Carlos O'Donell
carlos@redhat.com
Tue Jan 27 16:15:28 GMT 2026
More information about the Libc-alpha mailing list
tl;dr The GNU Maintainers for the GNU C Library (glibc) plan to move
core services to infrastructure hosted by the Core Toolchain
Infrastructure (CTI) project. As maintainers for the project we do this
to meet the present and future needs of glibc and the GNU Toolchain. We
want secure, robust, and sustainable infrastructure, balanced against
the needs of developers and the community to collaborate and innovate,
with reliable funding to support the infrastructure in the long term.

In 2019 leadership from the GNU Toolchain started down a path that led
to the Core Toolchain Infrastructure project. The project aims to move
toolchain infrastructure issues forward, to provide a sustainable path
forward for secure and state-of-the-art infrastructure.

Post-pandemic, since 2022 the GNU Toolchain has continued to move
forward the state of the current infrastructure by engaging the
developers, the projects, and a wider set of sponsors that can
support a sustainable path forward for the toolchain.

Key achievements:

2022 - Started using infrastructure provided by CTI like BigBlueButton
       for meetings for the GNU Toolchain e.g. Weekly glibc patch
       queue review and Monthly Office hours in two timezones.
2023 - Service enumeration for GNU Toolchain projects (gcc, glibc,
       binutils, gdb).
2024 - Completed pricing and service contract negotiation for migration
       with LF IT.
2025 - Completed GNU Toolchain and glibc documents to define secure
       development requirements and the infrastructure needs.

These steps were a necessary evolution and resulted in several critical
milestones, e.g., service enumeration, secure development documents,
which collectively paved the way for a sustainable path forward.

While it was clear to the GNU Toolchain leadership that requirements
were coming to improve the toolchain cyber-security posture, these
requirements were not clear to all project developers. As part of
receiving this feedback we have worked to document and define a secure
development policy for glibc and at a higher level the GNU Toolchain.

While Sourceware has started making some critical technical changes, the
GNU Toolchain still faces serious, systemic concerns about securing a
global, highly available service and building a sustainable, diverse
sponsorship model. At the same time we are freeing up the GNU Toolchain
developers and volunteers to focus on next-generation work, such as
Sourceware’s post-commit CI and Forge-based workflows.

The decision to leverage CTI and LF IT is the direct result of seeking a
comprehensive, long-term solution to these exact challenges, expanding
our sponsorship base and leveraging existing sponsors like the OpenSSF.

The CTI TAC’s proposal to use Linux Foundation IT is rooted in the fact
that they are an existing team in the industry that implements very
similar functionality for the Linux kernel. The proposal directly
benefits glibc developers by partnering with a team that develops and
understands FOSS tooling (b4, grokmirror and patatt) and large-scale
kernel infrastructure. This partnership ensures our core infrastructure
is secure and scalable.

This sustainable path forward for glibc includes:
* A global robust and secure mirrored git repository for public clones
  that supports robust CI/CD workflows for developers and downstream
  distributions.
* A global robust and scalable email system leveraging existing
  production deployments and reputation i.e. subspace.kernel.org.
* A continuous process of review for project requirements, FOSS usage,
  security policy, and cost.
* A sustainable funding model for the infrastructure including a
  diverse collection of sponsors to support various infrastructure
  requirements now and in the future.

While consensus for the move among GNU Maintainers for glibc is not
unanimous, most of the maintainers endorse the move, and key developers
have expressed their support in the upstream discussions. Additionally
CTI has received a lot of feedback over the last 3 years as the project
worked on infrastructure, and we include some of that feedback here and
in our CTI FAQ [1] with comments.

Some members of the community have expressed disappointment that funding
would go to the Linux Foundation. Some members of the community have
expressed concern that a board structure would allow corporate
influence. Neither of these concerns is new, and both exist today with Red
Hat and IBM, both being for-profit corporate entities. The GNU Toolchain
leadership has a 30+ year history of successfully navigating the
dynamics of working with sponsors and providing FOSS solutions,
including meeting the GNU Ethical Repository hosting criteria.

We invite all members of the glibc and GNU Toolchain community to join
us in this important transition. Your insights, contributions, and
feedback are essential to making CTI infrastructure a success that
benefits everyone. Let's work together to build a more secure and
sustainable future — reach out on libc-alpha@sourceware.org, participate
in the weekly office hours, or propose ways to get involved. Let's
collaborate to build a more resilient and sustainable infrastructure
foundation for the GNU Toolchain.

Action plan:

* Weekly office hours for CTI to provide an open space for discussion
  of infrastructure improvements
* Work with LF IT to update the CY24 statement of work and discuss with
  the glibc developers
* Work towards migrating glibc git and mailing lists as first priority
  since these match our security priorities.

Cheers,
Carlos O’Donell
GNU Maintainer for glibc
Core Toolchain Infrastructure Project TAC member

[1] https://cti.coretoolchain.dev/faq/index.html