Friday news: finally the most secure way of writing code arrived: https://github.com/kelseyhightower/nocode
On Thu, 7 Apr 2022, 16:48, Dirk-Willem van Gulik <[email protected]> wrote:

> Agreed. So I think that covers their first point and to some extent the second point.
>
> Then there is the point of general improvements of the industry. I've seen many points floating around - but has this been collected as a wishlist/roadmap somewhere?
>
> And as to the final point (attic and post-ASF life cycle mngt) - I'll try to start that in a separate email.
>
> Dw
>
> > On 29 Mar 2022, at 17:16, Mark J Cox <[email protected]> wrote:
> >
> > Thanks Dirk;
> >
> > A good way forward would be to have us enhance and update and generalise what we prepared in the wiki[1] for the WH as this will be useful not just for the specific questions from the EU, but for other similar enquiries. Perhaps starting with a couple of new pages there. While any official ASF communication back to enquiring entities should come from the Security Committee, as we did with the WH meeting we'd refer to the public docs.
> >
> > [1] https://cwiki.apache.org/confluence/display/COMDEV/White+House+Software+Security+Meeting%2C+January+13%2C+2022
> >
> > Regards, Mark
> >
> > On Tue, Mar 29, 2022 at 10:32 AM Dirk-Willem van Gulik <[email protected]> wrote:
> >
> >> Dear All,
> >>
> >> We received the request below from the European Commission.
> >>
> >> Who would be willing to volunteer to address this? I think this splits into 3 chunks:
> >>
> >> - Help explain (just like the hearing in the US, etc) what we do already; around releases, scrutiny, governance, CVE's, etc.
> >>
> >> - Help explain the limits of what a professional body of engineers as individuals collectively can do (versus industry or the public sector)
> >>
> >> - Collectively discuss where we can improve; or what can be done to improve things for the industry.
> >>
> >> And finally - I think we should also discuss here if it makes sense to do some specific effort on our attic/orphaned projects -- but I'll post that as a separate message.
> >>
> >> As a next step - it would be helpful to have people's thoughts on these questions - so we can then summarise them in a document/email.
> >>
> >> With kind regards,
> >>
> >> Dw.
> >>
> >> ARORA Saranjit Singh <[email protected]> wrote:
> >>
> >> Dear Sally and Dear DW
> >>
> >> I am currently working on a new open source programme called FOSSEPS, this time externally focussed towards European Public Services, or public administrations. Here we are (i) building an open source EU Business Applications catalogue, pulling together data from a number of national catalogues. This way people can reuse, rather than re-build the same application all over again! (ii) We are also asking European Public Services and selected others (this includes yourselves, the ASF) to help us identify software projects that are in a state of critical health… i.e. in ICU, and may not survive. So, they are also critical, in that we rely on their continued existence, to run our other systems. (iii) we want to encourage European public administrations to work together on open source matters, i.e. on GovFoss.
> >>
> >> Today, I am writing to you re #2 – Identifying Critical Software Projects. This is particularly relevant to you, given your recent experience of having to deal with the Log4shell incident. We read your position paper with great interest. We have sent out a survey and a help Guide to public administrations, but for open source experts we are holding 45 minute calls. We would be very interested in discussing your views on critical software, long-term FOSS maintenance/sustainability, and looking at security and other issues.
> >>
> >> Sally/Dirk, would you be kind enough to identify the right people and/or send us the right information? We are looking to (i) hold a session with ASF, and so request a date/time after 28th of March, and (ii) request your list of critical software that you would have identified? In due course, we are also looking at remedies to remove such criticality and see how we can nurse these projects back to health.
> >>
> >> ------- Sample questions for the session -----------------
> >>
> >> - Are there specific processes to identify projects with maintenance or security problems among Apache Software Foundation projects?
> >>
> >> - Do you have a specific policy regarding the sustainability of the *dependencies* of projects hosted by the Apache Foundation?
> >>
> >> - According to your experience, what are currently the main challenges or problems related to FOSS maintenance/sustainability?
> >>
> >> - What are the most promising initiatives for finding solutions to those problems or taking up those challenges today? (both from a security point of view and from a maintainers' financial/mental health sustainability point of view?)
> >>
> >> - Do you feel that there is a need for more commonly agreed metrics or publicly available sources of data to assess the health of open Source projects?
> >>
> >> - As seen from the outside, it seems to us that the Executive Order on Improving the Nation’s Cybersecurity had a key role in the progress currently being made: in your opinion was the political decision actually decisive or was it just one amongst many converging factors?
> >>
> >> - More generally, would you consider that governments/public bodies should take specific actions on this topic?
> >>
> >> ---------------- end ----------------------------------------------
> >>
> >> Regards
> >>
> >> Saranjit ARORA
> >> Senior Consultant/Project Manager (Working Mon-Thu)
> >> Member of the European Commission OSPO (Open Source Programme Office)
> >> Project Manager of FOSSEPS (Free and Open Source Software for European Public Services) Pilot Project
> >> Previously Project Manager of the EU-FOSSA 2 Project and the project dealing with Open Source Software Inventory, Security, Sustainability and Funding Initiatives for European Public Services within the 2020 ISA2 Sharing and Re-use action (2016.31)
> >>
> >> European Commission
> >> DG Informatics, Unit B.3 – Reusable Solutions, MO15 06/P010, B-1049 Brussels/Belgium (phone # / signal / telegram redacted)
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
