Add core entry from matthew

svn path=/head/; revision=49562

en_US.ISO8859-1/htdocs/news/status/report-2016-07-2016-09.xml

@@ -1242,4 +1242,120 @@
 
     </body>
   </project>
+
+  <project cat='team'>
+    <title>The &os; Core Team</title>
+
+    <contact>
+      <person>
+	<name>&os; Core Team</name>
+	<email>core@FreeBSD.org</email>
+      </person>
+    </contact>
+
+    <body>
+      <p>The third quarter started with the handover to the ninth Core
+	team as it took office.  With four members returning from the
+	previous core (Baptiste Daroussin, Ed Maste, George Neville-Neil
+	and Hiroki Sato); one returning member after a term away (John
+	Baldwin) and four members new to core (Allan Jude, Kris Moore,
+	Benedict Reuschling and Benno Rice) the new core team represents
+	just about the ideal balance between experience and fresh
+	blood.</p>
+
+      <p>Beyond handing over all of the ongoing business, reviewing
+	everything on Core's agenda and other routine changeover
+	activities, the first action of the new core was to respond to a
+	query from Craig Rodrigues concerning how hardware supplied to the
+	project through donations to the &os; Foundation was being
+	used.</p>
+
+      <p>The Foundation does keep records of what hardware has been
+	supplied over time and has some idea of the original purpose that
+	hardware was provisioned for, but does not track the current usage
+	of the project's hardware assets.  Cluster administration keep
+	their own configuration database, but this is not suitable for
+	general publication and covers much more than Foundation supplied
+	equipment.  After some discussion it was decided that updated
+	information about the current disposition of Foundation supplied
+	equipment should be incorporated in the Foundation's annual
+	report.</p>
+
+      <p>Ensuring that all of the &os; code base is supplied under open
+	and unencumbered licensing terms and that we do not infringe on
+	patent terms or otherwise act counter to any legal requirements
+	are some of Core's primary concerns.  During this quarter, there
+	were three items of this nature.</p>
+
+      <ul>
+	<li>Importing Concurrency Kit.  In consultation with the
+	  Foundation's legal counsel, it was determined that the relevant
+	  patents on the 'Read Copy Update' synchronization mechanisms
+	  have expired, and consequently the import of selected parts of
+	  concurrency kit was approved.</li>
+
+	<li>The proposal to create a shadow GPLv3 toolchain repository
+	  was put to the community.  Ultimately the whole idea has been
+	  rendered largely redundant by faster than anticipated progress
+	  at integrating the latest LLVM toolchain on most of the
+	  interesting system architectures.  The goal of a GPL-free base
+	  system is within our grasp.</li>
+
+	<li>Reports that GPL code has been pasted into linuxkpi sources
+	  are under investigation.  Core would like to stress that great
+	  care must be taken to avoid inadvertent license infringement,
+	  especially when implementing hardware interfaces or similar
+	  where there is limited scope to invent new constants or
+	  otherwise make it clear this is a novel implementation.</li>
+      </ul>
+
+      <p>Work on LLVM has thrown up problems with the presence of
+	certain pre-compiled binary-only drivers as part of the GENERIC
+	kernel.  Core has adopted the policy that such binary-only code
+	should be moved to loadable modules and that the GENERIC kernel
+	must be compiled entirely from original sources.</p>
+
+      <p>The item that has absorbed the largest portion of Core's
+	attention this quarter concerns the project's handling of security
+	vulnerabilities in bspatch(1), libarchive(3), FreeBSD-update(8)
+	and portsnap(8).  A partial fix was applied in
+	&os;-SA-16:25.bspatch but this lacks fixes to libarchive code
+	that were not yet available from upstream.</p>
+
+      <p>SecTeam receives privileged early reports of many
+	vulnerabilities and consequently has a strict policy of not
+	commenting publicly until an advisory and patches have been
+	published.  Early access to information about vulnerabilities is
+	contingent on their ability to avoid premature disclosure, and
+	without such, they could not have security advisories and
+	patches ready to go immediately the vulnerability is
+	published.</p>
+
+      <p>However, in this case, vulnerabilities were already public and
+	the lack of any official response from the &os; project was
+	leading to concern amongst users and some critical press coverage.
+	Core stepped in and published a statement clarifying the situation
+	and the particular difficulties involved in securely modifying the
+	mechanisms used to deliver security patches.  Core believes that
+	prompt notification and discussion of the implications and
+	possible workarounds to any <i>public</i> vulnerability should not wait
+	on the availability of formal OS patches.</p>
+
+      <p>The OpenSSH project has deprecated DSA keys upstream.  &os; had
+	kept DSA keys enabled in the later 10.x releases for compatibility
+	reasons, but with the release of 11.0 the time has come to
+	synchronise again with upstream.  Since there are numerous DSA
+	keys in use in the &os; cluster this has necessitated an
+	exercise to get replacement keys installed.  Core would like to
+	thank David Wolfskill and the accounts team for handling the surge
+	in key changes with a great deal of aplomb.</p>
+
+      <p>During this quarter we welcomed Michael Zhilin, Imre Vadasz,
+	Steve Kiernan and Toomas Soome as new source committers.  Over the
+	same period, we said farewell to Martin Wilke and Erwin Lansing
+	who have handed in their commit bits.  We wish them well in their
+	future endeavours and hope to see them return as soon as they
+	can.</p>
+    </body>
+  </project>
 </report>