Date: Fri, 11 Apr 2025 00:12:58 +0200
From: Mark Wielaard
To: Mark Wielaard via Overseers
Cc: gcc@gcc.gnu.org, binutils@sourceware.org, libc-alpha@sourceware.org, gdb@sourceware.org
Subject: Re: Sourceware Cyber Security FAQ
Message-ID: <20250410221258.GA9991@gnu.wildebeest.org>
In-Reply-To: <5f6e7deb0c8c38dabb02bd38eb3efba1eb65807c.camel@klomp.org>
List-Id: Gdb mailing list

Hi,

On Wed, Nov 27, 2024 at 05:35:00PM +0100, Mark Wielaard via Overseers wrote:
> After lots of discussions at some of our Open Office hours, at the
> Cauldron, with other Software Freedom organizations and some of our
> hardware and services providers we now have a Sourceware Cyber Security
> FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> Software Development Framework (NIST SP 800-218)".
>
> https://sourceware.org/cyber-security-faq.html
>
> We would like to extend this with some recommended practices for
> projects to adopt. Although it is clear that these regulations are
> mainly aimed at commercial entities, who bear the brunt of these
> requirements, we believe this is an opportunity for projects to get
> more (corporate) contributions, since these guidelines and requirements
> strongly suggest/mandate to make all their work public and contribute
> (security issues) back upstream. So any policies documenting how to
> clearly report issues and documenting the contributing and release
> practices should be helpful.

Thanks to all the input during some of the Sourceware Open Office hours
earlier this year, feedback given at Fosdem and discussions with the
Software Freedom Conservancy, we have updated the Sourceware Cyber
Security FAQ (really an explainer) with updates to the current state of
the US Improving the Nation's Cybersecurity Executive Order and the EU
Cyber Resilience Act. We also added a section with Recommendations for
Sourceware hosted projects and a list of suggested secure development
policies.

https://sourceware.org/cyber-security-faq.html

If you want help with implementing some of the suggested secure
development policies, defining a secure software development framework
for your project, or just want to provide feedback on the Sourceware
Cyber Security or Sourceware infrastructure security

https://sourceware.org/sourceware-security-vision.html

please join the Sourceware Open Office hour tomorrow.

Sourceware Open Office hour
Friday 11 April at 16:00 UTC
#overseers on irc.libera.chat

Check local time with:

$ date -d "Fri 11 Apr 2025 16:00 UTC"

Cheers,

Mark Wielaard (for the Sourceware PLC)
https://sourceware.org/mission.html#plc