* My suggestions on auditing that services are running free software
@ 2024-03-22  8:35 Ian Kelling
From: Ian Kelling @ 2024-03-22  8:35 UTC (permalink / raw)
  To: cti-tac

This is fulfilling a request from the last CTI TAC meeting.

I suggest: For any program that users interact with via a user
interface, the user should be able to download & run a copy as free
software (they need to be able to know & get the specific version being
run). If the internet archive is not taking at least weekly snapshots,
there should be a web page with a history of past versions too. Past
version information is needed for example if a service changes and a
user doesn't like the change, then they can download and run the
previous version.

If needed, I can help work out more specific details of what
programs should count, but the list of programs on the CTI website [0]
seems to have the right idea.

[0]: https://cti.coretoolchain.dev/services/index.html

I suggest: if an entire machine is provided to a user, for example root
ssh access to run any program the user wants, then the scope of programs
to be free software on that machine should be greater than in the case
of a service. Defining that scope can happen if and when there are plans
for providing an entire machine; I see no plans right now.

I suggest that CTI come up with a proposal/plan for how to implement the
audit. Eg, checking what software is being run and that users are able
to download a copy and that it is free software. The FSF will be
available to review the proposal.

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org

* Re: My suggestions on auditing that services are running free software
From: Konstantin Ryabitsev @ 2024-03-22 15:57 UTC (permalink / raw)
  To: Ian Kelling; +Cc: cti-tac

On Fri, Mar 22, 2024 at 04:35:13AM -0400, Ian Kelling wrote:
> I suggest that CTI come up with a proposal/plan for how to implement the
> audit. Eg, checking what software is being run and that users are able
> to download a copy and that it is free software. The FSF will be
> available to review the proposal.

Before we go down that route, please note that LF IT does not provide backend
access to third parties, so any audit plans will be limited to auditing
documentation.

We, of course, comply with licensing terms, so any AGPL-licensed software
(such as public-inbox) is available for download (we run the upstream version
without any modifications). Any free software without such requirement may
have basic version info, not necessarily down to the exact patch level. For
example, I doubt anyone benefits from knowing the exact version of Postfix
used to send this mailing list message.

Best regards,
Konstantin

* Re: My suggestions on auditing that services are running free software
From: Carlos O'Donell @ 2024-04-03 18:55 UTC (permalink / raw)
  To: Konstantin Ryabitsev, Ian Kelling; +Cc: cti-tac

On 3/22/24 11:57, Konstantin Ryabitsev wrote:
> On Fri, Mar 22, 2024 at 04:35:13AM -0400, Ian Kelling wrote:
>> I suggest that CTI come up with a proposal/plan for how to implement the
>> audit. Eg, checking what software is being run and that users are able
>> to download a copy and that it is free software. The FSF will be
>> available to review the proposal.
> 
> Before we go down that route, please note that LF IT does not provide backend
> access to third parties, so any audit plans will be limited to auditing
> documentation.

I agree, and I would not want any service provider to give backend access to third parties
because it creates an increased security risk to support the audit. The cost of compliance
is relevant here if it creates a security risk. We can achieve compliance without the
additional risk.

For me as a CTI TAC member it is reasonable to have a documented list of the versions of the
software that was being run, audit the list, and update the list with versions on the
CTI website.

> We, of course, comply with licensing terms, so any AGPL-licensed software
> (such as public-inbox) is available for download (we run the upstream version
> without any modifications). Any free software without such requirement may
> have basic version info, not necessarily down to the exact patch level. For
> example, I doubt anyone benefits from knowing the exact version of Postfix
> used to send this mailing list message.

The purpose of the audit is to ensure that we meet the ethical repository hosting criteria
and we can meet those obligations by ensuring we run unpatched distro versions or unpatched
upstream versions of the software. Where we deviate from upstream or distro versions we should
do so only briefly to address security issues. Knowing the exact version of Postfix is *less*
important to me than knowing that we are running without any local patches applied and using
the standard distro version or standard upstream release. So it would be a checkbox item for
me to ask "Are we using the distro version? Are we using upstream directly?"

Does that make sense?

-- 
Cheers,
Carlos.
