* [LTP] Inquiry: Country of Origin for LCOV Version 1.x
@ 2022-07-01 15:35 Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
  2022-07-04 17:55 ` Cyril Hrubis
  0 siblings, 1 reply; 5+ messages in thread
From: Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp @ 2022-07-01 15:35 UTC (permalink / raw)
  To: ltp


Hello, my name is Cynthia and I am a Supply Chain Risk Management Analyst at NASA. NASA is currently conducting a supply chain assessment of LCOV Version 1.x.  As stated in Sections 208 and 514 of the Consolidated Appropriations Act, 2022, Public Law 117-103, enacted March 15, 2022, a required step of our process is to verify the Country of Origin (CoO) information for the product (i.e., the country where the products were developed, manufactured, and assembled.)
As LCOV Version 1.x is open source, we understand that this inquiry is not directly applicable, as contributions may be made from individuals from around the world. In this case, NASA is interested in confirming the following information:

  1.  Is there an organization which sponsors/publishes the project, or a primary developer who audits the code for potential vulnerabilities, errors, or malicious code? Y/N
  2.  Does LCOV Version 1.x have an overseeing organization or individual along these lines? Y/N

  1.  If so, please provide the name of the organization and country they are established in.
If the information above is unknown or cannot be provided, we request that you provide the country or list of countries where the majority of contributions originate from to satisfy Sections 208 and 514 of the Consolidated Appropriations Act, 2022, Public Law 117-103, enacted March 15, 2022.

Thank you,
Cynthia

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

* Re: [LTP] Inquiry: Country of Origin for LCOV Version 1.x
  2022-07-01 15:35 [LTP] Inquiry: Country of Origin for LCOV Version 1.x Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
@ 2022-07-04 17:55 ` Cyril Hrubis
  2022-07-05 11:47   ` [LTP] [EXTERNAL] " Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
  2022-07-08 13:35   ` [LTP] " Peter Oberparleiter
  0 siblings, 2 replies; 5+ messages in thread
From: Cyril Hrubis @ 2022-07-04 17:55 UTC (permalink / raw)
  To: Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP]; +Cc: oberpar, ltp

Hi!
> Hello, my name is Cynthia and I am a Supply Chain Risk Management
> Analyst at NASA. NASA is currently conducting a supply chain
> assessment of LCOV Version 1.x.  As stated in Sections 208 and 514 of
> the Consolidated Appropriations Act, 2022, Public Law 117-103, enacted
> March 15, 2022, a required step of our process is to verify the
> Country of Origin (CoO) information for the product (i.e., the country
> where the products were developed, manufactured, and assembled.) As
> LCOV Version 1.x is open source, we understand that this inquiry is
> not directly applicable, as contributions may be made from individuals
> from around the world. In this case, NASA is interested in confirming
> the following information:
>
>   1.  Is there an organization which sponsors/publishes the project,
>       or a primary developer who audits the code for potential
>       vulnerabilities, errors, or malicious code? Y/N
>
>   2.  Does LCOV Version 1.x have an overseeing organization or
>       individual along these lines? Y/N
>
>   1.  If so, please provide the name of the organization and country
>   they are established in.  If the information above is unknown or
>   cannot be provided, we request that you provide the country or list
>   of countries where the majority of contributions originate from to
>   satisfy Sections 208 and 514 of the Consolidated Appropriations Act,
>   2022, Public Law 117-103, enacted March 15, 2022.

As far as I can tell LCOV is maintained by Peter Oberparleiter from IBM
(now in CC).

-- 
Cyril Hrubis
chrubis@suse.cz

* Re: [LTP] [EXTERNAL] Re: Inquiry: Country of Origin for LCOV Version 1.x
  2022-07-04 17:55 ` Cyril Hrubis
@ 2022-07-05 11:47   ` Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
  2022-07-08 13:35   ` [LTP] " Peter Oberparleiter
  1 sibling, 0 replies; 5+ messages in thread
From: Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp @ 2022-07-05 11:47 UTC (permalink / raw)
  To: Cyril Hrubis; +Cc: oberpar, ltp

Thank you for your help!

* Re: [LTP] Inquiry: Country of Origin for LCOV Version 1.x
  2022-07-04 17:55 ` Cyril Hrubis
  2022-07-05 11:47   ` [LTP] [EXTERNAL] " Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
@ 2022-07-08 13:35   ` Peter Oberparleiter
  2022-07-08 13:36     ` [LTP] [EXTERNAL] " Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
  1 sibling, 1 reply; 5+ messages in thread
From: Peter Oberparleiter @ 2022-07-08 13:35 UTC (permalink / raw)
  To: Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP]; +Cc: ltp

Hi,

please find my reply to your questions regarding LCOV below.

>> Hello, my name is Cynthia and I am a Supply Chain Risk Management
>> Analyst at NASA. NASA is currently conducting a supply chain
>> assessment of LCOV Version 1.x.  As stated in Sections 208 and 514 of
>> the Consolidated Appropriations Act, 2022, Public Law 117-103, enacted
>> March 15, 2022, a required step of our process is to verify the
>> Country of Origin (CoO) information for the product (i.e., the country
>> where the products were developed, manufactured, and assembled.) As
>> LCOV Version 1.x is open source, we understand that this inquiry is
>> not directly applicable, as contributions may be made from individuals
>> from around the world. In this case, NASA is interested in confirming
>> the following information:
>>
>>   1.  Is there an organization which sponsors/publishes the project,
>>       or a primary developer who audits the code for potential
>>       vulnerabilities, errors, or malicious code? Y/N
>>
>>   2.  Does LCOV Version 1.x have an overseeing organization or
>>       individual along these lines? Y/N

IBM is the main sponsor of work on the upstream LCOV repository [1], and
I'm working as maintainer of the LCOV code base. In this role I review
code contributions from other developers for apparent errors, and
alignment with LCOV’s project goals [2] and coding style before inclusion.

However there is no formal procedure established to audit the code
specifically for potential vulnerabilities or malicious code. Therefore
the answer to these two questions is no.

>>   1.  If so, please provide the name of the organization and country
>>   they are established in.  If the information above is unknown or
>>   cannot be provided, we request that you provide the country or list
>>   of countries where the majority of contributions originate from to
>>   satisfy Sections 208 and 514 of the Consolidated Appropriations Act,
>>   2022, Public Law 117-103, enacted March 15, 2022.

At the time of writing (July 2022), the majority (>90%) of code as
measured in lines of code in the LCOV repository was developed by myself
on behalf of “IBM Deutschland Research & Development GmbH” which is a
German subsidiary of the US-based IBM Corporation.

Furthermore the LCOV git repository [1] contains a record of all
contributions, including the e-mail address of each contributor, but no
attribution to countries of origin.


Regards,
  Peter

[1] https://github.com/linux-test-project/lcov
[2] https://github.com/linux-test-project/lcov/blob/v1.16/CONTRIBUTING#L51

-- 
Peter Oberparleiter
Linux on IBM Z Development
IBM Deutschland Research & Development GmbH

Chairman of the Supervisory Board: Gregor Pillen
Management: David Faller
Registered office: Böblingen
Court of registration: Amtsgericht Stuttgart, HRB 243294

* Re: [LTP] [EXTERNAL] Re: Inquiry: Country of Origin for LCOV Version 1.x
  2022-07-08 13:35   ` [LTP] " Peter Oberparleiter
@ 2022-07-08 13:36     ` Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp
  0 siblings, 0 replies; 5+ messages in thread
From: Zhang, Cynthia X. (GSFC-710.0)[TELOPHASE CORP] via ltp @ 2022-07-08 13:36 UTC (permalink / raw)
  To: Peter Oberparleiter; +Cc: ltp

Thank you for your help!
