[equinox-dev] Fwd: Security audit of the recent changes to Eclipse p2 (P

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[equinox-dev] Fwd: Security audit of the recent changes to Eclipse p2 (PGP signatures)

From: Aleksandar Kurtakov <akurtako@xxxxxxxxxx>
Date: Thu, 11 Aug 2022 11:54:38 +0300
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/equinox-dev/>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>

I replied to Mikael only by mistake. Forwarding it now for publicity.

---------- Forwarded message ---------
From: Aleksandar Kurtakov <akurtako@xxxxxxxxxx>
Date: Wed, Aug 10, 2022 at 1:29 PM
Subject: Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
To: Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx>

Hey Mikaël,

Mickael Istria has been the main guy behind this and is on vacation for the next couple of weeks, I think we will have to wait for him.

On Wed, Aug 10, 2022 at 1:24 PM Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Dear Equinox developers,

The Eclipse Foundation is willing to fund a security audit of the recent changes to p2 to support detached signatures (made to replace classical jars signing).

The Eclipse Foundation recognizes the benefits of the new workflow and we would like to help the project verify that the move from a chain of trust based on certificates managed by the JRE to a chain of trust based on PGP did not introduce any flaw in the install/update workflow. Such a flaw could render users' setup vulnerable to some attacks and exploitation of a flaw could be a hard blow to the Equinox project and the Eclipse IDE reputation.

The audit company we selected is OSTIF. They have an excellent track record in auditing Open Source projects like OpenSSL or SLF4j. I've cc'd OSTIF's directors, Derek and Amir. They will explain you the different milestones that will eventually lead to the publication of a report.

The very first step is to define the scope of the audit. It will be provided to the audit team to help them focus on the key area of the code that we want to asses (and hopefully improve) the security.

Please find a draft of such a scope at https://docs.google.com/document/d/1uwZU56d0pW40sUonm83bf1Uy9xLbb0C1vDOQC5FGhp8/edit?usp=sharing. Feel free to make suggestions and/or comments on the document itself.

Thank you for your help in doing this work that will help enhancing the security of Equinox p2.

Mikaël Barbero
Head of Security | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/equinox-dev

Aleksandar Kurtakov

Red Hat Eclipse Team

Aleksandar Kurtakov

Red Hat Eclipse Team

References:
- [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
  - From: Mikael Barbero

Prev by Date: Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
Next by Date: [equinox-dev] Eclipse and Equinox 4.25 (2022-09) M3 Reminder
Previous by thread: Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
Next by thread: Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
Index(es):
- Date
- Thread

Breadcrumbs