Security

Exploring the Future of Open Source Security at OCX 2024

Exploring the Future of Open Source Security at OCX 2024

Mikaël Barbero
In the fast-paced world of software development, open source has emerged as a catalyst for innovation. But with this rapid growth comes an equally crucial responsibility: security. As open source continues to reshape the digital landscape, ensuring robust security measures is no longer optional; it’s essential. That’s why Open Community Experience (OCX) is placing a strong emphasis on the latest advancements in open source security. What Is OCX 2024? OCX 2024 is a conference taking place on 22-24 October in Mainz, Germany, where the future of open source is actively shaped.
Securing the Future: 2FA Now Mandatory for Eclipse Foundation Committers

Securing the Future: 2FA Now Mandatory for Eclipse Foundation Committers

Mikaël Barbero
The Eclipse Foundation is pleased to announce the successful implementation of two-factor authentication (2FA) for all committers on both gitlab.eclipse.org and github.com. This initiative, aimed at bolstering the security of our source code repositories, mandates that all users with write access to an Eclipse Project repository (commonly known as committers) on GitHub and the Eclipse Foundation GitLab instance must use 2FA. Two-factor authentication adds an extra layer of security by requiring not only a password but also a second form of verification.
Understanding Software Provenance Attestation: The Roles of SLSA and in-toto

Understanding Software Provenance Attestation: The Roles of SLSA and in-toto

Mikaël Barbero
A software provenance attestation is a signed document that associates metadata with an artifact, encompassing details like the artifact’s origin, build steps, and dependencies. This information is critical for verifying the artifact’s authenticity and integrity. Featuring a cryptographic signature, provenance attestation ensures the document remains unaltered, playing a vital role in mitigating supply chain attacks. By scrutinizing the provenance of binaries, users can thwart the execution of malicious code on their systems.
Understanding Software Provenance

Understanding Software Provenance

Mikaël Barbero

In the ever-evolving landscape of open-source software development, the creation and distribution of artifacts—such as compiled binaries, libraries, and documentation—represent the tangible results of a multifaceted process. These artifacts are more than just a collection of code; they are the final product of myriad decisions, alterations, and contributions, each with its unique narrative. It’s essential to grasp these narratives or the provenance of these artifacts, to secure the supply chain effectively. Moreover, the integrity and security of these artifacts are paramount, as they underpin the trust and reliability users expect. This post aims to demystify the concept of provenance for these released artifacts. We will delve into why a comprehensive understanding of their origins and the path they take—examined through the lens of the journalistic 5W1H (Who, What, When, Where, Why, and How)—is crucial for enhancing the security posture of an open source project’s supply chain.

Eclipse Foundation Embraces Sigstore

Eclipse Foundation Embraces Sigstore

Mikaël Barbero

As part of our ongoing commitment to fortifying the security of our software development processes, we’re excited to announce a significant enhancement for all Eclipse Foundation projects utilizing our Jenkins infrastructure. This advancement comes with the integration of Sigstore, a cutting-edge solution designed to bolster the security and integrity of software supply chains. By exploring the integration of Sigstore within the Eclipse Foundation’s Jenkins setup, this article sets out to demonstrate how this advancement is reshaping secure software development and deployment for Eclipse Foundation projects.

Elevating Software Supply Chain Security: Eclipse Foundation's 2FA Milestone

Elevating Software Supply Chain Security: Eclipse Foundation's 2FA Milestone

Mikaël Barbero

In the realm of open-source software, security of the supply chain is not just a concern—it’s a crucial battleground. The Eclipse Foundation, at the forefront of this fight, has taken a decisive step with its 2023 initiative to enforce two-factor authentication (2FA) across its platforms. This move is more than a security upgrade; it’s a testament to the Foundation’s commitment to safeguarding the open-source software supply chain against escalating threats.

Eclipse Mosquitto Security Audit Has Been Completed

Eclipse Mosquitto Security Audit Has Been Completed

Mikaël Barbero
We’re excited to announce that the Eclipse Foundation has successfully conducted a security audit for Eclipse Mosquitto, marking our fourth project audit this year. To enhance security, all Mosquitto users are urged to upgrade to the latest available version. All issues identified by the audit have been fixed in the source code. An Eclipse IoT project, Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations, from powerful servers to embedded and low power machines.
Eclipse Jetty Security Audit Has Been Completed

Eclipse Jetty Security Audit Has Been Completed

Mikaël Barbero

We’re proud to share that the Eclipse Foundation has completed the security audit for Eclipse Jetty, one of the world’s most widely deployed web server and servlet containers. All users are encouraged to upgrade to versions containing changes addressing all conclusions of the audit: Eclipse Jetty 12.0.0, 11.0.16, 10.0.16, and 9.4.53.

Eclipse Foundation Publishes Results of Equinox p2 Security Audit

Mikaël Barbero

Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects.

Today, we’re taking another step forward with the completion of the security audit for Equinox p2, the provisioning component of the Eclipse IDE.