Hi, On Wed, Nov 27, 2024 at 05:35:00PM +0100, Mark Wielaard via Overseers wrote: > After lots of discussions at some of our Open Office hours, at the > Cauldron, with other Software Freedom organizations and some of our > hardware and services providers we now have a Sourceware Cyber Security > FAQ explaining topics like the "US Improving the Nation's Cybersecurity > Executive Order 14028", "EU Cyber Resilience Act (EU CRA)" and "Secure > Software Development Framework (NIST SP 800-218)". > > https://sourceware.org/cyber-security-faq.html > > We would like to extend this with some recommended practices for > projects to adopt. Although it is clear that these regulations are > mainly aimed at commercial entities, who bear the brunt of these > requirements. We believe this is an opportunity for projects to get > more (corporate) contributions since these guidelines and requirements > strongly suggest/mandate to make all their work public and contribute > (security issues) back upstream. So any policies documenting how to > clearly report issues and documenting the contributing and release > practices should be helpful.
Thanks to all the input during some of the Sourceware Open Office hours earlier this year, feedback given at Fosdem and discussions with the Software Freedom Conservancy we have update the Sourceware Cyber Security FAQ (really an explainer) with updates to the current state of the US Improving the Nation's Cybersecurity Executive Order and EU Cyber Resilience Act. We also added a section with Recommendations for Sourceware hosted projects. And a list of suggested secure development policies. https://sourceware.org/cyber-security-faq.html If you want help with implementing some of the suggested secure development policies, defining a secure software development framework for your project or just want to provide feedback on the Sourceware Cyber Security or Sourceware infrastructure security https://sourceware.org/sourceware-security-vision.html please join the Sourceware Open Office hour tomorrow. Sourceware Open Office hour Friday 11 April at 16:00 UTC #overseers on irc.libera.chat Check local time with: $ date -d "Fri 11 Apr 2025 16:00 UTC" Cheers, Mark Wielaard (for the Sourceware PLC) https://sourceware.org/mission.html#plc
