From: ASSI <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: [off topic] RE: Re: Country Of Origin Verification - 8944
References: <18ca01d64522$85307b80$8f917280$@pdinc.us>
Date: Thu, 18 Jun 2020 20:04:48 +0200
In-Reply-To: <18ca01d64522$85307b80$8f917280$@pdinc.us> (Jason Pyeron's message of "Wed, 17 Jun 2020 23:42:41 -0400")
Message-ID: <87bllguu67.fsf@Otto.invalid>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
Jason Pyeron writes:

> <rant>Unless Cygwin and its packages are never to be used by business
> and government, these are legitimate concerns. Just because some of
> the users and volunteers do not care or understand does not mean it is
> not important.</rant>

Well, even if any user or volunteer does care and understand, that still does not put them into a position to provide the information that was asked.

For the original question: It is clear from earlier communication on this list that Cygwin is in use by various branches of the U.S. government, so if you can get hold of the people who've done that before you'll likely be able to re-use their trail(s) and get 80…90% of your answers by copy&paste.

> Supply Chain Risk is a real issue. […]
> But this approach cannot work for Centos, Cygwin, and other
> collections of open source.

Right. For Cygwin in particular, there is the additional issue that it is very much a rolling distribution, and packages come and go and change versions all the time. So by the time you've cut through all the red tape you'll have to start over again.

I use Cygwin in environments that need to be auditable. While the actual auditing thankfully has not yet been necessary, I've put in place some of the preparations for that nevertheless:

1. The install is from a local repository and setup has been modified to allow only signed installs and been outfitted with a different signing key so users can't go around the local repo and install from the internet (yes, they've tried).

2. The install will always leave you with the same set of packages when successful for each type of installation supported and the install script knows which type of installation belongs on each machine. I could nail that part down harder, but at the moment it suffices. All add-on software for Cygwin that is not in the upstream repository is properly packaged locally and put into the local repository.

3. If proper auditing ever becomes necessary I can switch to a phased install model where I can keep certain machines to whatever the audited state is and keep updating the other installs as I do at the moment for all of them. Right now I just have a staging repo that I update frequently and that gets copied to the live repo when I have tested the staging install OK.

4. I've convinced myself that I could build all packages from source if I had to, but I've not actually done it yet. That would not be a requirement for us anyway, but as requirements change all the time it's better to have that fallback in place.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs
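The staging-to-live promotion described in step 3 is easier to audit when the package changes between the two repositories are listed explicitly rather than discovered after the copy. The Python below is an added example, not code from the message or from Cygwin's setup tooling: it reads the current version and install-archive SHA-512 of every package from two setup.ini files and reports what a promotion would add, remove or upgrade, and separately flags packages whose version string is unchanged while the archive hash differs, which is worth a look before promoting. The setup.ini excerpts and hashes are constructed, and the `[prev]`/`[test]` handling assumes the layout of the real setup.ini format.

```python
def parse_setup_ini(text):
    """{package: (version, sha512)} for current versions; [prev]/[test] blocks are skipped."""
    packages, current = {}, None  # current: [version, sha512] list of the block being read
    for line in map(str.strip, text.splitlines()):
        if line.startswith("@ "):
            current = packages.setdefault(line[2:].strip(), ["", ""])
        elif line in ("[prev]", "[test]"):
            current = None  # older/testing versions are not what setup installs by default
        elif current is not None and line.startswith("version:"):
            current[0] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("install:"):
            fields = line.split(":", 1)[1].split()  # <path> <size> <sha512>
            current[1] = fields[2] if len(fields) >= 3 else ""
    return {name: (v, s) for name, (v, s) in packages.items()}

def promotion_report(live, staging):
    """What copying staging over live adds, removes, upgrades, or swaps in place
    (same version string, new archive hash: check that before promoting)."""
    old, new = parse_setup_ini(live), parse_setup_ini(staging)
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "version_changed": sorted(p for p in both if old[p][0] != new[p][0]),
        "same_version_new_hash": sorted(
            p for p in both if old[p][0] == new[p][0] and old[p][1] != new[p][1]),
    }

# Constructed setup.ini excerpts; the hashes are short placeholders, not real SHA-512 digests.
LIVE_INI = """\
@ bash
version: 4.4.12-3
install: x86_64/release/bash/bash-4.4.12-3.tar.xz 863956 aaaa1111
[prev]
version: 4.4.12-2
@ zip
version: 3.0-12
install: x86_64/release/zip/zip-3.0-12.tar.xz 191704 dddd0000
"""
STAGING_INI = """\
@ bash
version: 4.4.12-4
install: x86_64/release/bash/bash-4.4.12-4.tar.xz 864000 aaaa2222
@ newtool
version: 2.0-1
install: x86_64/release/newtool/newtool-2.0-1.tar.xz 2000 bbbb0000
@ zip
version: 3.0-12
install: x86_64/release/zip/zip-3.0-12.tar.xz 191704 dddd9999
"""
```

Running `promotion_report(LIVE_INI, STAGING_INI)` on the excerpts reports `newtool` as added, `bash` as a version change, and `zip` as an unchanged version with a new archive hash.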