Mikaël Barbero's blog

    Eclipse Foundation Publishes Results of Eclipse JKube Security Audit

    Friday, September 15, 2023 - 10:00 by Mikaël Barbero
    Today, the Eclipse Foundation released the results of our security audit for Eclipse JKube , a collection of tools for building Java applications that can be deployed to a cloud environment. Findings from the audit have been addressed in the 1.13 release leading to a new feature. This audit included...

    Eclipse Foundation Publishes Results of Equinox p2 Security Audit

    Wednesday, July 12, 2023 - 10:00 by Mikaël Barbero
    Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects. Today, we’re taking another step...

    New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security

    Wednesday, March 15, 2023 - 08:00 by Mikaël Barbero
    Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the...

    March 2023 Update on Security improvements at the Eclipse Foundation

    Friday, March 3, 2023 - 04:00 by Mikaël Barbero
    Thanks to financial support from the OpenSSF’s Alpha-Omega project , the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Two Factor Authentication Eclipse Tycho , Eclipse m2e , and Eclipse RAP have all enforced 2FA for all their committers on GitHub: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2701 https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2702...

    Shell Hole: How Advanced Prompts are Putting Software Developers at Risk

    Wednesday, March 1, 2023 - 03:00 by Mikaël Barbero
    Advanced shell prompts, such as those provided by theme engines like oh-my-zsh and oh-my-posh , have become increasingly popular among software developers due to their convenience, versatility, and customizability. However, the use of plugins that are executed outside of any sandbox and have full access to the developer shell environment...

    Update on Security improvements at the Eclipse Foundation

    Thursday, November 24, 2022 - 10:00 by Mikaël Barbero
    Thanks to financial support from the OpenSSF’s Alpha-Omega project , the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Our previous analysis helped us prioritize work area where improvements would be the most significant. Let’s see where we are today. Protect the branches...

    Open Source Software Supply Chain Security starts with developers

    Tuesday, November 22, 2022 - 10:00 by Mikaël Barbero
    Open Source Software Supply Chain is at risk: threat actors are shifting target to amplify the blast radius of their attacks and as such increasing their return on investment. Over the past 3 years, we’ve witnessed an astonishing 742% average annual increase in Software Supply Chain attacks. To make it...

    Credentials leaked on GitHub

    Sunday, March 21, 2021 - 04:00 by Mikaël Barbero
    A postmortem about the incident that could have affected artifacts on repo.eclipse.org What happened? On Feb 16th 2021, we received a security report about secrets in the main Jiro repository . This report was correct. On March 18th 2020, the secrets were committed inside the repository. What was leaked? The...