Re: Core Toolchain Infrastructure - October 2024 update

[Carlos O'Donell via Gdb <gdb@sourceware.org>]

On 10/30/24 6:39 AM, Mark Wielaard wrote:
> Hi Carlos,
> 
> On Tue, Oct 29, 2024 at 06:02:03PM -0400, Carlos O'Donell via Gcc wrote:
>> Recent discussions on the glibc mailing list make it clear
>> that we need to expand and discuss more about our "why" along with
>> the "what" and "how" of these changes.
> 
> Zoe wrote a good summary of that discussion back in July:
> https://inbox.sourceware.org/f20ce996-e9c6-4b6c-856d-eec6e14af26e@fsf.org/
> Has anything changed since then to address the issues raised by her
> and others?

Yes, that the CTI TAC needs to expand the discussion of the "why" to the broader
list of the project, and that starts by writing up (something I'm in the progress
of doing) the detailed notes for glibc, particularly why we would want to meet
any of the requirements (and which specific ones) for a secure software development
framework. I'm writing these notes up for the community to continue our discussion.

Then once we have the full "why" written down, list the pros and the cons of an
LF IT-based solution and alternatives, including Sourceware, and again "why" the
TAC recommends one solution over the other.

I can get down to specific requirements and possible solutions for them, including
things like securing logins with 2FA etc. Which *could* be solved by Sourceware
today possibly using Nitrokeys (open hardware and FOSS), for example.

Having all the details spelled out would allow Sourceware to make progress on the
same issues raised, and I can even file infrastructure bugs if that helps.

> I don't believe the community is helped by trying to set up yet
> another, corporate controlled, organization or doing some highly
> disruptive move of some parts of the services our projects are using.

My position here is that the costs of running secure and robust infrastructure are
quite high, and engaging directly with corporate sponsors like we have done before
is the simplest way to pay for FOSS infrastructure. CTI is exactly the same model
we have today, but with broader corporate involvement, instead of just IBM paying
for the current services. This engagement happens in a place where the larger
contributors are already engaged at the Linux Foundation.

Have you discussed with IBM and other larger sponsors to pay Sourceware PLC to 
fund expanding the current services?

My deepest concerns here is that Sourceware PLC cannot convince larger sponsors
to provide the funding to do what needs to be done to scale out and improve our
services.
 
> I noticed you attended the Infrastructure BoF at the Cauldron and seem
> to be experimenting with the new Forge we setup. I hope you will be
> happy to work with the existing community and the existing
> organizations that support the GNU toolchain and the Sourceware
> infrastructure, instead of trying to setup yet another organization
> that would split our efforts.

I'm excited that the GNU Toolchain community is looking at different workflows and
solutions, but if I'm honest the same question of funding and service/workload
isolation applies.

I'm *more* excited to pay Codeberg directly to support the GNU Toolchain to support
the development of Forgejo, particularly given that larger groups like Fedora are
considering Forgejo.

Thanks for your feedback. We can continue the discussion once I post more to the
overseers list.

-- 
Cheers,
Carlos.