Date: Thu, 18 Apr 2024 22:30:33 +0100
From: Lexi Winter
To: questions@freebsd.org
Cc: core@freebsd.org
Subject: why does FreeBSD only offer trustworthiness and transparency to people who donate money?
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

so today i came across this press release:

https://freebsdfoundation.org/blog/freebsd-foundation-delivers-v1-of-freebsd-ssdf-attestation-to-support-cybersecurity-compliance/

"FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support
Cybersecurity Compliance"

this is about some new thing called "SSDF Attestation" which is now
available to people who give money to the FreeBSD Foundation.

reading the PR, i learned:

> The SSDF Attestation continues the FreeBSD community’s longstanding
> commitment to security by providing transparency and trustworthiness
> in its software development environment. This move aligns with the US
> federal government’s recent initiative to bolster software security.

i would like to know exactly what "transparency" and "trustworthiness" is
being provided to Foundation donors which is not provided to the rest of
us.

can anyone summarise exactly what this "SSDF" includes that is being
withheld from normal users like me?

cc: core@ since i assume core was somehow involved in this.