José Miguel Parrella
While `tzdata` and `ca-certificates` release mostly data instead of source code, they are arguably critical to trust. I suggest adding (and tracking) the "build" dependencies of both. For example, in...
The software in the OIN Linux System definition is described in a series of tables. Those tables can be browsed by technology area: https://openinventionnetwork.com/linux-system-definition/table-10/breakdowns/originating-project/ Fun fact, Steve Winslow has published...
In the spreadsheet, there is a column for a URL. Most of the ~100 rows have a link to a GitHub repository, with notable exceptions including the Linux kernel, `golang`,...
The `cip-core` project emits a package list comprising the minimal (core) CIP system. Several pieces of software in the list might already be in OpenSSF's critical projects list, but it'd...
The list of critical open source projects, components and frameworks is currently published as a [spreadsheet](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit). I suggest that it's provided as a machine-readable file under source control in this...
Taking inspiration from https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-explanatory and https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition-faqs#Ref_FAQ3, could we use the techniques from #41 to identify additional projects that operate on the network or run with privileges, at least on...
The current spreadsheet shows package managers as candidate projects, and has build toolchains (generally comprising build systems, compilers and associated tooling) in the considered list. While the list is not...
Currently, [`openssh` requires `openssh-clients` and `openssh-server`](https://github.com/microsoft/azurelinux/blob/2.0/SPECS/openssh/openssh.spec#L65-L66). This means that anyone who depends on `openssh` will get all the software, when they might only need clients _or_ server. The packages that...
In Azure Linux 2.0 (and 3.0), [`git` depends on `openssh`](https://github.com/microsoft/azurelinux/blob/8728caaee1dbaa223d0a53287b04fcd5164d0bf3/SPECS/git/git.spec#L16), which in turn depends on `openssh-server`. Consider changing the `Requires` stanza in `git` to `openssh-clients` if `sshd` isn't really necessary...
`imagecustomizer` overrides or deletes `/etc/resolv.conf` in https://github.com/microsoft/azurelinux/blob/a952e5f20a10bd24f2d0a27eca9f2c0110c998ed/toolkit/tools/pkg/imagecustomizerlib/customizeutils.go#L110-L147 in order to support managed `resolv.conf`, as in `systemd-resolved` ([reference](https://github.com/microsoft/azurelinux/blob/2.0/toolkit/tools/imagecustomizer/docs/configuration.md#etcresolvconf)). This breaks managed resolver functionality in cases where `/etc` is `ro`, notable example...