[off topic] RE: Re: Country Of Origin Verification - 8944

ASSI Stromeko@nexgo.de
Thu Jun 18 18:04:48 GMT 2020


Jason Pyeron writes:
> <rant>Unless Cygwin and its packages are never to be used by business
> and government, these are legitimate concerns. Just because some of
> the users and volunteers do not care or understand does not mean it is
> not important.</rant>

Well, even if any user or volunteer does care and understand, that still
does not put them into a position to provide the information that was
asked.

For the original question: It is clear from earlier communication on
this list that Cygwin is in use by various branches of the
U.S. government, so if you can get hold of the people who've done that
before you'll likely be able to re-use their trail(s) and get 80…90% of
your answers by copy&paste.

> Supply Chain Risk is a real issue.
[…]
> But this approach cannot work for Centos, Cygwin, and other
> collections of open source.

Right.  For Cygwin in particular, there is the additional issue that it
is very much a rolling distribution, and packages come and go and change
versions all the time.  So by the time you've cut through all the red
tape you'll have to start over again.

I use Cygwin in environments that need to be auditable.  While the
actual auditing thankfully has not yet been necessary, I've put in place
some of the preparations for that nevertheless:

1. The install is from a local repository and setup has been modified to
allow only signed installs and been outfitted with a different signing
key so users can't go around the local repo and install from the
internet (yes, they've tried).

2. The install will always leave you with the same set of packages when
successful for each type of installation supported and the install
script knows which type of installation belongs on each machine.  I
could nail that part down harder, but at the moment it suffices. All
add-on software for Cygwin that is not in the upstream repository is
properly packaged locally and put into the local repository

3. If proper auditing ever becomes necessary I can switch to a phased
install model where I can keep certain machines to whatever the audited
state is and keep updating the other installs as I do at the moment for
all of them.  Right now I just have a staging repo that I update
frequently and gets copied to the live repo when I tested the staging
install OK.

4. I've convinced myself that I could build all packages from source if
I had to, but I've not actually done it yet.  That would not be a
requirement for us anyway, but as requirements change all the time it's
better to have that fallback in place.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs


More information about the Cygwin mailing list