Re: Interest in ISO 27001 audit/certification for the Debian Project?
I completely agree.
It's also a reason why I've decided to not implement ssfscorecards
crap in my personal projects.
If some corporation that wants to sell to the USA army or whatever
needs some compliance done, it won't be happening for free.
I think it is important to resist these pressures that ultimately come
from wealthy corporations trying to make us work for free.
So I'm against the idea of getting certified in principle. (I'm not
necessarily against the idea of improving the processes we use, but
only if there is no increase in workload).
Best
On Wed, 19 Nov 2025 at 13:39 Marc Haber
<mh+debian-devel@zugschlus.de> wrote:
>
> On Tue, Nov 18, 2025 at 09:44:10AM +0000, Farruco wrote:
> >TL;DR: Does Debian (via SPI) have plans or interest in pursuing ISO 27001
> >certification for its development, maintenance, and operations? This
> >could bolster assurance for users amid supply chain risks.
>
> In my paid work, the work that I need to do to pay for housing and food,
> I have to jump through uncomfortable burning hoops. I have to present my
> ideas in front of committees full of people who don't have the knowledge
> or expertise to judge my ideas, but they still do. This has already
> taken the fun from my paid work 20 years ago.
>
> As an unpaid volunteer, I do HATE the idea of the same hoops being
> placed inside Debian.
>
> "Enterprise IT is like IT, just without the fun".
>
> Going for this (or another) certification will take the fun out of
> Debian as well. Please don't. Debian doesn't need to sell anything.
--
Salvo Tomaselli
The defenders of traditional morality are rarely people of heart. One is
tempted to think that they use morality as a legitimate outlet for their
desire to do harm to others.
-- Bertrand Russell, Why I Am Not a Christian. 1957
http://ltworf.github.io/