Hi Carlos, On Wed, 2024-10-30 at 08:32 -0400, Carlos O'Donell wrote: > I can get down to specific requirements and possible solutions for them, > including > things like securing logins with 2FA etc. Which *could* be solved by > Sourceware > today possibly using Nitrokeys (open hardware and FOSS), for example.
Yes, a nitrokey distribution scheme is part of the Secure Sourceware Project Goals: https://sourceware.org/sourceware-security-vision.html We discussed this with OpenSSF and submitted a funding request to OpenSSF Alpha Omega for this particular part. OpenSSF initially was supportive to funding these kinds of security plans, but they have been silent for the last couple of months. If you have contacts to get this going forward again that would be great. > Having all the details spelled out would allow Sourceware to make progress on > the > same issues raised, and I can even file infrastructure bugs if that helps. Yes, please file bugzilla reports against the Sourceware Infrastructure project: https://sourceware.org/bugzilla/buglist.cgi?product=sourceware&component=Infrastructure Or bring it up on the overseers list or during the Sourceware open office hours. https://sourceware.org/mission.html#organization > My deepest concerns here is that Sourceware PLC cannot convince larger > sponsors > to provide the funding to do what needs to be done to scale out and improve > our > services. Thanks for your concern. The whole idea of setting up Sourceware as an organization with Conservancy as a fiscal sponsor is precisely to make these kind of sponsorships easy. And to expand funding to be able to accept community donations and grants: https://sourceware.org/donate.html > I'm excited that the GNU Toolchain community is looking at different > workflows and > solutions, but if I'm honest the same question of funding and service/workload > isolation applies. > > I'm *more* excited to pay Codeberg directly to support the GNU Toolchain to > support > the development of Forgejo, particularly given that larger groups like Fedora > are > considering Forgejo. Yes, we did already discuss this. But it is too early for that. Richard setup a wiki page for the Forge Experiment that includes a list of various bugs/issues in Forgejo that we would like to see resolved before we can call the experiment an success. https://gcc.gnu.org/wiki/ForgeExperiment When we are a bit further into the experiment to know which ones are real blockers, we could fund the work to get those done. Cheers, Mark
