I replied to Mikael only by mistake. Forwarding it now for publicity.

---------- Forwarded message ---------
From: Aleksandar Kurtakov <akurt...@redhat.com>
Date: Wed, Aug 10, 2022 at 1:29 PM
Subject: Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
To: Mikaël Barbero <mikael.barb...@eclipse-foundation.org>
Hey Mikaël,

Mickael Istria has been the main guy behind this and is on vacation for the next couple of weeks, I think we will have to wait for him.

On Wed, Aug 10, 2022 at 1:24 PM Mikael Barbero <mikael.barb...@eclipse-foundation.org> wrote:
> Dear Equinox developers,
>
> The Eclipse Foundation is willing to fund a security audit of the recent
> changes to p2 to support detached signatures (made to replace classical
> jar signing).
>
> The Eclipse Foundation recognizes the benefits of the new workflow and we
> would like to help the project verify that the move from a chain of trust
> based on certificates managed by the JRE to a chain of trust based on PGP
> did not introduce any flaw in the install/update workflow. Such a flaw
> could render users' setups vulnerable to some attacks, and exploitation of a
> flaw could be a hard blow to the Equinox project and the Eclipse IDE's
> reputation.
>
> The audit company we selected is OSTIF <https://ostif.org>. They have an
> excellent track record
> <https://github.com/ostif-org/OSTIF/blob/main/Completed-Engagements.md> in
> auditing Open Source projects like OpenSSL or SLF4j. I've cc'd OSTIF's
> directors, Derek and Amir. They will explain to you the different milestones
> that will eventually lead to the publication of a report.
>
> The very first step is to define the scope of the audit. It will be
> provided to the audit team to help them focus on the key area of the code
> whose security we want to assess (and hopefully improve).
>
> Please find a draft of such a scope at
> https://docs.google.com/document/d/1uwZU56d0pW40sUonm83bf1Uy9xLbb0C1vDOQC5FGhp8/edit?usp=sharing.
> Feel free to make suggestions and/or comments on the document itself.
>
> Thank you for your help in doing this work that will help enhance the
> security of Equinox p2.
>
> *Mikaël Barbero *
> *Head of Security | Eclipse Foundation*
> 🐦 @mikbarbero
> Eclipse Foundation <http://www.eclipse.org/>: The Platform for Open
> Innovation and Collaboration
>
> _______________________________________________
> equinox-dev mailing list
> equinox-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/equinox-dev

--
Aleksandar Kurtakov
Red Hat Eclipse Team