Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-03-02 Thread Ed Merks
Mickael, The Planning Council has worked with the IDE WG to create the following issue which is looking to address the PGP-related issues as well as two other outstanding p2 CVEs:

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-02-22 Thread Mickael Istria
Hello, As far as I'm aware, there is currently no one really planning to provide some fixes for the identified vulnerabilities. They're still important though. So I would suggest that we just open CVEs for those ASAP without waiting further, as waiting longer isn't likely to increase the chances

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-02-22 Thread Amir Montazery
Hello everyone! I thought to follow up on this thread to see if there was any feedback or progress on remediation of the 3 major vulnerabilities reported in the audit. As soon as the Eclipse PMC members and Equinox developers are satisfied with the report and status of the fixes, OSTIF can help

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2023-01-31 Thread Mikael Barbero via equinox-dev
Dear Eclipse PMC members, Dear Equinox developers, I am pleased to inform you that the security audit of the recent changes to p2 to support detached signatures has been completed. A report is available for review upon request (limited to PMC members and committers). Mickael Istria and Ed Merks

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-10-21 Thread Mikael Barbero
Dear equinox/p2 devs, OSTIF got the responses from the audit companies and the best one was from Include Security that covers: 1) Code review Equinox p2 2) Threat model 3) SAST Review and suggestions 4) ossfuzz review and implementation (as time allows) 5) Reporting 6) QA / Project Management

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-08-22 Thread Mikael Barbero
(hit send too fast). I will let OSTIF know that we're good to go with the current RFP. Will keep you posted. Mikaël Barbero Head of Security | Eclipse Foundation @mikbarbero Eclipse Foundation : The Platform for Open Innovation and Collaboration > On 22 Aug 2022,

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-08-22 Thread Mikael Barbero
Thanks everyone. Mikaël Barbero Head of Security | Eclipse Foundation @mikbarbero Eclipse Foundation : The Platform for Open Innovation and Collaboration > On 22 Aug 2022, at 17:04, Mickael Istria wrote: > > Hi, > > The draft seems good enough to me as well. >

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-08-22 Thread Mickael Istria
Hi, The draft seems good enough to me as well. Cheers,

Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-08-11 Thread Ed Merks
Mikael, The draft is simple and looks fine. Thanks, Ed On 10.08.2022 12:23, Mikael Barbero wrote: Dear Equinox developers, The Eclipse Foundation is willing to fund a security audit of the recent changes to p2 to support detached signatures (made to replace classical jars signing). The

[equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)

2022-08-10 Thread Mikael Barbero
Dear Equinox developers, The Eclipse Foundation is willing to fund a security audit of the recent changes to p2 to support detached signatures (made to replace classical jars signing). The Eclipse Foundation recognizes the benefits of the new workflow and we would like to help the project