Re: why does FreeBSD only offer trustworthiness and transparency to people who donate money?

From: Matthew Seaman <matthew_at_FreeBSD.org>
Date: Fri, 19 Apr 2024 09:20:42 UTC
On 19/04/2024 07:30, Odhiambo Washington wrote:
> On Fri, Apr 19, 2024 at 12:30 AM Lexi Winter <lexi@le-fay.org> wrote:
> 
>> so today i came across this press release:
>>
>>
>> https://freebsdfoundation.org/blog/freebsd-foundation-delivers-v1-of-freebsd-ssdf-attestation-to-support-cybersecurity-compliance/
>>
>> "FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support
>> Cybersecurity Compliance"
>>
>> this is about some new thing called "SSDF Attestation" which is now
>> available to people who give money to the FreeBSD Foundation.
>>
>> reading the PR, i learned:
>>
>>> The SSDF Attestation continues the FreeBSD community’s longstanding
>>> commitment to security by providing transparency and trustworthiness
>>> in its software development environment. This move aligns with the US
>>> federal government’s recent initiative to bolster software security.
>>
>> i would like to know exactly what "transparency" and "trustworthiness"
>> is being provided to Foundation donors which is not provided to the rest
>> of us.
>>
>> can anyone summarise exactly what this "SSDF" includes that is being
>> withheld from normal users like me?
>>
>> cc: core@ since i assume core was somehow involved in this.
>>
> 
> There is only one codebase for FreeBSD, IIRC.
> There aren't special users and normal users.
> 
> 

This is all about having a piece of paper to certify to large (often 
government) organizations that FreeBSD provides a certain standard of 
security.  Which means that FreeBSD or FreeBSD-based products can check 
off at least one more tickbox in the sort of scrutiny process a big 
organization will go through before deciding that they can use a 
particular product.

For individuals and small enterprises this sort of bureaucratic approach 
is pretty much irrelevant: I'm happy with the levels of security 
provided by FreeBSD because I know the people involved and what sort of 
coding standards, vulnerability management and incident response are in 
use.  That informal reputational trust wouldn't be suitable for a big 
enterprise, so this is a more formal mechanism to provide the same sort 
of assurance on a larger scale.

Look at it this way: it's a way for large companies or other 
organizations to pay for something that the rest of us basically get for 
free...

	Cheers,

	Matthew