From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id UACUDLg3WGYP+iAAWB0awg (envelope-from ) for ; Thu, 30 May 2024 04:24:24 -0400 Authentication-Results: simark.ca; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=A2ToI4bE; dkim-atps=neutral Received: by simark.ca (Postfix, from userid 112) id 2DD3D1E0C1; Thu, 30 May 2024 04:24:24 -0400 (EDT) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id 16F0D1E092 for ; Thu, 30 May 2024 04:24:22 -0400 (EDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 6ACB3385B52B for ; Thu, 30 May 2024 08:24:21 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 6ACB3385B52B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1717057461; bh=+XpQkFBSn+hdP1dUPjEEiazSros1HRCnq7/Tp2rKESg=; h=Subject:In-Reply-To:Date:Cc:References:To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=A2ToI4bEUbNrcA2HpgNPMy9lPXzaEJqE3B0bC6gFIbV4vyGJUWjP9XDZWR7RU4vLu +4uLmvYJn2VYvmJwGNNvehYfatl2eewGFuATzi8wFuq0Bh0U0TMpiv9/CkyG9FDhee X6CgfZ4RwknyUFg2eZKXCWDAwCae9/APIBui24Cw= Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) by sourceware.org (Postfix) with ESMTPS id D88A2385E836 for ; Thu, 30 May 2024 08:18:53 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D88A2385E836 ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D88A2385E836 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1717057155; cv=none; b=N5f6qd8WuIy2Ec8YMC7hwwGdmhEyXNEtLfSCec/AfdFHOaKhSB1n3F2IDh32vMCE1pfM7lkrCxEn27GRrNfasyhXNWqn4ioOmOTp4Nwpdg5uQT+TKh4McBCvVCm3BODwPzrbCjkIFtw1l4UPp4mWkShMfFRQG2Pg/c4lgWgjeXM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1717057155; c=relaxed/simple; bh=et3fDPxwR/WzJKX0+Yt08Z1tSE2jplSrIQ5I2b7QZgk=; h=DKIM-Signature:Mime-Version:Subject:From:Date:Message-Id:To; b=vW8hjpZ2cL+08ABB46V3QuAiB1+0YEImPr8IuBw54UtITVcaA+Y+rTEkLElQ4/Ge9zlKrcpK1Q6I8me+nia3xBPU6Ohk3VzkJuLwHUdYAJUwep9s8bx5r6u5EOaDDjKIYHWb+ZFocKBxQ5pHj2Ovzj+wPIzzsACAcf8IxUuql4U= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-579edae6888so91967a12.3 for ; Thu, 30 May 2024 01:18:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717057132; x=1717661932; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+XpQkFBSn+hdP1dUPjEEiazSros1HRCnq7/Tp2rKESg=; b=UJOMezD6wE5YThnrdlolrjS19kXk/ugyzgDOVPLY48CnIaJ6Zwp5UrsjCoWuE/SRNg O0PAN+BNnJ+pCVYlSINlHTeCj3/1ZXEV81CQZ48FVZf1WsxyVq97ettnJAMrO28vhYc6 ZgtBLwnDuw6NBVf+4UnNXgSWVJweKcr00Xp9BGigNudoeYqxO6iN/Y8Dr96JGOm9PvxX iIK3G7e8wxLp8j+j2p7AU0Zw0OodqcfTfG52m8gvsOV8KmDTTeEEYR/P2RbZJnnnkYqa 1yBmgsa8EOnomWtbAHmaqFlvKKUdS+2YpcBOsaV8xmeC2W2kRUP/0a7pxVBAvk0QR3bp aoag== X-Forwarded-Encrypted: i=1; AJvYcCXpHftz21Et+5BWobUEg8Kc5k3DZQnMjdGKzOAN1clidQrQjkoDpLySd2Z/ubCelrXCTGyp9PHEz56ZFmQVTf6TYTM= X-Gm-Message-State: AOJu0YzFAlTOOTHVCOtyqN/abIIlrg9PB9GPAKod6cuITBBuoqn8LiNB ZW01/ujr0OCOcMYJpPgak9bsrbrS+zIQLktPCbDl+CpIowY4Egk+ShcfH0d6yg== X-Google-Smtp-Source: AGHT+IHNWYnynsSSzsFyy7vrA02neyBQyBOVzeGE9BHfvc6tJzDh08KU7gT/qPDM20A8Tl0zQAB8/Q== X-Received: by 2002:a50:d7da:0:b0:57a:2069:e99 with SMTP id 4fb4d7f45d1cf-57a206910b1mr612031a12.4.1717057131888; Thu, 30 May 2024 01:18:51 -0700 (PDT) Received: from smtpclient.apple ([37.252.95.114]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-579c2026406sm6693360a12.37.2024.05.30.01.18.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 May 2024 01:18:51 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\)) Subject: Re: Sourceware @ Conservancy - Year One In-Reply-To: <20240529190215.GA26515@gnu.wildebeest.org> Date: Thu, 30 May 2024 12:18:38 +0400 Cc: overseers@sourceware.org, gcc@gcc.gnu.org, libc-alpha , binutils@sourceware.org, gdb@sourceware.org Content-Transfer-Encoding: quoted-printable Message-Id: <1E2BED27-9721-4729-8785-F6047EE6C646@linaro.org> References: <20240529190215.GA26515@gnu.wildebeest.org> To: Mark Wielaard X-Mailer: Apple Mail (2.3774.600.62) X-Spam-Status: No, score=2.0 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, KAM_SHORT, LIKELY_SPAM_BODY, LOTS_OF_MONEY, MONEY_NOHTML, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gdb@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Gdb mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Maxim Kuvyrkov via Gdb Reply-To: Maxim Kuvyrkov Errors-To: gdb-bounces+public-inbox=simark.ca@sourceware.org Sender: "Gdb" > On May 29, 2024, at 23:02, Mark Wielaard wrote: >=20 > Sourceware joined Conservancy as member project on May 15 2023. > https://sfconservancy.org/news/2023/may/15/sourceware-joins-sfc/ >=20 > It was a busy year and we would like to give an overview of various > topics. >=20 > - Communications > - New and updated services > - Security > - New and upgraded hardware > - Finances > - Next year plans > - Conclusion >=20 > =3D Communications >=20 > In the last year we organized 12 Open Office meetings on IRC. >=20 > And posted Sourceware infrastructure community quarterly updates for > 23Q2 = https://inbox.sourceware.org/20230605090950.GI16634@gnu.wildebeest.org > 23Q3 = https://inbox.sourceware.org/20230830081253.GB26251@gnu.wildebeest.org > 23Q4 = https://inbox.sourceware.org/20231128101132.GE4214@gnu.wildebeest.org > 24Q1 = https://inbox.sourceware.org/20240227091935.GK17722@gnu.wildebeest.org >=20 > We also published the Sourceware 25 Roadmap. Preparing Sourceware for > the next 25 years. https://sourceware.org/sourceware-25-roadmap.html >=20 > Various members of the Sourceware Project Leadership Committee and > Conservancy staff attended the GNU Tools Cauldron in 2023 and FOSDEM > in 2024 to meet in person. >=20 > The Software Freedom Conservancy extended the use of their Big Blue > Button instance https://bbb.sfconservancy.org/ to Sourceware projects > that want to host video meetings. >=20 > And Sourceware joined the fediverse at @sourceware@fosstodon.org > https://fosstodon.org/@sourceware >=20 > =3D New and updated services >=20 > https://snapshots.sourceware.org/ >=20 > Thanks to OSUOSL we now have a snapshots server to publish static > artifacts from current git repos created in isolated containers. > It can be used as alternative to git hooks or cron jobs to generate > snapshots for things like: >=20 > glibc code and manual snapshots: > https://snapshots.sourceware.org/glibc/trunk/latest/ > GNU poke code and doc snapshots: > https://snapshots.sourceware.org/gnupoke/trunk/latest/ > elfutils code coverage: > https://snapshots.sourceware.org/elfutils/coverage/latest/ > libabigail website, manuals and api docs: > https://snapshots.sourceware.org/libabigail/html-doc/latest/ > Valgrind snapshots and manuals: > https://snapshots.sourceware.org/valgrind/trunk/latest/ > DWARF draft spec: > https://snapshots.sourceware.org/dwarfstd/dwarf-spec/latest/ > GDB code snapshots: > https://snapshots.sourceware.org/gdb/trunk/latest/src/ > Binutils code snapshots: > https://snapshots.sourceware.org/binutils/trunk/latest/src/ >=20 > The container files and build steps are defined through the builder > project. >=20 > The Software Heritage project https://www.softwareheritage.org/ > started archiving the active git repos and the (historic) subversion > and cvs archives. This is in addition to the mirrors at SourceHut > https://sr.ht/~sourceware/ >=20 > Email. No more =46rom rewriting for patches mailinglists. > Sourceware mailinglists used =46rom rewriting. No more! We upgraded > mailman, gave up subject prefixes, mail footers, html stripping and > reply-to mangling. >=20 > This includes the libc-alpha and gcc-patches mailinglists. The gcc > patches lists for libstdc++, libgccjit, fortran and gcc-rust. And the > lists for projects that use patchwork, newlib, elfutils, libabigail > and gdb. >=20 > Thanks to the FSF tech-team for walking us through their setup for > lists.gnu.org >=20 > https://inbox.sourceware.org/ now also "handles" HTML emails (by > stripping the HTML part) and was reindexed to include any missing > (HTML) emails. >=20 > Various projects were still creating their project homepages from > CVS. We upgraded both glibc and binutils to have a public git htdocs > repository now to which the whole community can contribute. >=20 > https://sourceware.org/cgit/binutils-htdocs/ > https://sourceware.org/cgit/glibc-htdocs/ >=20 > And a special thanks to ARM who have been using > https://patchwork.sourceware.org/ to provide a pre-commit testing > service for various projects. Hi Mark, Thanks for the great update! Minor nitpick: pre-commit testing for AArch64 and AArch32 architectures = is provided by Linaro Toolchain Working Group (Linaro TCWG). -- Maxim Kuvyrkov https://www.linaro.org >=20 > =3D Security >=20 > Sourceware introduced gitsigur for protecting git repo integrity. With > comparisons, developer workflow examples and composition possibilities > for gitsigur, b4 and sigstore. > https://inbox.sourceware.org/ZJ3Tihvu6GbOb8%2FR@elastic.org/ >=20 > Sourceware now also allows signed git pushes > (in addition to signed git commits). >=20 > The Common Vulnerabilities and Exposures (CVE) system seems broken and > has been issuing more and more questionable advisories. Various hosted > projects have been writing security policies to help users know which > bugs might have security implications. >=20 > https://sourceware.org/cgit/elfutils/tree/SECURITY > https://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt > https://gcc.gnu.org/cgit/gcc/tree/SECURITY.txt >=20 > The glibc project even setup their own security mailing list and CNA > (CVE Numbering Authority) publishing their own advisories: > https://sourceware.org/glibc/security.html > https://sourceware.org/cgit/glibc/tree/advisories >=20 > To double check that generated files in source repositories are really > what was intended the container builders now have an autotools > generated files checker, autoregen, for gcc, binutils and gdb: > = https://inbox.sourceware.org/20231115194803.GW31613@gnu.wildebeest.org/ >=20 > Sourceware hosts were not affected by the xz-backdoor. But we did > reset the https://builder.sourceware.org containers of debian-testing, > fedora-rawhide and opensuse-tumbleweed. These containers however > didn't have ssh installed, were running on isolated VMs on separate > machines from our main hosts, snapshots and backup servers. >=20 > We introduced an "aging inactive users" policy. Accounts are now > automatically disabled when not used for a year (after a warning). > https://inbox.sourceware.org/overseers/ZhCho2hjRACDztxy@elastic.org >=20 > =3D New and upgraded hardware >=20 > There have been complaints about overloaded builders on > https://builder.sourceware.org. So OSUOSL have provided us with > another arm64 and x86_64 server. The new servers do the larger gcc and > glibc builds so the other builders can do quicker (smaller) CI builds > without having to wait on the big jobs. >=20 > StarFive has donated 4 VisionFive-2 RISC-V boards with 8GB, 4-core > JH7110 supporting the RV64GC ISA for https://builder.sourceware.org/ > Which has allowed us to setup CI (and try) builders for various > projects: annobin, binutils(+try), bzip2, debugedit, dwz, > elfutils(+try), glibc, gdb, poke, and libabigail(+try). >=20 > One of the drives in server2 broke down. It was part of a 10 drive > raid6 setup, which can take 2 bad disks before full failure. We also > have a full mirror on server3, which has a similar raid6 setup. We > ordered 3 new disks, one as replacement for the bad disk and a spare > for server2 and server3 in case of future drive failures. The drive > has been replaced and everything is running smoothly again. >=20 > Thanks to Red Hat server2 got a RAM upgrade to 512G. >=20 > =3D Finances >=20 > To create a hardware replacement fund we setup > https://sourceware.org/donate.html >=20 > There were $5.500+ in individual donations in the last year. >=20 > And Valgrind was picked for a FUTO https://futo.org Microgrant, which > has been donated to Sourceware through the Software Freedom > Conservancy for maintaining and expanding the infrastructure for > Valgrind and other core toolchain and developer tool projects. > FUTO then doubled their contribution to $2.000. >=20 > Thanks to our hardware and services partners we didn't have much > direct expenses. We spend ~$300 on the replacement disks and $20 on > domain registration. >=20 > Total income was $7,611.73, total expenses were $321.76. > Note that income is after currency conversions and administration = costs. >=20 > Which leaves us with $7,289.97 for our current hardware replacement = fund. >=20 > =3D Next year plans >=20 > To prepare for next year we held various open office and public email > discussions with the community and made plans for Sourceware and the > hosted projects secure software development frameworks. >=20 > https://inbox.sourceware.org/20240325100226.GL5673@gnu.wildebeest.org > https://inbox.sourceware.org/20240401150617.GF19478@gnu.wildebeest.org > https://inbox.sourceware.org/20240417232725.GC25080@gnu.wildebeest.org >=20 > After the xz-backdoor incident obviously a lot of discussions focused > on various security aspects. The Sourceware Project Leadership > Committee turned those ideas into concrete plans for next year: >=20 > Secure Sourceware Project Goals > https://sourceware.org/sourceware-security-vision.html Secure >=20 > More isolation of existing services. Modernizing account > processes. Release upload process improvements. Hardware keys for > administrators, release managers and developers. Pull-request > server. Part time junior system administrator. >=20 > We are currently working with the Conservancy to fund these plans. >=20 > =3D Conclusion >=20 > This first year as a Conservancy Member Project has been really good > for Sourceware and we hope to continue the relationship for many years > to come. We urge the community to support the Software Freedom > Conservancy by becoming a Conservancy Sustainer > https://sfconservancy.org/sustainer