Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels

Thank you, Matthias. My answers inline.

I like the proposal.


I'm glad you like it.

Some comments regarding securing source code repositories:


Commit signing:

  • important on git servers like GitHub and GitLab which have no means to prohibit forging of committer identities (supported in Gerrit).
  • still a can of worms, see e.g. https://lobi.to/writes/wacksigning/
I think most promising is gitsign leveraging Sigstore infrastructure and push signing, though GitHub and GitLab don’t support it (Gerrit does).

Authenticating to git servers using short lived OAuth tokens (not long-lived personal access tokens) is possible with https://github.com/hickford/git-credential-oauth

I like https://github.com/hickford/git-credential-oauth a lot, just like gitsign/sigstore, but what do you think about the developer experience of these tools?

I think we should encourage hardware keys for MFA. I started using YubiKeys a couple of months ago and never looked back.


Good point. It is not explicitly mentioned in the framework because it's not something that we can check/attest for. Something like this will go in Level 4: Developers are well-versed in best practices, where we plan on building something to make our recommendations to developers (https://github.com/eclipse-csi/security-handbook/blob/main/secure-developer.md) more attractive than a text document (think something similar to https://digital-defense.io/). More on that soon.

I would welcome a policy that commits should use the real name of the contributor instead of an anonymous nickname, which seems to be popular on GitHub.


See https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/4641 for a related discussion.
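As an added example (not part of this thread or of the Eclipse Foundation framework), the following script shows how a repository could enforce the commit-signing expectation discussed above in CI: it reads git's per-commit signature status (`%G?`) and reports every commit in a range that is unsigned, has a bad signature, or was signed by a key git does not trust. The sample log output is constructed; the assumption that git's x509 path (e.g. `gpg.format=x509` with `gpg.x509.program=gitsign`) feeds the same status codes is the author's, not something the thread states.

```python
"""Commit-signing policy check over `git log` output (added example)."""
import subprocess
import sys
from dataclasses import dataclass

# git's %G? status codes (see `git log --format` docs).
STATUS_TEXT = {
    "G": "good signature, trusted key",
    "U": "good signature, key not marked trusted",
    "B": "bad signature",
    "X": "good signature, but expired",
    "Y": "good signature, signing key expired",
    "R": "good signature, signing key revoked",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}
LOG_FORMAT = "%H%x09%G?%x09%GS"   # sha <TAB> status <TAB> signer


@dataclass
class CommitSig:
    sha: str
    status: str
    signer: str


def parse_log(text: str) -> list[CommitSig]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        sha = parts[0]
        status = parts[1] if len(parts) > 1 and parts[1] else "N"
        signer = parts[2] if len(parts) > 2 else ""
        commits.append(CommitSig(sha, status, signer))
    return commits


def policy_violations(commits, allow_untrusted=False) -> list[CommitSig]:
    """Return commits that fail the policy 'every commit carries a good signature'."""
    accepted = {"G", "U"} if allow_untrusted else {"G"}
    return [c for c in commits if c.status not in accepted]


def check_range(rev_range: str, allow_untrusted=False) -> list[CommitSig]:
    """Run git for a revision range (e.g. origin/main..HEAD) and apply the policy."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return policy_violations(parse_log(out), allow_untrusted)


if __name__ == "__main__":
    bad = check_range(sys.argv[1] if len(sys.argv) > 1 else "HEAD~20..HEAD")
    for c in bad:
        print(f"{c.sha[:12]} {STATUS_TEXT.get(c.status, c.status)} {c.signer}")
    sys.exit(1 if bad else 0)
```

Exit status 1 makes the check usable as a CI gate; hosting-side settings (e.g. GitHub's "require signed commits") should still be enabled as well, since this script only checks what git itself can verify locally.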
