Re: Interest in ISO 27001 audit/certification for the Debian Project?
Simon Josefsson <simon@josefsson.org> writes:
> I think that is not the only possible scenario -- another one that I
> find at least reasonable, if not more likely, is that anyone who
> considered volunteering to implement this soon realized that there are
> fundamental aspects that would need to be addressed first, raised those
> concerns, did not find sufficient support or interest to address or talk
> about the concerns, and started to work on improving those issues
> elsewhere (if they at all cared to pursue it further, demotivation is a
> factor too).
Sure, I intended to include that in "not in a position to do that work."
Missing prerequisites is one of the reasons why someone may not be in a
position to do that work.
> That pattern applies to Ubuntu, although I guess ISO 27001 on its own
> may not have been the biggest motivation there. Still, the end result
> is that Ubuntu has ISO 27k and Debian hasn't.
I think we're both agreeing on ISO 27001.
I would expect the current state, since Ubuntu is (in part) the product of
a commercial company that wants to sell to the sorts of institutions that
care about ISO 27001 and therefore is willing to pay people to do the
tedious and annoying work of filling out all the paperwork required for
certification.
Debian is (presumably) not. It's not at all obvious to me, as someone who
has worked on ISO 27001 and other security certifications before, why
Debian would bother. The current certification state feels like an
excellent division of labor to me: The volunteer project works on the
things that are more interesting and enjoyable to do in one's spare time
or as targeted contract work, and the company attempting to make a
commercial product takes a snapshot of that work and then does all the
tedious and annoying certification paperwork filing and maintenance, which
often requires a full-time compliance team, external audits depending on
the specific certification, etc.
Certification compliance is not something I would ever work on without
being paid, personally. It is not enjoyable or fun; it's a job whose only
real benefit is the paycheck you get for doing it. That's of course just
my personal opinion; maybe someone out there finds filling out ISO 27001
paperwork a great way to spend a lazy Saturday afternoon.
> (I guess the reference to "you" is not directly meant to me, but someone
> else? I don't recall bringing up ISO 27k before and personally I find
> such certifications, like FIPS, generally more harmful than useful.
> Some parts of ISO 27k bring up important topics, but you can become ISO
> 27k certified without really addressing the problems, and some of the
> topics they bring up may imply worse technical solutions.)
No, I mean you, but I was talking about the "I would disagree that Debian
would not be improved by further documentation and transparency work" part
of your message. You have been making this point for some time, and still
seem unhappy with the current state, so I assume that the basic problem is
lack of volunteer resources. That may include resources to work through
whatever underlying concerns people may have uncovered and figure out how
to address them within Debian's structure; that is, indeed, part of that
work. My point is that I don't think anyone is *opposed* to "further
documentation and transparency work." There are just a lot of things to do
in Debian and people work on the things they think are important or enjoy.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>