[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
|
Dear Equinox developers,
The Eclipse Foundation is willing to fund a security audit of the recent changes to p2 to support detached signatures (made to replace classical jars signing).
The Eclipse Foundation recognizes the benefits of the new workflow and we would like to help the project verify that the move from a chain of trust based on certificates managed by the JRE to a chain of trust based on PGP did not introduce any flaw in the install/update workflow. Such a flaw could render users' setup vulnerable to some attacks and exploitation of a flaw could be a hard blow to the Equinox project and the Eclipse IDE reputation.
The audit company we selected is OSTIF. They have an excellent track record in auditing Open Source projects like OpenSSL or SLF4j. I've cc'd OSTIF's directors, Derek and Amir. They will explain you the different milestones that will eventually lead to the publication of a report.
The very first step is to define the scope of the audit. It will be provided to the audit team to help them focus on the key area of the code that we want to asses (and hopefully improve) the security.
Thank you for your help in doing this work that will help enhancing the security of Equinox p2.
Mikaël Barbero
Head of Security | Eclipse Foundation 🐦 @mikbarbero
|
Attachment:
signature.asc
Description: Message signed with OpenPGP