Date: Wed, 27 Nov 2024 20:03:45 +0100
From: Mark Wielaard
To: Jeffrey Walton
Cc: overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, libc-alpha@sourceware.org, gdb@sourceware.org
Subject: Re: Sourceware Cyber Security FAQ
Message-ID: <20241127190345.GC13608@gnu.wildebeest.org>
References: <5f6e7deb0c8c38dabb02bd38eb3efba1eb65807c.camel@klomp.org>

Hi Jeffrey,

On Wed, Nov 27, 2024 at 12:27:14PM -0500, Jeffrey Walton wrote:
> On Wed, Nov 27, 2024 at 11:35 AM Mark Wielaard wrote:
> > After lots of discussions at some of our Open Office hours, at the
> > Cauldron, with other Software Freedom organizations and some of our
> > hardware and services providers we now have a Sourceware Cyber Security
> > FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> > Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> > Software Development Framework (NIST SP 800-218)".
> >
> > https://sourceware.org/cyber-security-faq.html
>
> s/so they share security threads/so they share security threats/g

Thanks, fixed.
Other feedback we got (channel #overseers on irc.libera.chat) was:
"I don't see any questions on that page :)"

Which is correct. Sorry. It was originally phrased as concrete
questions: What is ...? Could you explain ...? But then the ... just
became the headings or just the start of a paragraph explaining ...

The reason for this is that we realized all these "regulations" are
really "meta" proposals. The documents discussed describe
recommendations and directives which might ultimately become
implemented in regulations and requirements (if they even are; many of
the items do look like they may just permanently remain recommendations
and suggestions). So it really should have been called an "explainer"
instead of "faq". But if you have any concrete questions after reading
the "explainer", please ask them and we'll try to add them and provide a
concrete answer.

> > We would like to extend this with some recommended practices for
> > projects to adopt. Although it is clear that these regulations are
> > mainly aimed at commercial entities, who bear the brunt of these
> > requirements. We believe this is an opportunity for projects to get
> > more (corporate) contributions since these guidelines and requirements
> > strongly suggest/mandate to make all their work public and contribute
> > (security issues) back upstream. So any policies documenting how to
> > clearly report issues and documenting the contributing and release
> > practices should be helpful.
> >
> > Please let us know if you have any questions or suggestions.

Cheers,

Mark