Phil, I'm pleased to see that the links you curated are almost exactly the ones I picked: https://s.apache.org/3vkpr. And I'll add a link that we both missed: https://apache.org/

I'm not of the opinion that we should be creating new content for background material, nor do we have adequate time to do so. But I do take to heart the suggestion that these links should not be buried, but rather put front and center. What do you think about adding the following

---

The best place to get started to know what the ASF is is here: https://apache.org/. That page is full of statistics, videos, and links. The following links in particular are important background to this discussion:

* https://www.apache.org/foundation/how-it-works.html
* https://www.apache.org/dev/
* https://www.apache.org/dev/pmc.html
* https://apache.org/security/
* https://apache.org/theapacheway/index.html

---

What still is missing is the concept of a "supply chain". Perhaps something along the lines of the following, which applies to log4j but also applies to much of what the ASF produces:

* Software developed at the ASF is made available at no cost and without warranty
* Commercial products may include this software without entering into any form of contract with the ASF, or even notifying us
* End users may purchase these products but have little interest or ability to apply fixes

- Sam Ruby

On Fri, Dec 31, 2021 at 3:10 PM Phil Steitz <[email protected]> wrote:
>
> Thanks, Sam. I think the bullets below are good for the meat, but based
> on David's summary of the CISA conversation and various public posts, I
> think there is some important background / educational material that we
> need to communicate. The points that Mark makes about the lack of
> "upgrade agility" across the supply chain are not obvious to people who
> don't do this every day, which is pretty much 100% of the audience
> here. If what we are collectively trying to solve is a supply chain
> issue, we really need a better level set on how exactly the supply chain
> works.
>
> We have a fairly nicely encapsulated piece of it at the ASF and
> explaining how that piece works is good background and good context for
> how "help" can be meaningfully applied in our communities. It also sets us
> up to ensure that the consequences of any external actions, regs, etc.
> on our part of the supply chain are understood.
>
> So I would suggest that the meat below follows a brief backgrounder on
> ASF structure, governance, release and security processes and policies,
> emphasizing the points where we connect to different software supply
> chains and how we accept and manage security issues. Probably a lot of
> that can come from existing web pages, e.g. [0-3]. It is probably also a
> good idea to ask Sally to help review any docs we provide that are not
> just links to the web site.
>
> The key thing to keep reminding ourselves is that a) the WH and other US
> gov ppl want to act and b) their understanding of root causes and
> practical solutions likely contains large gaps that can only be
> addressed by getting a fuller understanding of how OSS is made,
> distributed, consumed and maintained.
>
> Phil
>
> [0] https://www.apache.org/security/
> [1] https://www.apache.org/foundation/how-it-works.html
> [2] https://www.apache.org/theapacheway/index.html
> [3] https://www.apache.org/dev/
>
> On 12/31/21 12:06 PM, Sam Ruby wrote:
> > In addition to the in-person meeting next month, we are invited to
> > send read-ahead material and there will be a brief phone call. Given
> > that the call will only last 30 minutes, I presume that call will be
> > consumed by introductions, logistics, and perhaps questions about the
> > read-ahead material. That call will be on Wednesday, so I would like
> > to send any read-ahead material that we might have late morning EST on
> > Monday.
> >
> > My thoughts are to lead with a summary/bulletized version of what has
> > been discussed recently on this list, followed by actual pointers to
> > the original emails. Here's a first draft... additions/corrections
> > welcome, both to the bullet points and new posts (preferably to this
> > list) that should be added.
> >
> > Key bullet points
> >
> > * This will require collective action
> >   o There are things we can do, both individually and together, to
> >     reduce the number of vulnerabilities.
> >   o There are things, such as SBOMs, that can help identify what is
> >     affected once a vulnerability is found.
> >   o Much of this is moot if patches are never applied.
> > * Volunteers/community/participation
> >   o Our contributors tend to be seasoned software professionals
> >     whose employers include ASF releases in their commercial products.
> >   o Our communities are healthy, open, and transparent.
> >   o Companies and government agencies that want to help don't need
> >     money or formal contracts to do so. Join our mailing lists,
> >     review our code, contribute fixes.
> >
> > Background reading:
> >
> > * EO - Mark Cox - https://s.apache.org/3nctr
> > * SBOM - David Nalley - https://s.apache.org/hccur
> > * Applying updates - Mark Thomas - https://s.apache.org/5jqab
> > * Collective action - Phil Steitz - https://s.apache.org/ljzn0
> > * Volunteers - Sam Ruby - https://s.apache.org/3vkpr
> > * Contributors/maintenance - Dominik Psenner -
> >   https://s.apache.org/3lrk1
> > * CISA - David Nalley - https://s.apache.org/1gr1c
> > * Get Involved - https://www.apache.org/foundation/getinvolved.html
> >
> > - Sam Ruby
