Message-ID: <0b3d0e98-318f-4807-b4d1-6597af6afd6d@FreeBSD.org>
Date: Fri, 19 Apr 2024 13:55:46 -0700
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Subject: Re: why does FreeBSD only offer trustworthiness and transparency to people who donate money?
To: Lexi Winter, questions@freebsd.org
Cc: core@freebsd.org
From: John Baldwin

On 4/18/24 2:30 PM, Lexi Winter wrote:
> so today i came across this press release:
>
> https://freebsdfoundation.org/blog/freebsd-foundation-delivers-v1-of-freebsd-ssdf-attestation-to-support-cybersecurity-compliance/
>
> "FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support
> Cybersecurity Compliance"
>
> this is about some new thing called "SSDF Attestation" which is now
> available to people who give money to the FreeBSD Foundation.
>
> reading the PR, i learned:
>
>> The SSDF Attestation continues the FreeBSD community's longstanding
>> commitment to security by providing transparency and trustworthiness
>> in its software development environment. This move aligns with the US
>> federal government's recent initiative to bolster software security.
>
> i would like to know exactly what "transparency" and "trustworthiness"
> is being provided to Foundation donors which is not provided to the rest
> of us.
>
> can anyone summarise exactly what this "SSDF" includes that is being
> withheld from normal users like me?
>
> cc: core@ since i assume core was somehow involved in this.

core@ was not intimately involved with this (because core@ doesn't have money or spend money), but did ok the FF pursuing this attestation.

A quick search on your search engine of choice shows that SSDF attestation is a compliance certification via the CISA agency in the US. If you are a supplier to the US government, you likely need to certify your products before agencies in the US government can purchase them. Normally you would do all that yourself, so if you are selling some product to the US government, you as the supplier have to fork out the money to pay for a certification for your product and its various components.
My understanding of this is that the FF has paid actual money (something core@ does not have) to deal with the paperwork of certifying FreeBSD and is willing to share that with donors. So if you donate to the FF you can re-use their certification for the FreeBSD part of your product (you would still need to certify other parts of your product) instead of paying to certify FreeBSD yourself. Presumably the idea is that sharing the cost of the certification is cheaper than each of the donors who need it doing it independently.

Note though, this isn't about some secret cabal doing different code changes that are only available to donors; this is purely about paperwork that you may need to sell a FreeBSD-based product to the US government. If you aren't selling products to the US government, you aren't affected and probably don't care.

Also note that the Project doesn't control whether or not people choose to get certifications for FreeBSD (and usually such certifications are for a specific version, so each new version requires a new certification). To date we have not tried to place any constraints on who might want to certify FreeBSD as part of a product, whether that be the FF or a vendor shipping a FreeBSD-based appliance. If you want to spend your own money to certify FreeBSD, have at it.

-- 
John Baldwin