Message-ID: <5f6e7deb0c8c38dabb02bd38eb3efba1eb65807c.camel@klomp.org>
Subject: Sourceware Cyber Security FAQ
From: Mark Wielaard
To: overseers@sourceware.org
Cc: gcc@gcc.gnu.org, binutils@sourceware.org, libc-alpha@sourceware.org, gdb@sourceware.org
Date: Wed, 27 Nov 2024 17:35:00 +0100

Hi all,

After lots of discussions at some of our Open Office hours, at the Cauldron, with other Software Freedom organizations and some of our hardware and services providers, we now have a Sourceware Cyber Security FAQ explaining topics like the "US Improving the Nation's Cybersecurity Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure Software Development Framework (NIST SP 800-218)".

https://sourceware.org/cyber-security-faq.html

We would like to extend this with some recommended practices for projects to adopt. Although it is clear that these regulations are mainly aimed at commercial entities, who bear the brunt of these requirements, we believe this is an opportunity for projects to get more (corporate) contributions, since these guidelines and requirements strongly suggest/mandate that they make all their work public and contribute (security issues) back upstream. So any policies documenting how to clearly report issues and documenting the contributing and release practices should be helpful.

Please let us know if you have any questions or suggestions.

Cheers,

Mark Wielaard (for the Sourceware PLC)
https://sourceware.org/mission.html#plc