Re: [equinox-dev] Security audit of the recent changes to Eclipse p2 (PGP signatures)
Mikael,
The draft is simple and looks fine.
Thanks,
Ed
On 10.08.2022 12:23, Mikael Barbero wrote:
Dear Equinox developers,

The Eclipse Foundation is willing to fund a security audit of the recent changes to p2 to support detached signatures (made to replace classical jar signing).

The Eclipse Foundation recognizes the benefits of the new workflow and we would like to help the project verify that the move from a chain of trust based on certificates managed by the JRE to a chain of trust based on PGP did not introduce any flaw in the install/update workflow. Such a flaw could render users' setups vulnerable to some attacks, and exploitation of a flaw could be a hard blow to the Equinox project and the Eclipse IDE's reputation.

The audit company we selected is OSTIF. They have an excellent track record in auditing Open Source projects like OpenSSL or SLF4j. I've cc'd OSTIF's directors, Derek and Amir. They will explain to you the different milestones that will eventually lead to the publication of a report.

The very first step is to define the scope of the audit. It will be provided to the audit team to help them focus on the key areas of the code whose security we want to assess (and hopefully improve).

Thank you for your help in doing this work that will help enhance the security of Equinox p2.
Mikaël Barbero
Head of Security | Eclipse Foundation
🐦 @mikbarbero
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/equinox-dev