Thanks, Sam. I think the bullets below are good for the meat, but based
on David's summary of the CISA conversation and various public posts, I
think there is some important background / educational material that we
need to communicate. The points that Mark makes about the lack of
"upgrade agility" across the supply chain are not obvious to people who
don't do this every day, which is pretty much 100% of the audience
here. If what we are collectively trying to solve is a supply chain
issue, we really need a better level set on how exactly the supply chain
works. We have a fairly nicely encapsulated piece of it at the ASF and
explaining how that piece works is good background and good context for
how "help" can be meaningfully applied in our communities. It also sets us
up to ensure that the consequences of any external actions, regs, etc.
on our part of the supply chain are understood.
So I would suggest that the meat below follows a brief backgrounder on
ASF structure, governance, release and security processes and policies,
emphasizing the points where we connect to different software supply
chains and how we accept and manage security issues. Probably a lot of
that can come from existing web pages, e.g. [0-3]. It is probably also a
good idea to ask Sally to help review any docs we provide that are not
just links to the web site.
The key thing to keep reminding ourselves is that a) the WH and other US
gov ppl want to act and b) their understanding of root causes and
practical solutions likely contains large gaps that can only be
addressed by getting a fuller understanding of how OSS is made,
distributed, consumed and maintained.
Phil
[0] https://www.apache.org/security/
[1] https://www.apache.org/foundation/how-it-works.html
[2] https://www.apache.org/theapacheway/index.html
[3] https://www.apache.org/dev/
On 12/31/21 12:06 PM, Sam Ruby wrote:
In addition to the in-person meeting next month, we are invited to
send read-ahead material and there will be a brief phone call. Given
that the call will only last 30 minutes, I presume that call will be
consumed by introductions, logistics, and perhaps questions about the
read-ahead material. That call will be on Wednesday, so I would like
to send any read-ahead material that we might have late morning EST on
Monday.
My thoughts are to lead with a summary/bulletized version of what has
been discussed recently on this list, followed by actual pointers to
the original emails. Here's a first draft... additions/corrections
welcome, both to the bullet points and new posts (preferably to this
list) that should be added.
Key bullet points
* This will require collective action
  o There are things we can do, both individually and together, to
    reduce the number of vulnerabilities.
  o There are things, such as SBOMs, that can help identify what is
    affected once a vulnerability is found.
  o Much of this is moot if patches are never applied.
* Volunteers/community/participation
  o Our contributors tend to be seasoned software professionals
    whose employers include ASF releases in their commercial products.
  o Our communities are healthy, open, and transparent.
  o Companies and government agencies that want to help don't need
    money or formal contracts to do so. Join our mailing lists,
    review our code, contribute fixes.
Background reading:
* EO - Mark Cox - https://s.apache.org/3nctr
* SBOM - David Nalley - https://s.apache.org/hccur
* Applying updates - Mark Thomas - https://s.apache.org/5jqab
* Collective action - Phil Steitz - https://s.apache.org/ljzn0
* Volunteers - Sam Ruby - https://s.apache.org/3vkpr
* Contributors/maintenance - Dominik Psenner - https://s.apache.org/3lrk1
* CISA - David Nalley - https://s.apache.org/1gr1c
* Get Involved - https://www.apache.org/foundation/getinvolved.html
- Sam Ruby