On 2024-10-30 11:45, Mark Wielaard wrote:
> Hi Carlos,
>
> On Wed, 2024-10-30 at 08:32 -0400, Carlos O'Donell wrote:
>> I can get down to specific requirements and possible solutions for them, including things like securing logins with 2FA etc. Which *could* be solved by Sourceware today possibly using Nitrokeys (open hardware and FOSS), for example.
>
> Yes, a nitrokey distribution scheme is part of the Secure Sourceware Project Goals: https://sourceware.org/sourceware-security-vision.html
>
> We discussed this with OpenSSF and submitted a funding request to OpenSSF Alpha Omega for this particular part. OpenSSF initially was supportive of funding these kinds of security plans, but they have been silent for the last couple of months. If you have contacts to get this going forward again, that would be great.
>
>> Having all the details spelled out would allow Sourceware to make progress on the same issues raised, and I can even file infrastructure bugs if that helps.
>
> Yes, please file bugzilla reports against the Sourceware Infrastructure project:
> https://sourceware.org/bugzilla/buglist.cgi?product=sourceware&component=Infrastructure
>
> Or bring it up on the overseers list or during the Sourceware open office hours. https://sourceware.org/mission.html#organization
>
>> My deepest concern here is that Sourceware PLC cannot convince larger sponsors to provide the funding to do what needs to be done to scale out and improve our services.
>
> Thanks for your concern. The whole idea of setting up Sourceware as an organization with Conservancy as a fiscal sponsor is precisely to make these kinds of sponsorships easy. And to expand funding to be able to accept community donations and grants:
> https://sourceware.org/donate.html

Yes, SFC is already set up to receive donations from most of the large companies that are consistent funders in this space (we're registered in their vendor systems). Similarly, we regularly have fundraising meetings with them across our member projects. If you have a particular lead or suggestion for Sourceware, please let me/us know and we'll follow up!

karen

>> I'm excited that the GNU Toolchain community is looking at different workflows and solutions, but if I'm honest the same question of funding and service/workload isolation applies.
>>
>> I'm *more* excited to pay Codeberg directly to support the GNU Toolchain to support the development of Forgejo, particularly given that larger groups like Fedora are considering Forgejo.
>
> Yes, we did already discuss this. But it is too early for that. Richard set up a wiki page for the Forge Experiment that includes a list of various bugs/issues in Forgejo that we would like to see resolved before we can call the experiment a success.
> https://gcc.gnu.org/wiki/ForgeExperiment
>
> When we are a bit further into the experiment to know which ones are real blockers, we could fund the work to get those done.
>
> Cheers,
>
> Mark