On Wed, Feb 3, 2021 at 11:13 AM Niels Möller nisse@lysator.liu.se wrote:
> David Edelsohn dje.gcc@gmail.com writes:
>> Thanks for setting this up. The default accounts have a limited time (90 days?). For long-term CI access, I can help request a long-term account for Nettle.
> That would be helpful.
> I've had a look at the terms and conditions, http://security.marist.edu/LinuxOne/TC.PDF. Most of it looks very reasonable, but there are a few items that I find a bit unclear:
> - [...] You agree to obey all relevant New York State and US laws, including all export controls laws.
> My understanding is that US export control laws don't apply to FOSS software (and that's why, e.g., Debian no longer have special non-us mirrors for distributing cryptographic software). But I don't know the details, and if there really isn't a problem, why is it mentioned explicitly in the terms and conditions?
I am not a lawyer and cannot give legal advice about any of this. I also cannot speak officially for IBM or Marist about the terms and conditions of agreements.
This hasn't been a problem for other Open Source projects, including Open Source cryptographic libraries.
You're not hosting development of the library in the U.S. nor distributing the library from the U.S., so you would seem to be obeying New York State and US laws. The U.S. does not restrict importation of cryptographic software. Downloading the library or repo into the system at Marist to run testing or CI is considered importing.
> 10 [...] d. To protect your LinuxOne Account, keep your Secure Shell (SSH) keys confidential. You are responsible for the activity that happens on or through your LinuxOne Account.
> Is it acceptable under these terms if I upload a private key to a CI config that is part of the gnutls project hosted on gitlab.com? Maamoun's suggested method was to add it as a "Variable" in the CI/CD web config, I'm assuming that will not make it publicly visible (but I'd need to double check).
The item is not specifying how you handle the security and confidentiality of your keys, only that you are responsible for activity on your LinuxONE s390x instance. The intention is that you not email spam or hack other systems or run Bitcoin miners from your account, and make a reasonable effort that malicious parties cannot break into your LinuxONE instance to do similar bad things.
> I don't know precisely which individuals will get access to use the key (and hence my account) if I do that, even though I expect it to be a small number of good people (admins of the gnutls project, and the key will also be technically accessible to gitlab staff).
> [...] Do not reuse your LinuxOne Account keys on third-party applications.
> I also don't understand what "third-party applications" means in this context, but I'd guess gitlab could be one?
Again, I interpret this as basic key security: don't reuse keys or passwords on multiple accounts where a compromise of one account would allow an attacker to compromise other accounts, including the LinuxONE system. It didn't say that you couldn't use it; it said don't REuse it, i.e., don't use the same key for LinuxONE and AWS and wherever else you run CI.
Thanks, David
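The two practical points in the exchange above, a dedicated key stored as a GitLab CI/CD variable and never reused elsewhere, plus the server-side step the thread does not spell out (limiting what that key may do on the LinuxONE account, so that whoever can read the variable gets as little as possible), in shell. This is an added example, not code or configuration from this thread, from Nettle or GnuTLS, or from GitLab or Marist. The variable name CI_S390X_SSH_KEY, the S390X_USER and S390X_HOST variables, the sample network range and the remote command are assumptions; the key itself should be generated for this purpose alone (ssh-keygen) and stored as a masked, protected variable.

```shell
#!/bin/sh
# Added example; not from the thread, Nettle, GnuTLS, GitLab or Marist.
# Assumed (hypothetical) names: CI_S390X_SSH_KEY is a masked, protected
# GitLab CI/CD variable holding a *dedicated* private key used nowhere
# else; S390X_USER and S390X_HOST identify the LinuxONE account.

# Server side: build the authorized_keys line for the CI-only public key.
# "restrict" (OpenSSH 7.2+) turns off port/agent/X11 forwarding and pty
# allocation; an optional from= pattern limits where the key may be used
# from, so a key leaked out of the CI system is of less use to its holder.
restrict_authorized_key() {
    pubkey="$1"       # e.g. "ssh-ed25519 AAAA... ci@gitlab"
    from_pattern="$2" # optional, e.g. "203.0.113.0/24" (constructed value)
    if [ -n "$from_pattern" ]; then
        printf 'restrict,from="%s" %s\n' "$from_pattern" "$pubkey"
    else
        printf 'restrict %s\n' "$pubkey"
    fi
}

# CI side: write the variable's contents to an owner-only file, which is
# what ssh requires before it will use a private key. The umask is set in a
# subshell so the caller's umask is untouched. Returns non-zero unless the
# file ends up mode 0600.
install_ci_key() {
    key_text="$1"
    dest="$2"
    ( umask 077
      mkdir -p "$(dirname "$dest")" &&
      printf '%s\n' "$key_text" > "$dest" ) || return 1
    chmod 600 "$dest" || return 1
    [ -n "$(find "$dest" -perm 600)" ]
}

# Body of the GitLab job's script: section. Not run here; the job runs it
# with the variables above populated. IdentitiesOnly stops ssh offering any
# other key present on the runner. Pin the host key separately (e.g. a
# known_hosts CI variable) rather than turning host checking off.
ci_job() {
    install_ci_key "$CI_S390X_SSH_KEY" "$HOME/.ssh/ci_s390x" || return 1
    ssh -i "$HOME/.ssh/ci_s390x" -o IdentitiesOnly=yes \
        "$S390X_USER@$S390X_HOST" 'cd nettle && make check'   # assumed command
}
```

The output of restrict_authorized_key is what goes into ~/.ssh/authorized_keys on the LinuxONE instance, one line per CI key; the corresponding private key is pasted into the GitLab variable with "Mask variable" and "Protect variable" enabled, and the job calls ci_job. Rotating the key then means regenerating it, replacing that one authorized_keys line and updating the one variable, with nothing else on any other service affected.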