Re: why does FreeBSD only offer trustworthiness and transparency to people who donate money?

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Fri, 19 Apr 2024 20:55:46 UTC
On 4/18/24 2:30 PM, Lexi Winter wrote:
> so today i came across this press release:
> 
> https://freebsdfoundation.org/blog/freebsd-foundation-delivers-v1-of-freebsd-ssdf-attestation-to-support-cybersecurity-compliance/
> 
> "FreeBSD Foundation Delivers V1 of FreeBSD SSDF Attestation to Support
> Cybersecurity Compliance"
> 
> this is about some new thing called "SSDF Attestation" which is now
> available to people who give money to the FreeBSD Foundation.
> 
> reading the PR, i learned:
> 
>> The SSDF Attestation continues the FreeBSD community’s longstanding
>> commitment to security by providing transparency and trustworthiness
>> in its software development environment. This move aligns with the US
>> federal government’s recent initiative to bolster software security.
> 
> i would like to know exactly what "transparency" and "trustworthiness"
> is being provided to Foundation donors which is not provided to the rest
> of us.
> 
> can anyone summarise exactly what this "SSDF" includes that is being
> withheld from normal users like me?
> 
> cc: core@ since i assume core was somehow involved in this.

core@ was not intimately involved with this (because core@ doesn't have
money or spend money), but did ok the FF pursuing this attestation.

A quick search on your search engine of choice shows that SSDF attestation is
a compliance certification via the CISA agency in the US.  If you are a supplier
to the US government, you likely need to certify your products before agencies
in the US government can purchase them.  Normally you would do all that yourself,
so if you are selling some product to the US government, you as the supplier have
to fork out the money to pay for a certification for your product and its
various components.  My understanding of this is that the FF has paid actual
money (something core@ does not have) to deal with the paperwork of certifying
FreeBSD and is willing to share that with donors.  So if you donate to the
FF you can re-use their certification for the FreeBSD part of your product (you
would still need to certify other parts of your product) instead of paying to
certify FreeBSD yourself.  Presumably the idea is that sharing the cost of the
certification is cheaper than each of the donors who need it doing it
independently.

Note though, this isn't about some secret cabal doing different code changes
that are only available to donors, this is purely about paperwork that you may
need to sell a FreeBSD-based product to the US government.  If you aren't selling
products to the US government, you aren't affected and probably don't care.

Also note that the Project doesn't control whether or not people choose to get
certifications for FreeBSD (and usually such certifications are for a specific
version, so each new version requires a new certification).  To date we have
not tried to place any constraints on who might want to certify FreeBSD as
part of a product whether that be the FF or a vendor shipping a FreeBSD-based
appliance.  If you want to spend your own money to certify FreeBSD, have at it.

-- 
John Baldwin