Sourceware / GNU Toolchain at Cauldron
Sun Sep 18 21:38:42 GMT 2022
On Sun, Sep 18, 2022 at 06:27:33PM +0200, Mark Wielaard via Overseers wrote:
> But the discussion at Cauldron seemed really chaotic, I
> have trouble trying to summarize it. I posted my original discussion
> notes and first impressions here:
> We agreed to continue the discussion on this mailinglist. Hopefully
> that will be a little more productive and structured.
I tried to write up some notes from the discussion at Cauldron on my
flight back to the Netherlands.
It is somewhat unfortunate that there were so many interruptions and
that apparently some people had missed some parts of the public
discussions we have had on this list and in the public chats with the
SFC. I thought we had over-communicated, but apparently we still
missed to include people in the conversation. I honestly believed we
had explicitly invited them earlier.
These are somewhat random since I was a bit too flabergasted about
what happened that I didn't make real notes. Please feel free to
correct any misinterpretations.
- Apparently our message of "everything is fine, we don't have any
funding needs at this time, we are just thinking about the future"
made some people think they couldn't sponsor at all. But I am happy
people are so eager to sponsor. I wonder how we can adjust our
messaging to be clear that financial contributions are of course
always welcome. It is certainly not a bad thing to have some backup
money in case of emergency.
- Somewhat similarly there seemed to be the concern that when we do
formulate some technical goals that we could use funding for that
the Conservancy would be unable to help with fundraising events. But
from our discussions with the SFC this is precisely one of the
services the Conservancy offers.
- As far as I understand there is no reason not to try to also raise
funds through the Linux Foundation if that is easier for some
companies. The Conservancy already does help projects that get some
funding through the Linux Foundation.
- There were several different kind of "security concerns" which would
be good to untangle:
- There is the concern of he security of the sourceware server
itself. We discussed that in one of the public chats with the SFC
and the recommendation was to see if we could maybe hire a
penetration testing firm to see if we missed anything.
- There is the "hardening" concern of separating unix user accounts
for separate services like running git hooks. This is one of the
things that the buildbot service offers. We could also adopt
something like gitolite.
- There is the secure software supply chain idea. This is one of the
things I wanted to discuss now that we have services like
public-inbox and tools like b4 for patch attestation. Sourceware
offers the services for that, but it really is a policy question
for the guest projects whether they use that (and for example
whether to use signed git commits).
- Although it is true that there is a GNU Toolchain with the FSF as
fiscal sponsor and that the separate GNU projects work together
using that name, it wasn't clear to me when in this discussion we
were talking about the gdb, binutils, glibc and gcc projects
collectively. From other discussions during Cauldron it was very
clear that although each project is hosted on sourceware and using
some of the same services, each one has its own policies which make
sense for their separate communities.
- I wasn't really sure what to make of this LF/GTI proposal. It seemed
to conflate separate concerns that we were explicitly trying to
avoid with our Sourceware as Conservancy member proposal. It seemed
to mix explicit fundraising with advocating for a certain "managed
services at the LF/IT" technical proposal for using those funds. And
setting up yet another fiscal sponsor?
More information about the Overseers