FAQ

You have questions we have answers!

Can we keep deploying services as we have?

The GNU Toolchain is a critical foundation of trust for the GNU/Linux ecosystem and the demands on its infrastructure, services, and security requirements have grown over time. The trend of increasing complexity to support its development and associated financial demands will not abate. Different projects have different risk tolerances and the GNU Toolchain must meet more stringent expectations to maintain the trust of the ecosystem. It is with this context in mind that CTI has been formed.

The global focus on security is clear and present and in direct relation to the effective functioning of economies and societies. The GNU Toolchain plays a hugely important role in companies and communities of all sizes, providing tooling for compilation, assembly, linkage, running and debugging of critical software.

In order to continue to support these communities we must start to adhere to the modern cybersecurity principles including moving towards zero-trust architectures with strong application sandboxing for all provided services e.g. NIST SP.800-207, separate and protect each environment involved in software development e.g. NIST SP.800-218A PO.5.1, and use multi-factor, risk-based authentication and conditional access for each environment.

Governments around the world have increased their focus on Cybersecurity and resilience in the face of cybersecurity attacks. In the European Union with the creation of the Network and Information Security Directive (NIS 2016/1148, NIS2 2022/2555), the Cybersecurity Act (2019/881), and now the Cyber Resilience Act (2022/0272). In the United States with the publishing of the Executive Order 14028 “Improving the Nation’s Cybersecurity”, with NIST’s Secure Software Development Framework (SSDF SP 800-218A), Cybersecurity Framework 2.0 (CSF 2.0), and Software Supply Chain Security Guidance.

Several of the components of the GNU Toolchain meet the definition of NIST’s “critical software” since they underpin ICAM (Identity, Credentials and access management), network control (DNS stub resolver), and key operating system components. We want to expand and continue to support FOSS in all of these use cases we should strive to meet the increasing cybersecurity best practices.

The purpose of CTI is to help meet these requirements now and into the future to ensure FOSS and the GNU Toolchain can be used by these users and communities.

What concrete steps will CTI help with?

Some of the major goals include:

• Isolating all services in VMs or containers to increase service security and reduce service resource interference.

• Allow volunteers to focus efforts outside of core infrastructure maintenance.

• Prepare for additional software supply chain requirements from

Why are you currently using Linux Foundation IT as the service provider?

The CTI TAC recommendation is to use Linux Foundation IT services for core infrastructure. The LF IT team already supports many of the same services for the Linux kernel and at scale. The migration would involve moving services from Sourceware.org to LF IT servers. We continue to be thankful and appreciative of the time spent by Sourceware.org volunteers in support of the current services.

What is the urgency vs what is the timeline?

The GNU Toolchain community should be making consistent forward progress to improve our infrastructure and cybersecurity position. Showing progress is important for the ecosystem to trust us as a secure and critical part of the software supply chain. We should not wait until there are Cybersecurity regulations that are beyond our ability to comply with as the FOSS ecosystem of tooling and infrastructure. Projects of similar scope and importance have been deploying significant resources for the use of the development community.

Sourceware volunteers have fielded requests and organized volunteer efforts that have worked well. Does LF allow volunteers to administer the servers together with them? Have they in the past?

The CTI TAC is the point of contact for volunteers. CTI can fund multiple activities, by multiple entities, and the way in which the volunteers engage may differ between them.

How does this project relate to the GNU Project or the Free Software Foundation (FSF)?

Many of the GNU Toolchain components are a part of the GNU Project, and contribute to the development of the GNU system. The FSF supports the GNU Project, and in turn supports the GNU Toolchain. The GNU Toolchain community works with the FSF via a working together fund to support the development of the GNU Toolchain directly. The Core Toolchain Infrastructure project is distinct from the GNU Project and the FSF.

How does this project relate to the GCC Compile Farm Project?

The GCC Compiler Farm is a unique resource for the GNU Toolchain and provides interactive systems for developers to manually test on a wide variety of hardware and software configurations. This is not exactly the same set of requirements that the community might have for securing a supply chain, or using modern CI/CD workflows.

How will the composition of the Core Toolchain infrastructure project reflect the communities it supports?

Members of the GNU Toolchain community will always be invited to become members of the technical advisory council for the project.

What is the composition of the project steering committee?

The project steering committee will be composed of sponsoring members of the Linux Foundation and members of the GNU Toolchain community.

What does the project TAC do?

The TAC takes input from the GNU Toolchain community and works with the members to, implement, and resolve prioritized requirements.

Is the GNU Toolchain development model going to change?

No. The aim of the project is to provide additional infrastructure for the community that is being made available to support the GNU Toolchain. All development changes will always be driven by the community.

Is Sourceware going to be deprecated?

The Core Toolchain Infrastructure project is distinct from Sourceware. The intent is to move critical infrastructure from Sourceware to the Core Toolchain Infrastructure project to provide paid services.

Who can use the new infrastructure?

That depends on the requirements given by the GNU Toolchain community. The requirements from the community are input to the steering committee, and so the answer depends largely on exactly what was the intended purpose.

What can the new infrastructure be used for?

That depends on the requirements given by the GNU Toolchain community. The requirements from the community are input to the steering committee, and so the answer depends largely on exactly what was the intended purpose.

How are services validated prior to migration?

Services are validated on a per-service basis, with per-service functionality being tested. Given the focus on strong service isolation and resilience the inter-service integration pieces can and should be added in stages e.g. email to bugzilla, git send-email to mailing lists, as services that can communicate are brought online.

The intent is not to stand up a monolithic integrated set of services, but to start small and create well-isolated services that can operate independently with loose coupling.

Are all services migrated at the same time?

There are no plans to construct a prototype of the entire constellation of enumerated services for a project that is to be migrated to CTI services.

Instead the approach taken is to stand up well-isolated services that can operate independently of each other and with high resilience, and then add the inter-service integration functionality.

Since many of the services being provided are known to already be deployed in production for other projects there is a lot of existing experience to support deployment. What needs to be done is to ensure stronger isolation between services as part of improving the project’s cybersecurity position.

Are there any presentations covering CTI?

Yes, in October 2022 the CTI TAC gave an FSF hosted community Q&A.

---

• Index

• Search Page