From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id /KoZCrpUImcIsB8AWB0awg (envelope-from ) for ; Wed, 30 Oct 2024 11:46:02 -0400 Received: by simark.ca (Postfix, from userid 112) id 0BC601E5A1; Wed, 30 Oct 2024 11:46:02 -0400 (EDT) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-6.7 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_00, MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_CERTIFIED, RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,URIBL_BLOCKED, URIBL_DBL_BLOCKED_OPENDNS autolearn=ham autolearn_force=no version=4.0.0 Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id D94C11E35A for ; Wed, 30 Oct 2024 11:45:56 -0400 (EDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 8883B385773A for ; Wed, 30 Oct 2024 15:45:56 +0000 (GMT) Received: from gnu.wildebeest.org (gnu.wildebeest.org [45.83.234.184]) by sourceware.org (Postfix) with ESMTPS id 694F0385841E; Wed, 30 Oct 2024 15:45:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 694F0385841E Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=klomp.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=klomp.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 694F0385841E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=45.83.234.184 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1730303121; cv=none; b=hBFJM5ZTnm44T8NFQbj+Gun6QksKPqBKEzXMx1+hkNJFgz3gHC4jmw/R7OSv0gmODbgf6jj406GB5BuBdLg2ji5jUatVDdVWObPMq42p+aX2uxnwM3jyLSWfaKArnJHleD1XFxK3Lfayz7FP8IOiXLH0bxFi+3Uyg8XJMjEQ1Nk= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1730303121; c=relaxed/simple; bh=k8wzKaTcggOcc0FQ02sI41wdw2tQVskdWbS1TZEw1TQ=; h=Message-ID:Subject:From:To:Date:MIME-Version; b=s+UcCNv+C4620DYRYmmQxMifNPvLeAzXeITmZD7ZZkDiR8d73TTyrc6lKsL9OpEeznLtBhL/hJp814eZ8dx9gawSaG88yWavLc+ZoqGhXjMd5DyvnFrv3BAdyOh2tTkehdrB71aPCaeZhBjNiPiUQqNFTyW35+NAYppvmfni1PM= ARC-Authentication-Results: i=1; server2.sourceware.org Received: from r6.localdomain (82-217-174-174.cable.dynamic.v4.ziggo.nl [82.217.174.174]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id 35D973032F85; Wed, 30 Oct 2024 16:45:12 +0100 (CET) Received: by r6.localdomain (Postfix, from userid 1000) id DB32D3403A8; Wed, 30 Oct 2024 16:45:11 +0100 (CET) Message-ID: Subject: Re: Core Toolchain Infrastructure - October 2024 update From: Mark Wielaard To: Carlos O'Donell Cc: gcc developers , glibc developers , gdb developers , binutils developers , Overseers mailing list , cti-tac@lists.linuxfoundation.org, =?ISO-8859-1?Q?Zo=EB?= Kooyman , "Karen M. Sandler" Date: Wed, 30 Oct 2024 16:45:11 +0100 In-Reply-To: <3a2c2d35-3b86-4286-a393-5ec166659f92@redhat.com> References: <9ee5b9e1-3f84-4d9e-8249-7a4bf8080bb0@redhat.com> <20241030103912.GD28606@gnu.wildebeest.org> <3a2c2d35-3b86-4286-a393-5ec166659f92@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.52.4 (3.52.4-1.fc40) MIME-Version: 1.0 X-BeenThere: gdb@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Gdb mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-bounces~public-inbox=simark.ca@sourceware.org Sender: "Gdb" Hi Carlos, On Wed, 2024-10-30 at 08:32 -0400, Carlos O'Donell wrote: > I can get down to specific requirements and possible solutions for them, = including > things like securing logins with 2FA etc. Which *could* be solved by Sour= ceware > today possibly using Nitrokeys (open hardware and FOSS), for example. Yes, a nitrokey distribution scheme is part of the Secure Sourceware Project Goals: https://sourceware.org/sourceware-security-vision.html We discussed this with OpenSSF and submitted a funding request to OpenSSF Alpha Omega for this particular part. OpenSSF initially was supportive to funding these kinds of security plans, but they have been silent for the last couple of months. If you have contacts to get this going forward again that would be great. > Having all the details spelled out would allow Sourceware to make progres= s on the > same issues raised, and I can even file infrastructure bugs if that helps= . Yes, please file bugzilla reports against the Sourceware Infrastructure project: https://sourceware.org/bugzilla/buglist.cgi?product=3Dsourceware&component= =3DInfrastructure Or bring it up on the overseers list or during the Sourceware open office hours. https://sourceware.org/mission.html#organization > My deepest concerns here is that Sourceware PLC cannot convince larger sp= onsors > to provide the funding to do what needs to be done to scale out and impro= ve our > services. Thanks for your concern. The whole idea of setting up Sourceware as an organization with Conservancy as a fiscal sponsor is precisely to make these kind of sponsorships easy. And to expand funding to be able to accept community donations and grants: https://sourceware.org/donate.html > I'm excited that the GNU Toolchain community is looking at different work= flows and > solutions, but if I'm honest the same question of funding and service/wor= kload > isolation applies. >=20 > I'm *more* excited to pay Codeberg directly to support the GNU Toolchain = to support > the development of Forgejo, particularly given that larger groups like Fe= dora are > considering Forgejo. Yes, we did already discuss this. But it is too early for that. Richard setup a wiki page for the Forge Experiment that includes a list of various bugs/issues in Forgejo that we would like to see resolved before we can call the experiment an success. https://gcc.gnu.org/wiki/ForgeExperiment When we are a bit further into the experiment to know which ones are real blockers, we could fund the work to get those done. Cheers, Mark