Hi Jeffrey,

On Wed, Nov 27, 2024 at 12:27:14PM -0500, Jeffrey Walton wrote:
> On Wed, Nov 27, 2024 at 11:35 AM Mark Wielaard <m...@klomp.org> wrote:
> > After lots of discussions at some of our Open Office hours, at the
> > Cauldron, with other Software Freedom organizations and some of our
> > hardware and services providers we now have a Sourceware Cyber Security
> > FAQ explaining topics like the "US Improving the Nation's Cybersecurity
> > Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure
> > Software Development Framework (NIST SP 800-218)".
> >
> > https://sourceware.org/cyber-security-faq.html
> 
>    s/so they share security threads/so they share security threats/g

Thanks, fixed.

Other feedback we got (channel #overseers on irc.libera.chat) was:
"I don't see any questions on that page :)"

Which is correct. Sorry. It was originally phrased as concrete
questions: What is ...? Could you explain ...? But then the ... just
became the headings, or just the start of a paragraph explaining ...

The reason for this is that we realized all these "regulations" are
really "meta" proposals. The documents discussed describe
recommendations and directives which might ultimately become
implemented in regulations and requirements (if they even are, many of
the items do look like they may just permanently remain
recommendations and suggestions).

So it really should have been called an "explainer" instead of "faq".

But if you have any concrete questions after reading the "explainer",
please ask them and we'll try to add them and provide a concrete
answer.

> > We would like to extend this with some recommended practices for
> > projects to adopt. Although it is clear that these regulations are
> > mainly aimed at commercial entities, who bear the brunt of these
> > requirements, we believe this is an opportunity for projects to get
> > more (corporate) contributions since these guidelines and requirements
> > strongly suggest/mandate making all their work public and contributing
> > (security issues) back upstream. So any policies documenting how to
> > clearly report issues and documenting the contributing and release
> > practices should be helpful.
> >
> > Please let us know if you have any questions or suggestions.

Cheers,

Mark