Mikaël Barbero's blog

    Understanding Software Provenance Attestation: The Roles of SLSA and in-toto

    Thursday, December 28, 2023 - 09:00 by Mikaël Barbero
    A software provenance attestation is a signed document that associates metadata with an artifact, encompassing details like the artifact’s origin, build steps, and dependencies. This information is critical for verifying the artifact’s authenticity and integrity. Featuring a cryptographic signature, provenance attestation ensures the document remains unaltered, playing a vital role...

    Understanding Software Provenance

    Tuesday, December 26, 2023 - 09:00 by Mikaël Barbero
    In the ever-evolving landscape of open-source software development, the creation and distribution of artifacts—such as compiled binaries, libraries, and documentation—represent the tangible results of a multifaceted process. These artifacts are more than just a collection of code; they are the final product of myriad decisions, alterations, and contributions, each with...

    Eclipse Foundation Embraces Sigstore

    Saturday, December 23, 2023 - 05:00 by Mikaël Barbero
    As part of our ongoing commitment to fortifying the security of our software development processes, we’re excited to announce a significant enhancement for all Eclipse Foundation projects utilizing our Jenkins infrastructure. This advancement comes with the integration of Sigstore, a cutting-edge solution designed to bolster the security and integrity...

    Elevating Software Supply Chain Security: Eclipse Foundation's 2FA Milestone

    Monday, December 18, 2023 - 11:00 by Mikaël Barbero
    In the realm of open-source software, security of the supply chain is not just a concern—it’s a crucial battleground. The Eclipse Foundation, at the forefront of this fight, has taken a decisive step with its 2023 initiative to enforce two-factor authentication (2FA) across its platforms. This move is more than...

    Eclipse Foundation Publishes Results of Eclipse JKube Security Audit

    Friday, September 15, 2023 - 10:00 by Mikaël Barbero
    Today, the Eclipse Foundation released the results of our security audit for Eclipse JKube, a collection of tools for building Java applications that can be deployed to a cloud environment. Findings from the audit have been addressed in the 1.13 release leading to a new feature. This audit included...

    Eclipse Foundation Publishes Results of Equinox p2 Security Audit

    Wednesday, July 12, 2023 - 10:00 by Mikaël Barbero
    Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects. Today, we’re taking another step...

    New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security

    Wednesday, March 15, 2023 - 08:00 by Mikaël Barbero
    Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the...

    March 2023 Update on Security improvements at the Eclipse Foundation

    Friday, March 3, 2023 - 04:00 by Mikaël Barbero
    Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Two Factor Authentication: Eclipse Tycho, Eclipse m2e, and Eclipse RAP have all enforced 2FA for all their committers on GitHub: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2701 https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/2702...