* [PATCH] source/faq/index: Update FAQ.
@ 2024-05-29 13:48 Carlos O'Donell
From: Carlos O'Donell @ 2024-05-29 13:48 UTC (permalink / raw)
To: cti-tac; +Cc: Carlos O'Donell
Update the FAQ with additional entries as requested by CTI TAC
review.
Add information about relevant national standards and why we want
to advance the state of our current infrastructure.
Add information about service bringup and how to achieve that.
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
---
source/faq/index.rst | 60 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/source/faq/index.rst b/source/faq/index.rst
index 66458c1..81bdc3c 100644
--- a/source/faq/index.rst
+++ b/source/faq/index.rst
@@ -8,7 +8,7 @@ You have questions we have answers!
Can we keep deploying services as we have?
""""""""""""""""""""""""""""""""""""""""""
-No. The GNU Toolchain is a critical foundation of trust for the
+The GNU Toolchain is a critical foundation of trust for the
GNU/Linux ecosystem and the demands on its infrastructure, services, and
security requirements have grown over time. The trend of increasing complexity
to support its development and associated financial demands will not abate.
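Review bot: dropping the leading "No." leaves the question "Can we keep deploying services as we have?" without a direct answer; the paragraph that remains argues the case but never states the conclusion. If the intent is to soften the tone, keep a short answer at the top ("No, not without changes.") and follow it with the existing rationale, so a reader scanning the FAQ still gets the answer before the justification.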
@@ -16,6 +16,38 @@ Different projects have different risk tolerances and the GNU Toolchain must
meet more stringent expectations to maintain the trust of the ecosystem. It is
with this context in mind that CTI has been formed.
+The global focus on security is clear and present and in direct relation to
+the effective functioning of economies and societies. The GNU Toolchain plays
+a hugely important role in companies and communities of all sizes, providing
+tooling for compilation, assembly, linkage, running and debugging of
+critical software.
+
+In order to continue to support these communities we must start to adhere to
+the modern cybersecurity principles including moving towards zero-trust
+architectures with strong application sandboxing for all provided services
+e.g. NIST SP.800-207, separate and protect each environment involved
+in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor,
+risk-based authentication and conditional access for each environment.
+
+Governments around the world have increased their focus on Cybersecurity and
+resilience in the face of cybersecurity attacks. In the European Union with
+the creation of the Network and Information Security Directive (NIS 2016/1148,
+NIS2 2022/2555), the Cybersecurity Act (2019/881), and now the Cyber Resilience
+Act (2022/0272). In the United States with the publishing of the Executive
+Order 14028 "Improving the Nation's Cybersecurity", with NIST's
+Secure Software Development Framework (SSDF SP 800-218A), Cybersecurity
+Framework 2.0 (CSF 2.0), and Software Supply Chain Security Guidance.
+
+Several of the components of the GNU Toolchain meet the definition of NIST's
+"critical software" since they underpin ICAM (Identity, Credentials and
+access management), network control (DNS stub resolver), and key operating
+system components. We want to expand and continue to support FOSS in all
+of these use cases we should strive to meet the increasing cybersecurity
+best practices.
+
+The purpose of CTI is to help meet these requirements now and into the future
+to ensure FOSS and the GNU Toolchain can be used by these users and communities.
+
What concrete steps will CTI help with?
"""""""""""""""""""""""""""""""""""""""
Some of the major goals include:
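Review bot: the standards paragraphs need copy-editing and verifiable citations. "Governments around the world have increased their focus ... In the European Union with the creation of ... In the United States with the publishing of ..." are sentence fragments, and "We want to expand and continue to support FOSS in all of these use cases we should strive to meet the increasing cybersecurity best practices." runs two sentences together. The document identifiers are formatted inconsistently ("NIST SP.800-207" vs. "SP 800-218A"), and the SSDF is cited as "SP 800-218A" while PO.5.1 ("separate and protect each environment involved in software development") is a practice of the SSDF core document; please confirm the number and, since this is RST, link each publication (SP 800-207, the SSDF, CSF 2.0, EO 14028, NIS2, the Cyber Resilience Act) so a reader can check which requirement motivates each claim. The three principles in the "In order to continue to support these communities" paragraph (zero-trust architecture with service sandboxing, separated and protected development environments, multi-factor risk-based authentication with conditional access) would also be easier to act on as a bullet list with each item tied to the citation it comes from.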
@@ -109,6 +141,32 @@ That depends on the requirements given by the GNU Toolchain community.
The requirements from the community are input to the steering committee, and so
the answer depends largely on exactly what was the intended purpose.
+How are services validated prior to migration?
+""""""""""""""""""""""""""""""""""""""""""""""
+Services are validated on a per-service basis, with per-service functionality
+being tested. Given the focus on strong service isolation and resilience the
+inter-service integration pieces can and should be added in stages e.g.
+email to bugzilla, git send-email to mailing lists, as services that can
+communicate are brought online.
+
+The intent is not to stand up a monolithic integrated set of services, but to
+start small and create well-isolated services that can operate independently
+with loose coupling.
+
+Are all services migrated at the same time?
+"""""""""""""""""""""""""""""""""""""""""""
+There are no plans to construct a prototype of the entire constellation of
+enumerated services for a project that is to be migrated to CTI services.
+
+Instead the approach taken is to stand up well-isolated services that can
+operate independently of each other and with high resilience, and then add
+the inter-service integration functionality.
+
+Since many of the services being provided are known to already be deployed
+in production for other projects there is a lot of existing experience
+to support deployment. What needs to be done is to ensure stronger isolation
+between services as part of improving the project's cybersecurity position.
+
Are there any presentations covering CTI?
"""""""""""""""""""""""""""""""""""""""""
Yes, in October 2022 the CTI TAC gave an `FSF hosted community Q&A <https://media.libreplanet.org/u/libreplanet/m/the-gti-project-a-conversation-and-community-q-a/>`_.
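Review bot: "Services are validated on a per-service basis, with per-service functionality being tested" says that validation happens but not what passes it. State who performs the validation, what the functional testing covers (a smoke test of the new service, a comparison against the existing deployment, sign-off by the project being migrated), and when a service is considered ready to switch over. In the second answer, "known to already be deployed in production for other projects" is unverifiable as written; name the services or deployments meant, or drop the sentence. Minor: both new answers make the same isolation-first, loose-coupling point in nearly the same words ("well-isolated services that can operate independently"); one statement plus a cross-reference would read better.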
--
2.45.0
* Re: [PATCH] source/faq/index: Update FAQ.
@ 2024-06-05 15:41 ` Carlos O'Donell
From: Carlos O'Donell @ 2024-06-05 15:41 UTC (permalink / raw)
To: cti-tac, Siddhesh Poyarekar
On 5/29/24 9:48 AM, Carlos O'Donell wrote:
> Update the FAQ with additional entries as requested by CTI TAC
> review.
>
> Add information about relevant national standards and why we want
> to advance the state of our current infrastructure.
>
> Add information about service bringup and how to achieve that.
Any input from the TAC?
I plan to push this next week as the FAQ items noted here expand on the
existing answer we had, and other answers are following what we're doing
today.
> Signed-off-by: Carlos O'Donell <carlos@redhat.com>
> ---
> source/faq/index.rst | 60 +++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 59 insertions(+), 1 deletion(-)
>
> diff --git a/source/faq/index.rst b/source/faq/index.rst
> index 66458c1..81bdc3c 100644
> --- a/source/faq/index.rst
> +++ b/source/faq/index.rst
> @@ -8,7 +8,7 @@ You have questions we have answers!
>
> Can we keep deploying services as we have?
> """"""""""""""""""""""""""""""""""""""""""
> -No. The GNU Toolchain is a critical foundation of trust for the
> +The GNU Toolchain is a critical foundation of trust for the
> GNU/Linux ecosystem and the demands on its infrastructure, services, and
> security requirements have grown over time. The trend of increasing complexity
> to support its development and associated financial demands will not abate.
> @@ -16,6 +16,38 @@ Different projects have different risk tolerances and the GNU Toolchain must
> meet more stringent expectations to maintain the trust of the ecosystem. It is
> with this context in mind that CTI has been formed.
>
> +The global focus on security is clear and present and in direct relation to
> +the effective functioning of economies and societies. The GNU Toolchain plays
> +a hugely important role in companies and communities of all sizes, providing
> +tooling for compilation, assembly, linkage, running and debugging of
> +critical software.
> +
> +In order to continue to support these communities we must start to adhere to
> +the modern cybersecurity principles including moving towards zero-trust
> +architectures with strong application sandboxing for all provided services
> +e.g. NIST SP.800-207, separate and protect each environment involved
> +in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor,
> +risk-based authentication and conditional access for each environment.
> +
> +Governments around the world have increased their focus on Cybersecurity and
> +resilience in the face of cybersecurity attacks. In the European Union with
> +the creation of the Network and Information Security Directive (NIS 2016/1148,
> +NIS2 2022/2555), the Cybersecurity Act (2019/881), and now the Cyber Resilience
> +Act (2022/0272). In the United States with the publishing of the Executive
> +Order 14028 "Improving the Nation's Cybersecurity", with NIST's
> +Secure Software Development Framework (SSDF SP 800-218A), Cybersecurity
> +Framework 2.0 (CSF 2.0), and Software Supply Chain Security Guidance.
> +
> +Several of the components of the GNU Toolchain meet the definition of NIST's
> +"critical software" since they underpin ICAM (Identity, Credentials and
> +access management), network control (DNS stub resolver), and key operating
> +system components. We want to expand and continue to support FOSS in all
> +of these use cases we should strive to meet the increasing cybersecurity
> +best practices.
> +
> +The purpose of CTI is to help meet these requirements now and into the future
> +to ensure FOSS and the GNU Toolchain can be used by these users and communities.
> +
> What concrete steps will CTI help with?
> """""""""""""""""""""""""""""""""""""""
> Some of the major goals include:
> @@ -109,6 +141,32 @@ That depends on the requirements given by the GNU Toolchain community.
> The requirements from the community are input to the steering committee, and so
> the answer depends largely on exactly what was the intended purpose.
>
> +How are services validated prior to migration?
> +""""""""""""""""""""""""""""""""""""""""""""""
> +Services are validated on a per-service basis, with per-service functionality
> +being tested. Given the focus on strong service isolation and resilience the
> +inter-service integration pieces can and should be added in stages e.g.
> +email to bugzilla, git send-email to mailing lists, as services that can
> +communicate are brought online.
> +
> +The intent is not to stand up a monolithic integrated set of services, but to
> +start small and create well-isolated services that can operate independently
> +with loose coupling.
> +
> +Are all services migrated at the same time?
> +"""""""""""""""""""""""""""""""""""""""""""
> +There are no plans to construct a prototype of the entire constellation of
> +enumerated services for a project that is to be migrated to CTI services.
> +
> +Instead the approach taken is to stand up well-isolated services that can
> +operate independently of each other and with high resilience, and then add
> +the inter-service integration functionality.
> +
> +Since many of the services being provided are known to already be deployed
> +in production for other projects there is a lot of existing experience
> +to support deployment. What needs to be done is to ensure stronger isolation
> +between services as part of improving the project's cybersecurity position.
> +
> Are there any presentations covering CTI?
> """""""""""""""""""""""""""""""""""""""""
> Yes, in October 2022 the CTI TAC gave an `FSF hosted community Q&A <https://media.libreplanet.org/u/libreplanet/m/the-gti-project-a-conversation-and-community-q-a/>`_.
--
Cheers,
Carlos.
* Re: [PATCH] source/faq/index: Update FAQ.
@ 2024-06-05 18:33 ` Frank Ch. Eigler
From: Frank Ch. Eigler @ 2024-06-05 18:33 UTC (permalink / raw)
To: Carlos O'Donell; +Cc: cti-tac, Siddhesh Poyarekar
Hi, Carlos -
> [...]
> > +In order to continue to support these communities we must start to adhere to
> > +the modern cybersecurity principles including moving towards zero-trust
> > +architectures with strong application sandboxing for all provided services
> > +e.g. NIST SP.800-207, separate and protect each environment involved
> > +in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor,
> > +risk-based authentication and conditional access for each environment.
> [...]
Thank you for offering those extra book references. It would help
even more if there were an itemized list of which particular
suggestions or mandates from those books are of interest to you, and how
each is absent on sourceware vs. to be satisfied at lf. In other
words, offer a way for someone to verify the problem, non-compliance and
compliance.
- FChE
* Re: [PATCH] source/faq/index: Update FAQ.
@ 2024-06-11 12:18 ` Carlos O'Donell
From: Carlos O'Donell @ 2024-06-11 12:18 UTC (permalink / raw)
To: Frank Ch. Eigler; +Cc: cti-tac, Siddhesh Poyarekar
On 6/5/24 2:33 PM, Frank Ch. Eigler wrote:
> Hi, Carlos -
>
>> [...]
>>> +In order to continue to support these communities we must start to adhere to
>>> +the modern cybersecurity principles including moving towards zero-trust
>>> +architectures with strong application sandboxing for all provided services
>>> +e.g. NIST SP.800-207, separate and protect each environment involved
>>> +in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor,
>>> +risk-based authentication and conditional access for each environment.
>> [...]
>
> Thank you for offering those extra book references. It would help
> even more if there were an itemized list of which particular
> suggestions or mandates from those books are of interest to you, and how
> each is absent on sourceware vs. to be satisfied at lf. In other
> words, offer a way for someone to verify the problem, non-compliance and
> compliance.
Such an answer goes beyond what I would normally put into an FAQ. The
intent of the FAQ is to be smaller, quick-to-read answers to specific
questions.
Such an answer could also be viewed as antagonistic towards Sourceware and
I don't want it to be seen that way. I would like to continue collaborating
now and into the future with you and the other overseers.
--
Cheers,
Carlos.
* Re: [PATCH] source/faq/index: Update FAQ.
@ 2024-06-11 12:25 ` Carlos O'Donell
From: Carlos O'Donell @ 2024-06-11 12:25 UTC (permalink / raw)
To: cti-tac, Siddhesh Poyarekar
On 6/5/24 11:41 AM, Carlos O'Donell wrote:
> On 5/29/24 9:48 AM, Carlos O'Donell wrote:
>> Update the FAQ with additional entries as requested by CTI TAC
>> review.
>>
>> Add information about relevant national standards and why we want
>> to advance the state of our current infrastructure.
>>
>> Add information about service bringup and how to achieve that.
>
> Any input from the TAC?
>
> I plan to push this next week as the FAQ items noted here expand on the
> existing answer we had, and other answers are following what we're doing
> today.
Pushed live.
--
Cheers,
Carlos.