Mickael,

The Planning Council has worked with the IDE WG to create the following issue which is looking to address the PGP-related issues as well as two other outstanding p2 CVEs:

https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg-dev-funded-efforts/ide-wg-dev-funded-program-planning-council-top-issues/-/issues/16

My sense is that we'd present a better image to the community, i.e., get attention in a more positive way, if we demonstrated through actions that we care about fixing security problems...

Regards,
Ed

On 22.02.2023 17:36, Mickael Istria wrote:
Hello,

For what I'm aware of, there is currently no-one really planning to provide some fixes for the identified vulnerabilities. They're still important though. So I would suggest that we just open CVEs for those ASAP without waiting further, as waiting longer isn't likely to increase the chances of seeing fixes coming in, while having CVEs open is more likely to get the attention of consumers and potential contributors so they become more likely to contribute a fix.

What do you think?

On Wed, Feb 22, 2023 at 5:13 PM Amir Montazery <[email protected]> wrote:

    Hello everyone! I thought to follow up on this thread to see if
    there was any feedback or progress on remediation of the 3 major
    vulnerabilities reported in the audit.

    As soon as the Eclipse PMC members and Equinox developers are
    satisfied with the report and status of the fixes, OSTIF can help
    with the publication and sharing of the results.

    Thank you,
    Amir

    On Tue, Jan 31, 2023 at 11:49 AM Mikael Barbero via equinox-dev
    <[email protected]> wrote:

        Dear Eclipse PMC members, Dear Equinox developers,

        I am pleased to inform you that the security audit of the
        recent changes to p2 to support detached signatures has been
        completed. A report is available for review upon request
        (limited to PMC members and committers). Mickael Istria and Ed
        Merks participated in the audit and have seen early and final
        versions of the report.

        There are some findings in the report, and I have created
        vulnerability issues for the major ones:

          * https://bugs.eclipse.org/bugs/show_bug.cgi?id=581453
          * https://bugs.eclipse.org/bugs/show_bug.cgi?id=581452
          * https://bugs.eclipse.org/bugs/show_bug.cgi?id=581451

        Note: These issues are only visible to committers until full
        disclosure.

        As for the low-risk findings, it is up to the committers and
        PMC members who request the report to decide whether to create
        vulnerability tickets or regular issues.

        The most critical issue identified by the security firm is
        CVE-2021-41037
        (https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029), which
        has not seen a fix in the past 2 years. The PMC may want to
        re-consider this issue.

        Please let us know the Eclipse project's plan for addressing
        the 3 major vulnerabilities listed above. Note that the bugs
        and the report shall be published no later than May 1st, as
        per the Eclipse Foundation Security Policy
        (https://www.eclipse.org/security/policy.php). Of course, we
        can also disclose it earlier at your discretion.

        Thanks!

        On Tue, Aug 9, 2022 at 6:08 PM Mikael Barbero
        <[email protected]> wrote:

            Dear Eclipse PMC members,

            As you may know, the Eclipse Foundation is about to fund a
            security audit of the recent changes to p2 to support
            detached signatures (made to replace classical jars signing).

            The Eclipse Foundation recognizes the benefits of the new
            workflow and we would like to help the project verify that
            the move from a chain of trust based on certificates
            managed by the JRE to a chain of trust based on PGP did
            not introduce any flaw in the verification process. Such a
            flaw could render users' setup vulnerable to attacks and
            exploitation of a flaw could be a hard blow to the Eclipse
            IDE reputation.

            I will shortly introduce an audit company to the Eclipse
            p2 committers. I will do that on the equinox-dev mailing
            list. I will ask the committers to help us (the Eclipse
            Foundation and the audit company) define the exact scope
            of the audit. We kindly ask you, members of the Eclipse
            PMC, your support with this process. We will especially
            appreciate your help with easing the communication between
            the project and the audit company and as such, make the
            audit to be as fruitful as possible.

            FYI, the audit company is OSTIF <https://ostif.org>. They
            have an excellent track record
            <https://github.com/ostif-org/OSTIF/blob/main/Completed-Engagements.md>
            in auditing Open Source projects like OpenSSL or SLF4j.

            Feel free to get back to me if you have any question.

            Thanks.


            *Mikaël Barbero *
            *Head of Security | Eclipse Foundation*
            🐦 @mikbarbero
            Eclipse Foundation <http://www.eclipse.org/>: The Platform
            for Open Innovation and Collaboration

        _______________________________________________
        equinox-dev mailing list
        [email protected]
        To unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/equinox-dev



-- *Amir Montazery*
    Managing Director
    Open Source Technology Improvement Fund
    https://ostif.org/
    https://calendly.com/ostif




--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/eclipseide> developer, for Red Hat Developers <https://developers.redhat.com/>
