Toolchain Infrastructure project statement of support

Siddhesh Poyarekar
Sun Oct 23 16:17:36 GMT 2022

On 2022-10-23 07:33, Ian Kelling wrote:
> Siddhesh Poyarekar via Overseers <> writes:
>> I personally do not think the current sourceware infrastructure, even
>> with the roadmap it promises is a viable alternative to what LF IT can
>> provide.  There is a significant resource gap (e.g.
> ....
>> established security and administration practices,
> ...
>> that we seem to disagree about.
> Let's consider some "established security and administration practices"
> curl -v | head
> ...
> < Server: Apache/2.0.52 (Red Hat)
> < X-Powered-By: PHP/4.3.9
> This is RHEL 3, released in 2003, according to
> The final end of support for this distro was on 2014-01-30.
> There are CVE's for that version of Apache. I assume their apache is not
> running in a configuration that makes them actually exploitable, but it
> is still better security practice upgrade.
> The kernel is likely from RHEL 3 too. I'm reminded of Greg KH beating the
> drum that old kernels need upgrades for security, especially because the
> kernel devs don't always check if a bug is a security issue and
> especially not for really old kernels (
> )
> Notice that link is http because https is not supported by the apache
> from 2003. Linux kernel development works through patches on mailing
> lists, and how do you find the patches if you aren't already subscribed
> to a list? You'd naturally go to the lists main webpage,
>, and click "LIST INFO",
>, and then click one of the list
> archive links, or maybe the subscribe link. So, those
> pages are an essential part of retrieving upstream kernel patches and
> security information for some people. And being http only, my isp or
> anyone in my network path could alter them to be malicious urls that
> that appear to give the correct result, but actually give malicious
> kernel patches, or hides away a security relevant patch. Obviously,
> https for security sensitive pages like these is a basic 101 security
> practice in 2022.

+Konstantin from LF IT since he's better equipped to speak to this, 
although ISTM that they started migrating off vger last year[1].




More information about the Gdb mailing list