Mirror of the gdb mailing list
* Sourceware Cyber Security FAQ
@ 2024-11-27 16:35 Mark Wielaard
  2024-11-27 17:27 ` Jeffrey Walton via Gdb
  2025-04-10 22:12 ` Mark Wielaard
  0 siblings, 2 replies; 4+ messages in thread
From: Mark Wielaard @ 2024-11-27 16:35 UTC (permalink / raw)
  To: overseers; +Cc: gcc, binutils, libc-alpha, gdb

Hi all,

After lots of discussions at some of our Open Office hours, at the
Cauldron, with other Software Freedom organizations and some of our
hardware and services providers we now have a Sourceware Cyber Security
FAQ explaining topics like the "US Improving the Nation's Cybersecurity
Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
Software Development Framework (NIST SP 800-218)".

https://sourceware.org/cyber-security-faq.html

We would like to extend this with some recommended practices for
projects to adopt. Although it is clear that these regulations are
mainly aimed at commercial entities, who bear the brunt of these
requirements, we believe this is an opportunity for projects to get
more (corporate) contributions, since these guidelines and requirements
strongly suggest/mandate making all their work public and contributing
(security issues) back upstream. So any policies documenting how to
clearly report issues, and documenting the contributing and release
practices, should be helpful.

Please let us know if you have any questions or suggestions.

Cheers,

Mark Wielaard
(for the Sourceware PLC)
https://sourceware.org/mission.html#plc


* Re: Sourceware Cyber Security FAQ
@ 2024-11-27 17:27 Jeffrey Walton via Gdb
From: Jeffrey Walton via Gdb @ 2024-11-27 17:27 UTC (permalink / raw)
  To: Mark Wielaard; +Cc: overseers, gcc, binutils, libc-alpha, gdb

On Wed, Nov 27, 2024 at 11:35 AM Mark Wielaard <mark@klomp.org> wrote:
>
> Hi all,
>
> After lots of discussions at some of our Open Office hours, at the
> Cauldron, with other Software Freedom organizations and some of our
> hardware and services providers we now have a Sourceware Cyber Security
> FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> Software Development Framework (NIST SP 800-218)".
>
> https://sourceware.org/cyber-security-faq.html

   s/so they share security threads/so they share security threats/g

> We would like to extend this with some recommended practices for
> projects to adopt. Although it is clear that these regulations are
> mainly aimed at commercial entities, who bear the brunt of these
> requirements, we believe this is an opportunity for projects to get
> more (corporate) contributions, since these guidelines and requirements
> strongly suggest/mandate making all their work public and contributing
> (security issues) back upstream. So any policies documenting how to
> clearly report issues, and documenting the contributing and release
> practices, should be helpful.
>
> Please let us know if you have any questions or suggestions.

Jeff


* Re: Sourceware Cyber Security FAQ
@ 2024-11-27 19:03 Mark Wielaard
From: Mark Wielaard @ 2024-11-27 19:03 UTC (permalink / raw)
  To: Jeffrey Walton; +Cc: overseers, gcc, binutils, libc-alpha, gdb

Hi Jeffrey,

On Wed, Nov 27, 2024 at 12:27:14PM -0500, Jeffrey Walton wrote:
> On Wed, Nov 27, 2024 at 11:35 AM Mark Wielaard <mark@klomp.org> wrote:
> > After lots of discussions at some of our Open Office hours, at the
> > Cauldron, with other Software Freedom organizations and some of our
> > hardware and services providers we now have a Sourceware Cyber Security
> > FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> > Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> > Software Development Framework (NIST SP 800-218)".
> >
> > https://sourceware.org/cyber-security-faq.html
> 
>    s/so they share security threads/so they share security threats/g

Thanks, fixed.

Other feedback we got (channel #overseers on irc.libera.chat) was:
"I don't see any questions on that page :)"

Which is correct. Sorry. It was originally phrased as concrete
questions, such as "What is ...?" and "Could you explain ...?". But then
the "..." just became the headings, or just the start of a paragraph
explaining "...".

The reason for this is that we realized all these "regulations" are
really "meta" proposals. The documents discussed describe
recommendations and directives which might ultimately become
implemented in regulations and requirements (if they ever are; many of
the items do look like they may just permanently remain
recommendations and suggestions).

So it really should have been called an "explainer" instead of "faq".

But if you have any concrete questions after reading the "explainer",
please ask them and we'll try to add them and provide a concrete
answer.

> > We would like to extend this with some recommended practices for
> > projects to adopt. Although it is clear that these regulations are
> > mainly aimed at commercial entities, who bear the brunt of these
> > requirements, we believe this is an opportunity for projects to get
> > more (corporate) contributions, since these guidelines and requirements
> > strongly suggest/mandate making all their work public and contributing
> > (security issues) back upstream. So any policies documenting how to
> > clearly report issues, and documenting the contributing and release
> > practices, should be helpful.
> >
> > Please let us know if you have any questions or suggestions.

Cheers,

Mark


* Re: Sourceware Cyber Security FAQ
@ 2025-04-10 22:12 Mark Wielaard
From: Mark Wielaard @ 2025-04-10 22:12 UTC (permalink / raw)
  To: Mark Wielaard via Overseers; +Cc: gcc, binutils, libc-alpha, gdb

Hi,

On Wed, Nov 27, 2024 at 05:35:00PM +0100, Mark Wielaard via Overseers wrote:
> After lots of discussions at some of our Open Office hours, at the
> Cauldron, with other Software Freedom organizations and some of our
> hardware and services providers we now have a Sourceware Cyber Security
> FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> Software Development Framework (NIST SP 800-218)".
> 
> https://sourceware.org/cyber-security-faq.html
> 
> We would like to extend this with some recommended practices for
> projects to adopt. Although it is clear that these regulations are
> mainly aimed at commercial entities, who bear the brunt of these
> requirements, we believe this is an opportunity for projects to get
> more (corporate) contributions, since these guidelines and requirements
> strongly suggest/mandate making all their work public and contributing
> (security issues) back upstream. So any policies documenting how to
> clearly report issues, and documenting the contributing and release
> practices, should be helpful.

Thanks to all the input during some of the Sourceware Open Office
hours earlier this year, feedback given at Fosdem and discussions with
the Software Freedom Conservancy, we have updated the Sourceware Cyber
Security FAQ (really an explainer) to reflect the current state of the
US Improving the Nation's Cybersecurity Executive Order and the EU
Cyber Resilience Act.

We also added a section with Recommendations for Sourceware hosted
projects, and a list of suggested secure development policies.

https://sourceware.org/cyber-security-faq.html

If you want help with implementing some of the suggested secure
development policies, defining a secure software development framework
for your project, or just want to provide feedback on the Sourceware
Cyber Security FAQ or on Sourceware infrastructure security
(https://sourceware.org/sourceware-security-vision.html), please join
the Sourceware Open Office hour tomorrow.

Sourceware Open Office hour
Friday 11 April at 16:00 UTC
#overseers on irc.libera.chat

Check local time with:
$ date -d "Fri 11 Apr 2025 16:00 UTC"

Cheers,

Mark Wielaard
(for the Sourceware PLC)
https://sourceware.org/mission.html#plc
