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: Infrastructure
Assignee: overseers at sourceware dot org
Reporter: carlos at redhat dot com
Target Milestone: ---
This was raised at GNU Tools Cauldron 2022 in the discussions around increasing
secure supply chain requirements.
Do the upstream servers providing sources for projects need to meet
requirements like NIST SP 800-53?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Even if we don't need to meet the requirements, does meeting them help expand
the usage of FOSS for organizations that adopt the standards?
Note that github does meet a variety of NIST standards as part of their service
offerings:
https://government.github.com/fedramp-faq
Gitlab also provides projects with the ability to comply with various NIST
standards:
https://about.gitlab.com/blog/2022/03/29/comply-with-nist-secure-supply-chain-framework-with-gitlab/
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug Infrastructure/29629] Does the server need to meet NIST SP 800-53?
2022-09-28 12:48 [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53? carlos at redhat dot com
@ 2022-09-28 13:14 ` fche at redhat dot com
2022-10-06 17:59 ` mark at klomp dot org
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: fche at redhat dot com @ 2022-09-28 13:14 UTC (permalink / raw)
To: overseers
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
Frank Ch. Eigler <fche at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fche at redhat dot com
--- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> ---
Answering the "does this apply?" question is a regulatory or legal matter if
anything. Do you know? If not, what is the infrastructure action you propose?
Answering the "would it expand FOSS usage" question is not something we can
know, nor an infrastructure matter.
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug Infrastructure/29629] Does the server need to meet NIST SP 800-53?
2022-09-28 12:48 [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53? carlos at redhat dot com
2022-09-28 13:14 ` [Bug Infrastructure/29629] " fche at redhat dot com
@ 2022-10-06 17:59 ` mark at klomp dot org
2022-10-14 17:28 ` fche at redhat dot com
2022-10-21 13:25 ` fche at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: mark at klomp dot org @ 2022-10-06 17:59 UTC (permalink / raw)
To: overseers
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org
--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
Also note Alexandre's analysis:
https://sourceware.org/pipermail/overseers/2022q3/018881.html
And the actual source releases of the GNU Toolchain projects are primarily done
through the FSF gnu.org servers (with sourceware providing backups/mirrors of
those).
Best would be to move this kind of questions about NIST recommendations to the
FSF or SFC.
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug Infrastructure/29629] Does the server need to meet NIST SP 800-53?
2022-09-28 12:48 [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53? carlos at redhat dot com
2022-09-28 13:14 ` [Bug Infrastructure/29629] " fche at redhat dot com
2022-10-06 17:59 ` mark at klomp dot org
@ 2022-10-14 17:28 ` fche at redhat dot com
2022-10-21 13:25 ` fche at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: fche at redhat dot com @ 2022-10-14 17:28 UTC (permalink / raw)
To: overseers
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
Frank Ch. Eigler <fche at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |WAITING
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug Infrastructure/29629] Does the server need to meet NIST SP 800-53?
2022-09-28 12:48 [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53? carlos at redhat dot com
` (2 preceding siblings ...)
2022-10-14 17:28 ` fche at redhat dot com
@ 2022-10-21 13:25 ` fche at redhat dot com
3 siblings, 0 replies; 5+ messages in thread
From: fche at redhat dot com @ 2022-10-21 13:25 UTC (permalink / raw)
To: overseers
https://sourceware.org/bugzilla/show_bug.cgi?id=29629
Frank Ch. Eigler <fche at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|WAITING |RESOLVED
--
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-10-21 13:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-28 12:48 [Bug Infrastructure/29629] New: Does the server need to meet NIST SP 800-53? carlos at redhat dot com
2022-09-28 13:14 ` [Bug Infrastructure/29629] " fche at redhat dot com
2022-10-06 17:59 ` mark at klomp dot org
2022-10-14 17:28 ` fche at redhat dot com
2022-10-21 13:25 ` fche at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).