Optional Identity Verification for Eclipse Foundation Committers Launches June 2

Mikaël Barbero

Trust is a core part of open source collaboration. At the Eclipse Foundation, we have always required committers to provide their real first and last name when signing their committer agreements, and we have long stated that certain committer information, including name and email address, is publicly displayed in connection with contributions. On June 2, the Eclipse Foundation will make optional identity verification generally available for Eclipse Foundation committers.

I want to be clear about what this is, and just as importantly, what it is not. This is an optional program. We have no plan to make it mandatory in the foreseeable future. This is not a staged rollout, a hidden policy change, or a first step toward requiring identity verification for all committers. If that position were ever to change, it would require open discussion, proper governance, and careful legal and community review.

The purpose of this program is narrower: to give committers who choose to participate an additional way to demonstrate that their displayed Eclipse Foundation account name has been verified against a government-issued ID.

What is changing?

Committers who choose to participate will be able to verify their identity using a government-issued ID through iDenfy, our identity verification provider headquartered in the European Union. A successful verification will result in a checkmark on the committer’s Eclipse Foundation account profile. That checkmark indicates that the displayed name on the account has been verified against a government-issued ID.

This program does not change our mission, our governance model, or our existing committer requirements. It provides an additional, voluntary mechanism for committers who want to demonstrate alignment with the Eclipse Foundation’s existing rules of engagement. In practical terms:

  • Participation is optional.
  • The program is available to Eclipse Foundation committers.
  • A successful verification results in a checkmark on the committer’s Eclipse Foundation account profile.
  • The checkmark indicates that the displayed name has been verified against a government-issued ID.
  • The program may later serve as an additional factor for account recovery for committers who choose to participate.

ID verification badge on Eclipse Foundation user account

Why are we doing this?

The security and integrity of open source software are increasingly important to users, adopters, contributors, and downstream consumers. Open source communities are being asked to provide stronger assurances about the software they produce and the processes used to produce it. This program is one concrete step in that direction.

It gives committers a voluntary account-level trust signal while preserving the openness and community-led nature of Eclipse Foundation projects. It is intended to strengthen trust, not to create barriers to participation. There are committers who may want a way to show that their Eclipse Foundation account identity has been verified. There are also projects and adopters that may find such a trust signal useful. This program makes that possible without imposing it on those who do not want to participate.

Privacy and data handling

Identity verification is a sensitive topic, and we have designed this program with data minimization in mind. The verification workflow is handled by iDenfy. Government-issued ID images, face photos, and similar source materials are processed by iDenfy and are not stored by the Eclipse Foundation.

On the Eclipse Foundation side, we store only the validation certificate returned after a successful verification. That certificate includes the issuance date, the validated field values needed for the program, such as first name, last name, and country, and a digital signature. iDenfy retains verification materials for a limited operational and debugging period, currently up to 90 days, after which they are deleted according to the configured retention policy.

Documentation and FAQ

We also recognize that committers may have practical questions about how the verification process works, what information is used, what is stored, what is not stored, and how to interpret the verification checkmark. More detailed documentation about the process, along with a FAQ, will be published in the Eclipse Foundation Project Handbook by the June 2 general availability date.

In the meantime, we encourage questions and discussion in the Eclipse CSI GitHub Discussions area.

What this does not mean

Because identity verification can raise understandable concerns, I want to address this directly. This is not a mandatory identity verification program. It is not age verification. It is not a change to how Eclipse Foundation projects are governed. It is not a change to how contributors participate in our communities. It is also not a quiet first step toward making identity verification mandatory.

The program is voluntary. Committers can decide whether participating makes sense for them. Our goal is to provide an additional trust mechanism for those who want it, while continuing to respect the open, global, and community-driven nature of the Eclipse Foundation ecosystem.

Join the discussion

We know this topic can raise important questions about privacy, security, accessibility, community norms, and the future of open source participation. Those questions deserve open discussion. Please share your questions, concerns, and suggestions in the Eclipse CSI GitHub Discussions area:

https://github.com/orgs/eclipse-csi/discussions

We welcome input from committers and the broader Eclipse Foundation community as we make this capability generally available on June 2.

Thank you

Thanks to Alpha-Omega for their support of the Eclipse Foundation ecosystem security by sponsoring this work.