We have started publishing a Security Handbook for Eclipse Foundation Committers. The Eclipse Security Handbook provides best practices for securing development workflows within Eclipse Foundation projects. It covers topics such as securing developer accounts, machines, and environments. Additionally, the handbook includes guidelines for vulnerability management, including handling embargoes and issuing security advisories. The document also provides references to tools and other best practices to help maintain secure software development processes.
All remaining GitHub organizations owned by the Eclipse Foundation are now being onboarded to Eclipse OtterDog. There are 172 GitHub organizations managed by OtterDog, an increase of 65 since the end of June. OtterDog now manages the configuration of 1,764 repositories.
This month's updates include:
- Added support for configuring default code scanning setup of a repository.
- Added operation open-pr to automatically create a PR for local changes.
- Deprecated organization settings dependabot_alerts_enabled_for_new_repositories, dependabot_security_updates_enabled_for_new_repositories and dependency_graph_enabled_for_new_repositories.
- Deprecated organization setting has_repository_projects.
- Fixed updating the configuration of a project when its base template changed.
- Fixed updating the configuration of a project when its github_id changed.
The Open Regulatory Compliance Working Group has launched a new website along with a set of associated repositories, which include early documentation, notably a Markdown version of the CRA text with anchors for easy linking. The organizations listed below have completed the necessary paperwork over the past month:
- Open Elements GmbH
- Stichting NLnet Labs
- The Matrix.org Foundation
- OWASP
- SCANOSS
- The Document Foundation
Three webinars have been organized to demystify CRA topics:
- How to read the CRA: Identifying the key parts of the CRA for effective compliance, Enzo Ribagnac, Associate Director for European Policy, Eclipse Foundation
- The CRA Obligations: Identifying the Relevant Obligations for the OSS Community, Benjamin Boegel, Head of Sector for Product Security and Certification Policy at the European Commission
- CRA Standards making: Understanding key standards and their production timeline, Filipe Jones Mourão, Policy Officer, DG CNECT, European Commission
Over the past few weeks, we encountered an issue with our code signing service (both JAR signing and Authenticode). The mandatory switch to a Hardware Security Module (HSM) for certificate storage has significantly impacted our performance and scalability.
In response, we explored various "as-a-service" solutions, aiming to turn this challenge into an opportunity to eliminate our in-house, self-hosted setup and free up some resources. Unfortunately, the market solutions we evaluated do not scale to our requirements, especially in terms of pricing.
At the same time, we investigated using Cloud HSM, which seemed to be a promising solution. We deployed a new version of the signing service that leverages Google KMS as a backend. This approach is far more scalable and has restored build times to normal. We also took this opportunity to adopt the Java-native JSign library for JAR signing and Windows Authenticode, rather than relying on subprocesses.
We discussed the recent changes in Code Signing and GitHub Configuration Self-Service during July's committer office hours.
We published a blog post discussing the new 4.0 version of CVSS. The blog post explains the differences introduced in the CVSS 4.0 scoring system compared to CVSS 3.1. The post also highlights how these changes affect vulnerability scoring for Eclipse Foundation projects and encourages using new fields like "Urgency" for a more nuanced assessment.
We have completed our search for a new Security Software Engineer to join the team. The new member will begin mid-September.