Mikaël Barbero's blog

Today, the Eclipse Foundation released the results of our security audit for Eclipse JKube , a collection of tools for building Java applications that can be deployed to a cloud environment. Findings from the audit have been addressed in the 1.13 release leading to a new feature. This audit included...

Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects. Today, we’re taking another step...

Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the...

Thanks to financial support from the OpenSSF’s Alpha-Omega project , the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Two Factor Authentication Eclipse Tycho , Eclipse m2e , and Eclipse RAP have all enforced 2FA for all their committers on GitHub: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2701 https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2702...

Advanced shell prompts, such as those provided by theme engines like oh-my-zsh and oh-my-posh , have become increasingly popular among software developers due to their convenience, versatility, and customizability. However, the use of plugins that are executed outside of any sandbox and have full access to the developer shell environment...

Thanks to financial support from the OpenSSF’s Alpha-Omega project , the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Our previous analysis helped us prioritize work area where improvements would be the most significant. Let’s see where we are today. Protect the branches...

Open Source Software Supply Chain is at risk: threat actors are shifting target to amplify the blast radius of their attacks and as such increasing their return on investment. Over the past 3 years, we’ve witnessed an astonishing 742% average annual increase in Software Supply Chain attacks. To make it...

As stewards of the Eclipse Marketplace , the Eclispe Foundation is responsible for providing a safe place for the Eclipse IDE users to download their plugins. While the Eclipse Marketplace does not host or transmit the plugins bits, it provides links to (p2) repositories containing them. Until today, there was...

The Eclipse Foundation recently received financial support from the OpenSSF’s Alpha-Omega project . We are thrilled to be able to help our projects improve the security of their Software Supply Chain. We have a number of initiatives that are being started, but today we will focus on the 1026 git...

A postmortem about the incident that could have affected artifacts on repo.eclipse.org What happened? On Feb 16th 2021, we received a security report about secrets in the main Jiro repository . This report was correct. On March 18th 2020, the secrets were committed inside the repository. What was leaked? The...