On 10/30/24 6:39 AM, Mark Wielaard wrote:
> Hi Carlos,
>
> On Tue, Oct 29, 2024 at 06:02:03PM -0400, Carlos O'Donell via Gcc wrote:
>> Recent discussions on the glibc mailing list make it clear
>> that we need to expand and discuss more about our "why" along with
>> the "what" and "how" of these changes.
>
> Zoe wrote a good summary of that discussion back in July:
> https://inbox.sourceware.org/f20ce996-e9c6-4b6c-856d-eec6e14af...@fsf.org/
> Has anything changed since then to address the issues raised by her
> and others?

Yes, that the CTI TAC needs to expand the discussion of the "why" to the broader list of the project, and that starts by writing up (something I'm in the process of doing) the detailed notes for glibc, particularly why we would want to meet any of the requirements (and which specific ones) for a secure software development framework.

I'm writing these notes up for the community to continue our discussion. Then once we have the full "why" written down, list the pros and the cons of an LF IT-based solution and alternatives, including Sourceware, and again "why" the TAC recommends one solution over the other.

I can get down to specific requirements and possible solutions for them, including things like securing logins with 2FA etc., which *could* be solved by Sourceware today, possibly using Nitrokeys (open hardware and FOSS), for example. Having all the details spelled out would allow Sourceware to make progress on the same issues raised, and I can even file infrastructure bugs if that helps.

> I don't believe the community is helped by trying to set up yet
> another, corporate controlled, organization or doing some highly
> disruptive move of some parts of the services our projects are using.

My position here is that the costs of running secure and robust infrastructure are quite high, and engaging directly with corporate sponsors like we have done before is the simplest way to pay for FOSS infrastructure. CTI is exactly the same model we have today, but with broader corporate involvement, instead of just IBM paying for the current services. This engagement happens in a place where the larger contributors are already engaged at the Linux Foundation.

Have you discussed with IBM and other larger sponsors to pay Sourceware PLC to fund expanding the current services? My deepest concern here is that Sourceware PLC cannot convince larger sponsors to provide the funding to do what needs to be done to scale out and improve our services.

> I noticed you attended the Infrastructure BoF at the Cauldron and seem
> to be experimenting with the new Forge we set up. I hope you will be
> happy to work with the existing community and the existing
> organizations that support the GNU toolchain and the Sourceware
> infrastructure, instead of trying to set up yet another organization
> that would split our efforts.

I'm excited that the GNU Toolchain community is looking at different workflows and solutions, but if I'm honest the same question of funding and service/workload isolation applies. I'm *more* excited to pay Codeberg directly to support the GNU Toolchain to support the development of Forgejo, particularly given that larger groups like Fedora are considering Forgejo.

Thanks for your feedback. We can continue the discussion once I post more to the overseers list.

-- 
Cheers,
Carlos.