Hi Dirk, I have a bit more time in the coming months, as I'll be working half time, and I'm willing to help to the extent of my competence, of course.
Let me know where I can help. Thanks, Emmanuel

On 2022/03/29 09:31:58 Dirk-Willem van Gulik wrote:
> Dear All,
>
> We received the request below from the European Commission.
>
> Who would be willing to volunteer to address this? I think this splits into 3 chunks:
>
> - Help explain (just like the hearing in the US, etc.) what we do already; around releases, scrutiny, governance, CVEs, etc.
>
> - Help explain the limits of what a professional body of engineers as individuals collectively can do (versus industry or the public sector)
>
> - Collectively discuss where we can improve; or what can be done to improve things for the industry.
>
> And finally - I think we should also discuss here if it makes sense to do some specific effort on our attic/orphaned projects -- but I'll post that as a separate message.
>
> As a next step - it would be helpful to have people's thoughts on these questions - so we can then summarise them in a document/email.
>
> With kind regards,
>
> Dw.
>
>
> ARORA Saranjit Singh <[email protected]> wrote:
>
> Dear Sally and Dear DW
>
> I am currently working on a new open source programme called FOSSEPS, this time externally focussed towards European Public Services, or public administrations. Here we are (i) building an open source EU Business Applications catalogue, pulling together data from a number of national catalogues. This way people can reuse, rather than re-build the same application all over again! (ii) We are also asking European Public Services and selected others (this includes yourselves, the ASF) to help us identify software projects that are in a state of critical health… i.e. in ICU, and may not survive. So, they are also critical, in that we rely on their continued existence, to run our other systems. (iii) We want to encourage European public administrations to work together on open source matters, i.e. on GovFoss.
>
> Today, I am writing to you re #2 – Identifying Critical Software Projects. This is particularly relevant to you, given your recent experience of having to deal with the Log4shell incident. We read your position paper with great interest. We have sent out a survey and a help Guide to public administrations, but for open source experts we are holding 45 minute calls. We would be very interested in discussing your views on critical software, long-term FOSS maintenance/sustainability, and looking at security and other issues.
>
> Sally/Dirk, would you be kind enough to identify the right people and/or send us the right information? We are looking to (i) hold a session with ASF, and so request a date/time after 28th of March, and (ii) request your list of critical software that you would have identified? In due course, we are also looking at remedies to remove such criticality and see how we can nurse these projects back to health.
>
> ------- Sample questions for the session -----------------
>
> - Are there specific processes to identify projects with maintenance or security problems among Apache Software Foundation projects?
>
> - Do you have a specific policy regarding the sustainability of the *dependencies* of projects hosted by the Apache Foundation?
>
> - According to your experience, what are currently the main challenges or problems related to FOSS maintenance/sustainability?
>
> - What are the most promising initiatives for finding solutions to those problems or taking up those challenges today? (both from a security point of view and from a maintainers' financial/mental health sustainability point of view?)
>
> - Do you feel that there is a need for more commonly agreed metrics or publicly available sources of data to assess the health of open source projects?
>
> - As seen from the outside, it seems to us that the Executive Order on Improving the Nation's Cybersecurity had a key role in the progress currently being made: in your opinion was the political decision actually decisive or was it just one amongst many converging factors?
>
> - More generally, would you consider that governments/public bodies should take specific actions on this topic?
>
> ---------------- end ----------------------------------------------
>
>
> Regards
>
> Saranjit ARORA
> Senior Consultant/Project Manager (Working Mon-Thu)
> Member of the European Commission OSPO (Open Source Programme Office)
> Project Manager of FOSSEPS (Free and Open Source Software for European Public Services) Pilot Project
> Previously Project Manager of the EU-FOSSA 2 Project and the project dealing with Open Source Software Inventory, Security, Sustainability and Funding Initiatives for European Public Services within the 2020 ISA2 Sharing and Re-use action (2016.31)
>
> European Commission
> DG Informatics, Unit B.3 – Reusable Solutions, MO15 06/P010, B-1049 Brussels/Belgium (phone # / signal / telegram redacted)
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
