Re: why does FreeBSD only offer trustworthiness and transparency to people who donate money?
Date: Fri, 19 Apr 2024 20:55:46 UTC
On 4/18/24 2:30 PM, Lexi Winter wrote:
> so today i came across this press release:
>
> https://freebsdfoundation.org/blog/freebsd-foundation-delivers-v1-of-freebsd-ssdf-attestation-to-support-cybersecurity-compliance/
>
> "FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support
> Cybersecurity Compliance"
>
> this is about some new thing called "SSDF Attestation" which is now
> available to people who give money to the FreeBSD Foundation.
>
> reading the PR, i learned:
>
>> The SSDF Attestation continues the FreeBSD community’s longstanding
>> commitment to security by providing transparency and trustworthiness
>> in its software development environment. This move aligns with the US
>> federal government’s recent initiative to bolster software security.
>
> i would like to know exactly what "transparency" and "trustworthiness"
> is being provided to Foundation donors which is not provided to the rest
> of us.
>
> can anyone summarise exactly what this "SSDF" includes that is being
> withheld from normal users like me?
>
> cc: core@ since i assume core was somehow involved in this.

core@ was not intimately involved with this (because core@ doesn't have money or spend money), but did ok the FF pursuing this attestation.

A quick search on your search engine of choice shows that SSDF attestation is a compliance certification via the CISA agency in the US. If you are a supplier to the US government, you likely need to certify your products before agencies in the US government can purchase them. Normally you would do all that yourself, so if you are selling some product to the US government, you as the supplier have to fork out the money to pay for a certification for your product and its various components. My understanding of this is that the FF has paid actual money (something core@ does not have) to deal with the paperwork of certifying FreeBSD and is willing to share that with donors.

So if you donate to the FF you can re-use their certification for the FreeBSD part of your product (you would still need to certify other parts of your product) instead of paying to certify FreeBSD yourself. Presumably the idea is that sharing the cost of the certification is cheaper than each of the donors who need it doing it independently.

Note though, this isn't about some secret cabal doing different code changes that are only available to donors; this is purely about paperwork that you may need to sell a FreeBSD-based product to the US government. If you aren't selling products to the US government, you aren't affected and probably don't care.

Also note that the Project doesn't control whether or not people choose to get certifications for FreeBSD (and usually such certifications are for a specific version, so each new version requires a new certification). To date we have not tried to place any constraints on who might want to certify FreeBSD as part of a product, whether that be the FF or a vendor shipping a FreeBSD-based appliance. If you want to spend your own money to certify FreeBSD, have at it.

-- 
John Baldwin