Mikaël Barbero's blog

New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security

Wednesday, March 15, 2023 - 08:00 by Mikaël Barbero

Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard?

March 2023 Update on Security improvements at the Eclipse Foundation

Friday, March 3, 2023 - 04:00 by Mikaël Barbero

Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months.

Shell Hole: How Advanced Prompts are Putting Software Developers at Risk

Wednesday, March 1, 2023 - 03:00 by Mikaël Barbero

Advanced shell prompts, such as those provided by theme engines like oh-my-zsh and oh-my-posh, have become increasingly popular among software developers due to their convenience, versatility, and customizability. However, the use of plugins that are executed outside of any sandbox and have full access to the developer shell environment, presents significant security risks, especially for Open Source Software developers.

Update on Security improvements at the Eclipse Foundation

Thursday, November 24, 2022 - 10:00 by Mikaël Barbero

Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Our previous analysis helped us prioritize work area where improvements would be the most significant. Let’s see where we are today.

Open Source Software Supply Chain Security starts with developers

Tuesday, November 22, 2022 - 10:00 by Mikaël Barbero

Open Source Software Supply Chain is at risk: threat actors are shifting target to amplify the blast radius of their attacks and as such increasing their return on investment. Over the past 3 years, we’ve witnessed an astonishing 742% average annual increase in Software Supply Chain attacks. To make it worse, the attack surface of the supply chain is wide. Covering it all requires a deep scrutinity of many factors.

Enforcing HTTPS on the Eclipse Marketplace

Tuesday, September 20, 2022 - 13:25 by Mikaël Barbero

As stewards of the Eclipse Marketplace, the Eclispe Foundation is responsible for providing a safe place for the Eclipse IDE users to download their plugins. While the Eclipse Marketplace does not host or transmit the plugins bits, it provides links to (p2) repositories containing them. Until today, there was no restriction on those links.

State of the Eclipse Foundation GitHub repositories

Wednesday, August 31, 2022 - 05:30 by Mikaël Barbero

The Eclipse Foundation recently received financial support from the OpenSSF’s Alpha-Omega project. We are thrilled to be able to help our projects improve the security of their Software Supply Chain. We have a number of initiatives that are being started, but today we will focus on the 1026 git repositories of the 254 Eclipse Projects hosted at Github, spread among 50 different organizations.

Credentials leaked on GitHub

Sunday, March 21, 2021 - 04:00 by Mikaël Barbero

A postmortem about the incident that could have affected artifacts on repo.eclipse.org

What happened?

On Feb 16th 2021, we received a security report about secrets in the main Jiro repository. This report was correct. On March 18th 2020, the secrets were committed inside the repository.

Scaling up the Continuous Integration infrastructure for Eclipse Foundation’s projects — Act 2

Tuesday, May 29, 2018 - 04:00 by Mikaël Barbero

TL;DR

Infrastructure improvements and migration described in last year post is eventually happening, with some tweaks.

Scaling up the Continuous Integration infrastructure for Eclipse Foundation’s projects

Friday, April 27, 2018 - 04:00 by Mikaël Barbero

TL;DR

Projects hosted by the Eclipse Foundation will soon benefit from a brand new enterprise-grade continuous integration (CI) infrastructure. Expected improvements are: resiliency, scalability and nimbleness. We are doing this move with tremendous support from our friends at CloudBees and RedHat with their respective products Jenkins Enterprise and OpenShift Container Platform.

1
2
next
last

Eclipse Foundation Blogs

Wayne Beaton (821 posts)
Mike Milinkovich (322 posts)
Ivar Grimstad (254 posts)
Benjamin Cabé (131 posts)
Tanja Obradovic (60 posts)
Thabang Mashologu (37 posts)
John Kellerman (31 posts)
Paul Buck (22 posts)
Brian King (19 posts)
Frédéric Desbiens (19 posts)
Mikaël Barbero (17 posts)
Christopher Guindon (16 posts)
Gael Blondelle (14 posts)
Hailley Seed (10 posts)
Denis Roy (9 posts)
Hudson Kelly (8 posts)
Michael Plagge (4 posts)
Shabnam Mayel (3 posts)
Shanda Giacomoni (3 posts)
Serina El Salibi (3 posts)
Jacob Harris (2 posts)
Clark Roundy (2 posts)
Karla Ferrer (2 posts)
Paul White (1 posts)
Stephanie Swart (1 posts)
Sharon Corbett (1 posts)

Recent blog posts

Organising Your Eclipse Open Source Project Team
Hashtag Jakarta EE #168
New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security
Take the 2023 Jakarta EE Developer Survey
Hashtag Jakarta EE #167
Product Liability Directive: More Bad News for Open Source
Rodrigo Pinto: Eclipse Cloud DevTools Contributor of the Month!
Hashtag Jakarta EE #166
March 2023 Update on Security improvements at the Eclipse Foundation
Eclipse Cloud DevTools Digest - January and February, 2023