Posted to security-discuss@community.apache.org by David Nalley <da...@gnsa.us> on 2022/01/01 00:36:55 UTC

Re: read-ahead material

On Fri, Dec 31, 2021 at 3:10 PM Phil Steitz <ph...@steitz.com> wrote:

> Thanks, Sam.  I think the bullets below are good for the meat, but based
> on David's summary of the CISA conversation and various public posts, I
> think there is some important background / educational material that we
> need to communicate.
This is consistent with my experience with senior government officials.
They tend to be smart, intelligent people, but have no depth of knowledge
of open source, and certainly none of the context around open source or the
Apache Software Foundation that we can have.

This means that they read words like "volunteer" and likely associate that
with "amateur" or even "non-professional" folks who are pursuing something
as a hobby. (See Sam's post to this list for more).

I don't think the pre-brief meeting with DNSA is expected to solve
problems. I'd use it to provide context on the ASF, how we work, and let
them ask questions. As Phil calls out below, there are going to be large
gaps of understanding; this isn't really a conversation with infosec
professionals at this level. These are policy folks with responsibilities
that include tech spaces.

If we're going to send over pre-brief information, it should be on things
like how the ASF operates, the breadth of our projects, and how project
governance works, how security works at the ASF, etc. I wouldn't expect
DNSA to be able to name another Apache project, aside from log4j. This
means there's likely not an understanding of how broad our portfolio is, or
how important we are to the ecosystem. Again, not casting aspersions, just
a reflection of the reality that open source is a small subset of her
responsibility.
> The points that Mark makes about the lack of
> "upgrade agility" across the supply chain are not obvious to people who
> don't do this every day, which is pretty much 100% of the audience
> here.  If what we are collectively trying to solve is a supply chain
> issue, we really need a better level set on how exactly the supply chain
> works.  We have a fairly nicely encapsulated piece of it at the ASF and
> explaining how that piece works is good background and good context for
> how "help" can be meaningfully applied in our communities.  It also sets us
> up to ensure that the consequences of any external actions, regs, etc.
> on our part of the supply chain are understood.
>

I think this is huge, and we should


>
> So I would suggest that the meat below follows a brief backgrounder on
> ASF structure, governance, release and security processes and policies,
> emphasizing the points where we connect to different software supply
> chains and how we accept and manage security issues.  Probably a lot of
> that can come from existing web pages, e.g [0-3].  It is probably also a
> good idea to ask Sally to help review any docs we provide that are not
> just links to the web site.
>
> The key thing to keep reminding ourselves is that a) the WH and other US
> gov ppl want to act and b) their understanding of root causes and
> practical solutions likely contains large gaps that can only be
> addressed by getting a fuller understanding of how OSS is made,
> distributed, consumed and maintained.
>
> Phil
>
> [0] https://www.apache.org/security/
> [1] https://www.apache.org/foundation/how-it-works.html
> [2] https://www.apache.org/theapacheway/index.html
> [3] https://www.apache.org/dev/
>
> On 12/31/21 12:06 PM, Sam Ruby wrote:
> > In addition to the in-person meeting next month, we are invited to
> > send read-ahead material and there will be a brief phone call. Given
> > that the call will only last 30 minutes, I presume that call will be
> > consumed by introductions, logistics, and perhaps questions about the
> > read-ahead material.  That call will be on Wednesday, so I would like
> > to send any read-ahead material that we might have late morning EST on
> > Monday.
> >
> > My thoughts are to lead with a summary/bulletized version of what has
> > been discussed recently on this list, followed by actual pointers to
> > the original emails.  Here's a first draft... additions/corrections
> > welcome, both to the bullet points and new posts (preferably to this
> > list) that should be added.
> >
> > Key bullet points
> >
> >  * This will require collective action
> >      o There are things we can do, both individually and together, to
> >        reduce the number of vulnerabilities.
> >      o There are things, such as SBOMs, that can help identify what is
> >        affected once a vulnerability is found.
> >      o Much of this is moot if patches are never applied.
> >  * Volunteers/community/participation
> >      o Our contributors tend to be seasoned software professionals
> >        whose employers include ASF releases in their commercial products.
> >      o Our communities are healthy, open, and transparent.
> >      o Companies and government agencies that want to help don't need
> >        money or formal contracts to do so.  Join our mailing lists,
> >        review our code, contribute fixes.
> >
> > Background reading:
> >
> >  * EO - Mark Cox - https://s.apache.org/3nctr
> >  * SBOM - David Nalley - https://s.apache.org/hccur
> >  * Applying updates - Mark Thomas - https://s.apache.org/5jqab
> >  * Collective action - Phil Steitz - https://s.apache.org/ljzn0
> >  * Volunteers - Sam Ruby - https://s.apache.org/3vkpr
> >  * Contributors/maintenance - Dominik Psenner -
> > https://s.apache.org/3lrk1
> >  * CISA - David Nalley - https://s.apache.org/1gr1c
> >  * Get Involved - https://www.apache.org/foundation/getinvolved.html
> >
> > - Sam Ruby
> >

Re: read-ahead material

Posted by Mark J Cox <mj...@apache.org>.
On Sat, 1 Jan 2022, 00:37 David Nalley, <da...@gnsa.us> wrote:

> On Fri, Dec 31, 2021 at 3:10 PM Phil Steitz <ph...@steitz.com> wrote:
>
> > Thanks, Sam.  I think the bullets below are good for the meat, but based
> > on David's summary of the CISA conversation and various public posts, I
> > think there is some important background / educational material that we
> > need to communicate.
>
> This is consistent with my experience with senior government officials.
> They tend to be smart, intelligent people, but have no depth of knowledge
> of open source, and certainly none of the context around open source or the
> Apache Software Foundation that we can have.
>
> This means that they read words like "volunteer" and likely associate that
> with "amateur" or even "non-professional" folks who are pursuing something
> as a hobby. (See Sam's post to this list for more).
>
> I don't think the pre-brief meeting with DNSA is expected to solve
> problems. I'd use it to provide context on the ASF, how we work, and let
> them ask questions. As Phil calls out below, there are going to be large
> gaps of understanding; this isn't really a conversation with infosec
> professionals at this level. These are policy folks with responsibilities
> that include tech spaces.
>
> If we're going to send over pre-brief information, it should be on things
> like how the ASF operates, the breadth of our projects, and how project
> governance works, how security works at the ASF, etc. I wouldn't expect
> DNSA to be able to name another Apache project, aside from log4j. This
> means there's likely not an understanding of how broad our portfolio is, or
> how important we are to the ecosystem. Again, not casting aspersions, just
> a reflection of the reality that open source is a small subset of her
> responsibility.
>

I agree completely. We need to help explain what the ASF is, how it works,
what we produce, how we produce it, and how we currently deal with
vulnerabilities. We need to make sure this covers how we are different to
other OSS foundations such as LF so they don't think what works for one
works for all.  That's what should be in the materials.

While we might be tempted to start to explain things we can do differently
or better, this is the first time we're having these conversations at a
foundation level rather than individual projects, so let's be careful to
not end up committing ourselves to things we've just thought of.  We can
get a lot of value from listening in these meetings.

Mark
