Moving sourceware to the Linux Foundation? No thanks.
Mon Sep 26 17:05:10 GMT 2022
On Mon, Sep 26, 2022 at 07:07:20AM -0700, Ian Lance Taylor wrote:
>I see two important points that ought to be discussed on this topic.
>The first is succession planning. Sourceware is essentially a community
>project with a relatively small number of people keeping it going. It
>needs trusted and capable people to step it to continue to maintain it.
>Where are those people going to come from? We shouldn't simply hope
>that it will keep carrying on as before.
The "GTI" debacle has shown fche, mjw, and me that there needs to be
some way to formalize the management of sourceware. I think that the
SFC proposal helps with that since we will need some sort of official
governing board when we move forward. Those people should be a hedge
against the hit-by-a-bus problem.
Personally, I feel more comfortable with a group of formalized
volunteers who will presumably listen to input than with a corporate
entity which dictates what (sometimes non-free) software *must* be used
to adhere to their corporate guidelines.
"You want a mailing list? Sure! That will be $157. We'll have it for
you in about six weeks and it *will* be groups.io."
>The second, mentioned in Mark's e-mail, is security. I hope that we can
>all agree that there are highly intelligent, highly motivated people
>seeking to break security on GNU/Linux and other free operating systems.
>Years ago Ken Thompson laid out the roadmap for attacking an operating
>system via the compiler and other code generation tools. These days
>these are known as supply chain attacks. I think that the free software
>community should reasonably insist that sourceware be defended against
>these kinds of attacks with mechanisms for prevention and detection and
>restoration. This is a hard job.
It's a hard job but I think it is only partly sourceware's job. We can
provide the tools and guidance, but it has got to be up to the projects
(gcc, glibc, cygwin) to implement the protocols which enhance security.
One thing we've talked about is hiring someone to do a security audit
once sourceware has some funding.
More information about the Overseers