Posted to security-discuss@community.apache.org by Mark J Cox <mj...@apache.org> on 2023/11/16 18:15:50 UTC

Re: RFI on OSS Security and Memory Safe Programming Languages

As an update we worked on the document and submitted it, see the final
comments here https://www.regulations.gov/comment/ONCD-2023-0002-0106

With huge thanks to Arnout, Ruth, Dirk-Willem and Henri for getting this
over the line!

Regards, Mark


On Wed, Sep 27, 2023 at 9:38 PM Arnout Engelen <en...@apache.org> wrote:

> Hi all,
>
> How would we respond to this request? Should anyone who wants to respond do
> so on personal title (mentioning their ASF affiliation), or do we want to
> try and make some kind of joint statement?
>
> I've started drafting some of my thoughts in a doc at
>
> https://docs.google.com/document/d/1NU1ytkOeg6a3GnZVPJc8dzKMEmdFhWzKd82CzXXeK9w/edit?usp=sharing
> , though it's still rather rough.
>
>
> Arnout
>
> On Tue, Aug 15, 2023 at 5:04 PM Mark J Cox <mj...@apache.org> wrote:
>
> > CISA contacted us to highlight an important request for comments on
> > memory-safe programming languages.  Instead of rewriting their email, I've
> > quoted it below (with permission)
> >
> > Regards, Mark
> >
> > :
> >
> > OSS Colleagues,
> >
> > CISA would like to take this opportunity to flag the recent request for
> > information (RFI) released by the White House Office of the National Cyber
> > Director (ONCD) (in coordination with the Cybersecurity and Infrastructure
> > Security Agency (CISA), the National Science Foundation (NSF), the Defense
> > Advanced Research Projects Agency (DARPA), and the Office of Management
> > and Budget (OMB)).
> >
> > CISA recognizes the importance of the OSS community, and we are flagging
> > this RFI to ensure it is widely seen and shared with leading organizations
> > within OSS. As part of the U.S. federal government, we are seeking input
> > from OSS organizations and other private entities to help shape the federal
> > government’s strategy and action plan to strengthen the OSS ecosystem.
> >
> > Please feel free to further share this RFI with others in the community.
> >
> > Note, comments must be received by *5pm EST on October 9, 2023*. Responses
> > can be submitted either:
> >
> >    1. Through regulations.gov directly using the “Comment” button on the
> >    top left of the site.
> >    2. Through email using MS Word or PDF to OS3IRFI@ncd.eop.gov. Please
> >    ensure the email subject header is “Open-Source Software Security RFI
> >    Response” and your organization's name.
> >
> > *Further submission guidelines and notes can be found in the RFI* (found
> > here: https://www.regulations.gov/document/ONCD-2023-0002-0001). Please
> > direct any questions related to this RFI to OS3IRFI@ncd.eop.gov (Nasreen
> > Djouini – telephone: 202-881-4697).
> >
> > The full White House and CISA announcements can also be found at the links
> > below:
> >
> >    - White House Announcement:
> >      https://www.whitehouse.gov/oncd/briefing-room/2023/08/10/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-open-source-software-security-and-memory-safe-programming-languages/
> >    - CISA Announcement:
> >      https://www.cisa.gov/news-events/news/we-want-your-input-help-secure-open-source-software
> >
> > Thank you all in advance for any feedback submitted and for your continued
> > collaboration with CISA!
> >
>

Re: RFI on OSS Security and Memory Safe Programming Languages

Posted by Andrea Cosentino <an...@gmail.com>.
Thanks for sharing.

I read it originally and it was really well done.

Thanks for all you do.

On Thu, 16 Nov 2023, 19:22 Jarek Potiuk <ja...@potiuk.com> wrote:

> Very nice - I read it before and it's a very good write-up.

Re: RFI on OSS Security and Memory Safe Programming Languages

Posted by Jarek Potiuk <ja...@potiuk.com>.
Very nice - I read it before and it's a very good write-up.

On Thu, Nov 16, 2023 at 7:16 PM Mark J Cox <mj...@apache.org> wrote:

> As an update we worked on the document and submitted it, see the final
> comments here https://www.regulations.gov/comment/ONCD-2023-0002-0106
>
> With huge thanks to Arnout, Ruth, Dirk-Willem and Henri for getting this
> over the line!
>
> Regards, Mark