Re: [eclipse.org-planning-council] [platform-dev] Unsigned Content?

[Ed Merks <ed.merks@xxxxxxxxx>]

Comments below.

On 17.12.2021 07:46, Aleksandar Kurtakov wrote:

On Fri, Dec 17, 2021 at 8:01 AM Ed Merks <ed.merks@xxxxxxxxx> wrote:

Has the platform decided to bypass Orbit to produce IUs directly from
some other sources?   I'm not sure how the multiple versions of such IUs
on the release train will be (or even can be) coordinated across
projects if the general new approach is that each project produces such
things purely for its own purpose from whatever sources it deems fit.

Also, the artifacts are not signed, which is the reason that I noticed:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.23-I-builds/index.html

Note that once an unsigned version of some specific artifact ID is out
there is the wild (in someone's bundle pool), it's extremely hard to
stamp it out unless a new version with a new artifact ID is created to
supersede it.

Perhaps the platform has decided that PGP signatures are now deemed to
be fully secure and fully feature complete such that signatures are
obsolete?  This is not the expectation I have based Planning Council
discussions.

Platform is not contributing these to release train so no issue for release train for now!

    That appears to be the case given these particular IUs are not on
    the current train.

The feature org.eclipse.test relies on PGP on purpose as this is our proof and example how PGP works and is on par with jarsigner as far as signing requirements for third party dependencies are considered https://github.com/eclipse-cbi/best-practices/blob/main/software-supply-chain/osssc-best-practices.md#securing-third-party-artifacts .

A proof of concept is arguably useful. 

Here is what happens when the installer tries to install org.mockito.mockito-core into a Platform SDK IDE:

java.lang.NullPointerException
    at org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.buildPGPTrustore(CertificateChecker.java:311)
    at org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker$1.get(CertificateChecker.java:63)
    at org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker$1.get(CertificateChecker.java:1)
    at org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.checkCertificates(CertificateChecker.java:126)
    at org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.start(CertificateChecker.java:83)
    at org.eclipse.equinox.internal.p2.engine.phases.CheckTrust.completePhase(CheckTrust.java:63)
    at org.eclipse.equinox.internal.p2.engine.Phase.postPerform(Phase.java:254)
    at org.eclipse.equinox.internal.p2.engine.Phase.perform(Phase.java:105)
    at org.eclipse.equinox.internal.p2.engine.PhaseSet.perform(PhaseSet.java:50)
    at org.eclipse.equinox.internal.p2.engine.Engine.perform(Engine.java:80)
    at org.eclipse.equinox.internal.p2.engine.Engine.perform(Engine.java:48)
    at org.eclipse.equinox.internal.provisional.p2.director.PlanExecutionHelper.executePlan(PlanExecutionHelper.java:46)
    at org.eclipse.oomph.p2.internal.core.ProfileTransactionImpl$3.commit(ProfileTransactionImpl.java:549)
    at org.eclipse.oomph.p2.internal.core.ProfileTransactionImpl.commit(ProfileTransactionImpl.java:345)
    at org.eclipse.oomph.setup.p2.impl.P2TaskImpl.perform(P2TaskImpl.java:905)
    at org.eclipse.oomph.setup.internal.core.SetupTaskPerformer.doPerformNeededSetupTasks(SetupTaskPerformer.java:3851)
    at org.eclipse.oomph.setup.internal.core.SetupTaskPerformer.performNeededSetupTasks(SetupTaskPerformer.java:3779)
    at org.eclipse.oomph.setup.internal.core.SetupTaskPerformer.performTriggeredSetupTasks(SetupTaskPerformer.java:3760)
    at org.eclipse.oomph.setup.internal.core.SetupTaskPerformer.perform(SetupTaskPerformer.java:3638)
    at org.eclipse.oomph.setup.ui.wizards.ProgressPage$9.run(ProgressPage.java:600)
    at org.eclipse.oomph.setup.ui.wizards.ProgressPage$11$1.run(ProgressPage.java:727)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)

    Why?  Because
org.eclipse.equinox.internal.p2.engine.phases.CheckTrust.completePhase(IProgressMonitor,
    IProfile, Map<String, Object>) knows the profile, but the
    certificate checker doesn't know to check that profile but rather
    checks the self profile.  I imagine the p2 director will have such
    problems too, or perhaps it will not fail but also might not
    actually check the correct profile...

Updating mockito and friends to newer versions so they work with latest Java versions is a task we couldn't have completed if we had gone through Orbit as this literally doubles the work involved.

    I sympathize fully with the endless work of getting things done
    primarily for the benefit of others.  I wonder though if n projects
    have to duplicate the effort n times if that will be n times the
    work.  Also, might we end up with n versions of each such bundle? 
    That's not a problem for the platform, but it's problem for SimRel
    and for the community at large.  The Platform PMC is of course not
    obligated to care.

This was a topic for next Planning Council meeting but as it's already bringed here: Yes, Eclipse PMC has decided that we are going with PGP signatures and it's fullfilling the given requirements (https://wiki.eclipse.org/Eclipse/PMC#Meeting_Minutes). There is just not enough manpower to keep releng uptodate and fix bugs at the same time. So from now on things like Jetty updates and other third party updates will go with PGP signing only from Eclipse TLP. It's not a decision taken lightly - it's total exhaustion amongst people doing that work and lack of interest from others to heavily engage in either sharing the burden of the releng process or at least look into the new approach and point issues in it.

    The community with which I'm familiar tended to build consensus
    around decisions.  In any case, I can relate to being tired.  It has
    been impossible to find time to look into the evolving new
    approach.  (The log4j thing was of course endless fun too.)

So the possible paths I see are:

* Simrel accepts PGP signatures

* Simrel stays with old Platform that doesn't contain third party PGP signed dependencies

* Someone steps up to do all the needed work in the old way

* Someone points how a real exploit with PGP signing but can't happen with jarsigning

    The path the Platform PMC has chosen to take is effectively the
    first one.  Dismissing the third option might have been done only
    after communicating with the community before hand...

The topic is something I have planned to bring to the next Planning Council meeting in January. Eclipse Platform doesn't plan to push any third party updates for content in Simrel for limited period to give some time for Planning Council to discuss and decide. I seriously wanted to delay this discussion after Christmas to not interrupt the discussions during vacations, which already started or start today for quite a few people including me.

 

    It doesn't appear there is really much of discussion to be had
    though...

_______________________________________________
platform-dev mailing list
platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev

On behalf of Eclipse PMC

--

Aleksandar Kurtakov

Red Hat Eclipse Team

_______________________________________________
platform-dev mailing list
platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev