.. index::
   single: FAQ

FAQ
===

You have questions, we have answers!

Can we keep deploying services as we have?
""""""""""""""""""""""""""""""""""""""""""
The GNU Toolchain is a critical foundation of trust for the
GNU/Linux ecosystem and the demands on its infrastructure, services, and
security requirements have grown over time. The trend of increasing complexity
to support its development and associated financial demands will not abate.
Different projects have different risk tolerances and the GNU Toolchain must
meet more stringent expectations to maintain the trust of the ecosystem. It is
with this context in mind that CTI has been formed.

The global focus on security is clear and present and in direct relation to
the effective functioning of economies and societies. The GNU Toolchain plays
a hugely important role in companies and communities of all sizes, providing
tooling for compilation, assembly, linkage, running and debugging of
critical software.

In order to continue to support these communities we must start to adhere to
modern cybersecurity principles, including moving towards zero-trust
architectures with strong application sandboxing for all provided services
(e.g. NIST SP 800-207), separating and protecting each environment involved
in software development (e.g. NIST SP 800-218A PO.5.1), and using multi-factor,
risk-based authentication and conditional access for each environment.

Governments around the world have increased their focus on cybersecurity and
resilience in the face of cybersecurity attacks. In the European Union this has
taken the form of the Network and Information Security Directive (NIS 2016/1148,
NIS2 2022/2555), the Cybersecurity Act (2019/881), and now the Cyber Resilience
Act (2022/0272). In the United States it has taken the form of Executive
Order 14028 "Improving the Nation's Cybersecurity", together with NIST's
Secure Software Development Framework (SSDF SP 800-218A), Cybersecurity
Framework 2.0 (CSF 2.0), and Software Supply Chain Security Guidance.

Several of the components of the GNU Toolchain meet the definition of NIST's
"critical software" since they underpin ICAM (Identity, Credentials and
Access Management), network control (DNS stub resolver), and key operating
system components. We want to expand and continue to support FOSS in all
of these use cases, so we should strive to meet the increasing cybersecurity
best practices.

The purpose of CTI is to help meet these requirements now and into the future
to ensure FOSS and the GNU Toolchain can be used by these users and communities.

What concrete steps will CTI help with?
"""""""""""""""""""""""""""""""""""""""
Some of the major goals include:

* Isolate all services in VMs or containers to increase service security and
  reduce resource interference between services.

* Allow volunteers to focus efforts outside of core infrastructure maintenance.

* Prepare for additional software supply chain requirements from

Why are you currently using Linux Foundation IT as the service provider?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The CTI TAC recommendation is to use Linux Foundation IT services for
core infrastructure. The LF IT team already supports many of the same services
for the Linux kernel and at scale. The migration would involve moving services
from Sourceware.org to LF IT servers.  We continue to be thankful and
appreciative of the time spent by Sourceware.org volunteers in support of the
current services.

What is the urgency vs what is the timeline?
""""""""""""""""""""""""""""""""""""""""""""
The GNU Toolchain community should be making consistent forward progress
to improve our infrastructure and cybersecurity position.  Showing progress is
important for the ecosystem to trust us as a secure and critical part of the
software supply chain. We should not wait until there are cybersecurity
regulations that, as a FOSS ecosystem of tooling and infrastructure, we are
unable to comply with. Projects of similar scope and importance have been
deploying significant resources for the use of the development community.

Sourceware volunteers have fielded requests and organized volunteer efforts that have worked well. Does LF allow volunteers to administer the servers together with them? Have they in the past?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The CTI TAC is the point of contact for volunteers.  CTI can fund multiple
activities, by multiple entities, and the way in which the volunteers engage
may differ between them.

How does this project relate to the GNU Project or the Free Software Foundation (FSF)?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Many of the GNU Toolchain components are a part of the GNU Project, and
contribute to the development of the GNU system.  The FSF supports the GNU
Project, and in turn supports the GNU Toolchain. The GNU Toolchain community
works with the FSF via a `working together fund
<https://www.fsf.org/working-together/fund>`_ to support the development of the
GNU Toolchain directly.  The Core Toolchain Infrastructure project is distinct
from the GNU Project and the FSF.

How does this project relate to the `GCC Compile Farm Project <https://gcc.gnu.org/wiki/CompileFarm>`_?
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The GCC Compile Farm is a unique resource for the GNU Toolchain and
provides interactive systems for developers to manually test on a wide variety
of hardware and software configurations. This is not the same set of
requirements that the community has for securing a supply chain or for
using modern CI/CD workflows.

How will the composition of the Core Toolchain infrastructure project reflect the communities it supports?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Members of the GNU Toolchain community will always be invited to become members
of the technical advisory council for the project.

What is the composition of the project steering committee?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The project steering committee will be composed of sponsoring members of
the Linux Foundation and members of the GNU Toolchain community.

What does the project TAC do?
"""""""""""""""""""""""""""""
The TAC takes input from the GNU Toolchain community and works with the
members to implement and resolve prioritized requirements.

Is the GNU Toolchain development model going to change?
"""""""""""""""""""""""""""""""""""""""""""""""""""""""
No. The aim of the project is to provide additional infrastructure to
support the GNU Toolchain community. All development changes will always be
driven by the community.

Is `Sourceware <https://sourceware.org/>`_ going to be deprecated?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The Core Toolchain Infrastructure project is distinct from Sourceware.
The intent is to move critical infrastructure from Sourceware to the Core
Toolchain Infrastructure project to provide paid services.

Who can use the new infrastructure?
"""""""""""""""""""""""""""""""""""
That depends on the requirements given by the GNU Toolchain community.
The requirements from the community are input to the steering committee, and so
the answer depends largely on the intended purpose of each service.

What can the new infrastructure be used for?
""""""""""""""""""""""""""""""""""""""""""""
That depends on the requirements given by the GNU Toolchain community.
The requirements from the community are input to the steering committee, and so
the answer depends largely on the intended purpose of each service.

How are services validated prior to migration?
""""""""""""""""""""""""""""""""""""""""""""""
Services are validated on a per-service basis, with per-service functionality
being tested. Given the focus on strong service isolation and resilience, the
inter-service integration pieces can and should be added in stages (e.g.
email to bugzilla, git send-email to mailing lists) as the services that need
to communicate are brought online.

The intent is not to stand up a monolithic integrated set of services, but to
start small and create well-isolated services that can operate independently
with loose coupling.

Are all services migrated at the same time?
"""""""""""""""""""""""""""""""""""""""""""
There are no plans to construct a prototype of the entire constellation of
enumerated services for a project that is to be migrated to CTI services.

Instead the approach taken is to stand up well-isolated services that can
operate independently of each other and with high resilience, and then add
the inter-service integration functionality.

Since many of the services being provided are known to already be deployed
in production for other projects there is a lot of existing experience
to support deployment. What needs to be done is to ensure stronger isolation
between services as part of improving the project's cybersecurity position.

Are there any presentations covering CTI?
"""""""""""""""""""""""""""""""""""""""""
Yes, in October 2022 the CTI TAC gave an `FSF-hosted community Q&A <https://media.libreplanet.org/u/libreplanet/m/the-gti-project-a-conversation-and-community-q-a/>`_.

-----------------

* :ref:`genindex`

* :ref:`search`