Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure So

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels

From: Jens Reimann <jreimann@xxxxxxxxxx>
Date: Thu, 27 Jun 2024 14:51:50 +0200
Delivered-to: eclipse.org-architecture-council@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/eclipse.org-architecture-council/>
List-help: <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council>, <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/eclipse.org-architecture-council>, <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=unsubscribe>

I think it makes perfect sense. What I didn't understand is: how that would be applied to projects?

Is that something that projects would self attest/certify? Is that something that would be enforced by the foundation? Or attested by the foundation during reviews? Resulting in some level of compliance projects can advertise with?

On Wed, Jun 26, 2024 at 10:29 PM Mikael Barbero via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx> wrote:

Dear Architecture Council members,

This is a request for review and feedback on a new security framework proposal, Eclipse Foundation Secure Supply Chain Lifecycle (EF3SCL). EF3SCL is a pragmatic security framework designed to promote actionable security practices and provide a clear progression path for Eclipse Foundation projects to secure their supply chains.

The draft document for EF3SCL can be found here: https://github.com/eclipse-csi/gradually/blob/main/EF3SCL.md

We have shared this framework with several other groups. To gather all feedback and allow for inter-group discussion, we have initiated a discussion thread on GitHub. In this thread, we provide context and reasoning behind the creation of this framework. We would greatly appreciate it if you could share your comments there.

We look forward to your valuable feedback and guidance.

Cheers,

Mikaël Barbero
Head of Security | Eclipse Foundation
🐦 @mikbarbero
📅 Book an appointment
Eclipse Foundation: The Community for Open Innovation and Collaboration

_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council

Jens Reimann
Principal Software Engineer / R&D Product Middleware
_____________________________________________________________________________

Red Hat GmbH, Registered seat: Werner-von-Siemens-Ring 12, D-85630 Grasbrunn, Germany
Commercial register: Amtsgericht München/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross

Follow-Ups:
- Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
  - From: Mikael Barbero

References:
- [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
  - From: Mikael Barbero

Prev by Date: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Next by Date: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Previous by thread: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Next by thread: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Index(es):
- Date
- Thread

Breadcrumbs