Mirror of the gdb mailing list
From: Carlos O'Donell via Gdb <gdb@sourceware.org>
To: Mark Wielaard <mark@klomp.org>
Cc: "gcc developers" <gcc@gcc.gnu.org>,
	"glibc developers" <libc-alpha@sourceware.org>,
	"gdb developers" <gdb@sourceware.org>,
	"binutils developers" <binutils@sourceware.org>,
	"Overseers mailing list" <overseers@sourceware.org>,
	cti-tac@lists.linuxfoundation.org, "Zoë Kooyman" <zoe@fsf.org>,
	"Karen M. Sandler" <karen@sfconservancy.org>
Subject: Re: Core Toolchain Infrastructure - October 2024 update
Date: Wed, 30 Oct 2024 12:52:13 -0400
Message-ID: <5691d7c8-f92e-46f3-8edf-c83e085dbfa2@redhat.com>
In-Reply-To: <ae8662fd114be6b26300e85173cfcd1068421abf.camel@klomp.org>

On 10/30/24 11:45 AM, Mark Wielaard wrote:
> Hi Carlos,
> 
> On Wed, 2024-10-30 at 08:32 -0400, Carlos O'Donell wrote:
>> I can get down to specific requirements and possible solutions for them, including
>> things like securing logins with 2FA etc. Which *could* be solved by Sourceware
>> today possibly using Nitrokeys (open hardware and FOSS), for example.
> 
> Yes, a nitrokey distribution scheme is part of the Secure Sourceware
> Project Goals: https://sourceware.org/sourceware-security-vision.html

Have you broken down those project goals into actionable steps that could be taken?

For example filing Sourceware Infrastructure bugs for each service that needs to be
migrated into a VM and isolated (with a top level tracker for "Increased isolation")?

If you're going to ask for funding, having a list of concrete goals the funding
will solve, broken down to the level at which you can write an SOW, is very very
beneficial.
 
> We discussed this with OpenSSF and submitted a funding request to
> OpenSSF Alpha Omega for this particular part. OpenSSF initially was
> supportive to funding these kinds of security plans, but they have been
> silent for the last couple of months. If you have contacts to get this
> going forward again that would be great.

I do have contacts at the OpenSSF and I'd be glad to help. We just met with one of
their team members today as part of the CTI TAC meeting.

Do you have your funding request anywhere that I can read it?

>> Having all the details spelled out would allow Sourceware to make progress on the
>> same issues raised, and I can even file infrastructure bugs if that helps.
> 
> Yes, please file bugzilla reports against the Sourceware Infrastructure
> project:
> https://sourceware.org/bugzilla/buglist.cgi?product=sourceware&component=Infrastructure
> Or bring it up on the overseers list or during the Sourceware open
> office hours. https://sourceware.org/mission.html#organization

For tracking purposes I'll file them as Sourceware Infrastructure bugs and
we can go from there.

>> My deepest concern here is that Sourceware PLC cannot convince larger sponsors
>> to provide the funding to do what needs to be done to scale out and improve our
>> services.
> 
> Thanks for your concern. The whole idea of setting up Sourceware as an
> organization with Conservancy as a fiscal sponsor is precisely to make
> these kinds of sponsorships easy. And to expand funding to be able to
> accept community donations and grants:
> https://sourceware.org/donate.html

What you have done is make it *possible* for an organization to place money at the
fiscal sponsor for the mission you've set out, and while this is a measure of ease,
the hardest step is still to come. You need to convince sponsors to donate.

David, Joel and I have been the trustees of the GNU Toolchain Fund since we worked
with the FSF to set it up in 2017. Since then the hardest step is getting larger
sponsors to support.

How have your fundraising activities been going for the Sourceware fund at the SFC?

Have you allocated and spent any of that funding to move the project goals forward?
 
>> I'm excited that the GNU Toolchain community is looking at different workflows and
>> solutions, but if I'm honest the same question of funding and service/workload
>> isolation applies.
>>
>> I'm *more* excited to pay Codeberg directly to support the GNU Toolchain to support
>> the development of Forgejo, particularly given that larger groups like Fedora are
>> considering Forgejo.
> 
> Yes, we did already discuss this. But it is too early for that. Richard
> set up a wiki page for the Forge Experiment that includes a list of
> various bugs/issues in Forgejo that we would like to see resolved
> before we can call the experiment a success.
> https://gcc.gnu.org/wiki/ForgeExperiment
> When we are a bit further into the experiment to know which ones are
> real blockers, we could fund the work to get those done.

Yes, I agree we're too early.

Fedora has commented publicly that Codeberg's informal position was that they
probably did not have the capacity to host a project of Fedora's size.

https://discussion.fedoraproject.org/t/a-vote-in-favor-of-forgejo/112059/5

-- 
Cheers,
Carlos.

