[equinox-dev] Declare 4.27 RC1

2023-02-22 Thread Samantha Dawley
Hello,

Please sign off on Issue 892

- Declare 4.27 RC1

Current Candidate

Eclipse downloads:
https://download.eclipse.org/eclipse/downloads/drops4/I20230222-1800

Build logs and/or test results (eventually):
https://download.eclipse.org/eclipse/downloads/drops4/I20230222-1800/testResults.php

Software site repository:
https://download.eclipse.org/eclipse/updates/4.27-I-builds

Specific (simple) site repository:
https://download.eclipse.org/eclipse/updates/4.27-I-builds/I20230222-1800

Equinox downloads:
https://download.eclipse.org/equinox/drops/I20230222-1800


Best Regards,
Samantha Dawley
Red Hat Eclipse Team
___
equinox-dev mailing list
equinox-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/equinox-dev


Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-02-22 Thread Mickael Istria
Hello,

For what I'm aware of, there is currently no-one really planning to provide
some fixes for the identified vulnerabilities. They're still important
though. So I would suggest that we just open CVEs for those ASAP without
waiting further as waiting longer isn't likely to increase the chances of
seeing fixes coming in while having CVEs open is more likely to get
attention of consumers and potential contributors so they become more
likely to contribute a fix.

What do you think?

On Wed, Feb 22, 2023 at 5:13 PM Amir Montazery wrote:

> Hello everyone! I thought to follow up on this thread to see if there was
> any feedback or progress on remediation of the 3 major vulnerabilities
> reported in the audit.
>
> As soon as the Eclipse PMC members and Equinox developers are satisfied
> with the report and status of the fixes, OSTIF can help with the
> publication and sharing of the results.
>
> Thank you,
> Amir
>
> On Tue, Jan 31, 2023 at 11:49 AM Mikael Barbero via equinox-dev <
> equinox-dev@eclipse.org> wrote:
>
>> Dear Eclipse PMC members, Dear Equinox developers,
>>
>> I am pleased to inform you that the security audit of the recent changes
>> to p2 to support detached signatures has been completed. A report is
>> available for review upon request (limited to PMC members and committers).
>> Mickael Istria and Ed Merks participated in the audit and have seen early
>> and final versions of the report.
>>
>> There are some findings in the report, and I have created vulnerability
>> issues for the major ones:
>>
>>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581453
>>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581452
>>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581451
>>
>> Note: These issues are only visible to committers until full disclosure.
>>
>> As for the low-risk findings, it is up to the committers and PMC members
>> who request the report to decide whether to create vulnerability tickets or
>> regular issues.
>>
>> The most critical issue identified by the security firm is CVE-2021-41037
>> (https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029), which has not
>> seen a fix in the past 2 years. The PMC may want to re-consider this issue.
>>
>> Please let us know the Eclipse project's plan for addressing the 3 major
>> vulnerabilities listed above. Note that the bugs and the report shall be
>> published no later than May 1st, as per the Eclipse Foundation Security
>> Policy (https://www.eclipse.org/security/policy.php). Of course, we can
>> also disclose it earlier at your discretion.
>>
>> Thanks!
>>
>> On Tue, Aug 9, 2022 at 6:08 PM Mikael Barbero <
>> mikael.barb...@eclipse-foundation.org> wrote:
>>
>>> Dear Eclipse PMC members,
>>>
>>> As you may know, the Eclipse Foundation is about to fund a security
>>> audit of the recent changes to p2 to support detached signatures (made to
>>> replace classical jars signing).
>>>
>>> The Eclipse Foundation recognizes the benefits of the new workflow and
>>> we would like to help the project verify that the move from a chain of
>>> trust based on certificates managed by the JRE to a chain of trust based on
>>> PGP did not introduce any flaw in the verification process. Such a flaw
>>> could render users' setup vulnerable to attacks and exploitation of a flaw
>>> could be a hard blow to the Eclipse IDE reputation.
>>>
>>> I will shortly introduce an audit company to the Eclipse p2 committers.
>>> I will do that on the equinox-dev mailing list. I will ask the committers
>>> to help us (the Eclipse Foundation and the audit company) define the exact
>>> scope of the audit. We kindly ask you, members of the Eclipse PMC, your
>>> support with this process. We will especially appreciate your help with
>>> easing the communication between the project and the audit company and as
>>> such, make the audit to be as fruitful as possible.
>>>
>>> FYI, the audit company is OSTIF. They have an excellent track record in
>>> auditing Open Source projects like OpenSSL or SLF4j.
>>>
>>> Feel free to get back to me if you have any question.
>>>
>>> Thanks.
>>>
>>>
>>> *Mikaël Barbero*
>>> *Head of Security | Eclipse Foundation*
>>> @mikbarbero
>>> Eclipse Foundation: The Platform for Open
>>> Innovation and Collaboration
>>>
>>
>
>
> --
> *Amir Montazery*
> Managing Director
> Open Source Technology Improvement Fund
> https://ostif.org/
> https://calendly.com/ostif
>
>


-- 
Mickael Istria
Eclipse IDE 

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-02-22 Thread Amir Montazery
Hello everyone! I thought to follow up on this thread to see if there was
any feedback or progress on remediation of the 3 major vulnerabilities
reported in the audit.

As soon as the Eclipse PMC members and Equinox developers are satisfied
with the report and status of the fixes, OSTIF can help with the
publication and sharing of the results.

Thank you,
Amir

On Tue, Jan 31, 2023 at 11:49 AM Mikael Barbero via equinox-dev <
equinox-dev@eclipse.org> wrote:

> Dear Eclipse PMC members, Dear Equinox developers,
>
> I am pleased to inform you that the security audit of the recent changes
> to p2 to support detached signatures has been completed. A report is
> available for review upon request (limited to PMC members and committers).
> Mickael Istria and Ed Merks participated in the audit and have seen early
> and final versions of the report.
>
> There are some findings in the report, and I have created vulnerability
> issues for the major ones:
>
>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581453
>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581452
>- https://bugs.eclipse.org/bugs/show_bug.cgi?id=581451
>
> Note: These issues are only visible to committers until full disclosure.
>
> As for the low-risk findings, it is up to the committers and PMC members
> who request the report to decide whether to create vulnerability tickets or
> regular issues.
>
> The most critical issue identified by the security firm is CVE-2021-41037 (
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029), which has not seen
> a fix in the past 2 years. The PMC may want to re-consider this issue.
>
> Please let us know the Eclipse project's plan for addressing the 3 major
> vulnerabilities listed above. Note that the bugs and the report shall be
> published no later than May 1st, as per the Eclipse Foundation Security
> Policy (https://www.eclipse.org/security/policy.php). Of course, we can
> also disclose it earlier at your discretion.
>
> Thanks!
>
> On Tue, Aug 9, 2022 at 6:08 PM Mikael Barbero <
> mikael.barb...@eclipse-foundation.org> wrote:
>
>> Dear Eclipse PMC members,
>>
>> As you may know, the Eclipse Foundation is about to fund a security audit
>> of the recent changes to p2 to support detached signatures (made to replace
>> classical jars signing).
>>
>> The Eclipse Foundation recognizes the benefits of the new workflow and we
>> would like to help the project verify that the move from a chain of trust
>> based on certificates managed by the JRE to a chain of trust based on PGP
>> did not introduce any flaw in the verification process. Such a flaw could
>> render users' setup vulnerable to attacks and exploitation of a flaw could
>> be a hard blow to the Eclipse IDE reputation.
>>
>> I will shortly introduce an audit company to the Eclipse p2 committers. I
>> will do that on the equinox-dev mailing list. I will ask the committers to
>> help us (the Eclipse Foundation and the audit company) define the exact
>> scope of the audit. We kindly ask you, members of the Eclipse PMC, your
>> support with this process. We will especially appreciate your help with
>> easing the communication between the project and the audit company and as
>> such, make the audit to be as fruitful as possible.
>>
>> FYI, the audit company is OSTIF. They have an excellent track record in
>> auditing Open Source projects like OpenSSL or SLF4j.
>>
>> Feel free to get back to me if you have any question.
>>
>> Thanks.
>>
>>
>> *Mikaël Barbero*
>> *Head of Security | Eclipse Foundation*
>> @mikbarbero
>> Eclipse Foundation: The Platform for Open
>> Innovation and Collaboration
>>
>


-- 
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif