Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure So

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels

From: "Sohn, Matthias" <matthias.sohn@xxxxxxx>
Date: Thu, 27 Jun 2024 23:54:22 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sap.com; dmarc=pass action=none header.from=sap.com; dkim=pass header.d=sap.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EDhzSdZbIKFffi8IATrX9Bcz3Hbe0azD8cTZdPnPwOY=; b=ZsRv5ab0WBywAT+wGyDuqPc/g9SX5kqQk7I8iggI49uuWTZCUwIQn5ASzad4UP5dFiJTn9AWRPvfQ7zTekw6PnHtWToPu0O7YQf1UMnelkvg70KdpBOmL9t0P+Ikj0V0SgPh7qwcPtGpfv+q2VqSAHbV8JYAMiaLRxiTYZi1IyE85y2m92E19ZZK34IrqCiCoqJooTBt0wkb1BwNIQKsPYIRrfvhdBJyiylYqlaxg5btvbB5Sq8CuGougjT3oJjlTy8+5Lb/284Zmf8hvbBKSTHiuAStHxQQUIbYn9DwUzEhkG84tCV5L/ZUyuuAtlp28th3OHroqh+/ie0vCc8W5A==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XLuNANfK7t65boHJvO/ZWUIxpfxOmpim3tyg7aMqUc86iaFJ6PFd1zfVV6f+37GNggaeVcPLHMXKo94huz6IE0NoKWKypT4zdWr0ZevdP9TdhWMrziemJQgEU5eq/cynfrzN8r9eZwJW4EHrjaUMM7rhzWAU+lldSIfJXyBJLyDCoNCTZ5KY6w+/sodTobJisl6/aJZPPnYJ7Hk92r5J4gvpbZ5SxC02D9ejfjj8gtHz1Jw0yPo6iQKsNulCFO1LLMfVn7E53aPBL8xjrf0OCni4oZyPPlv3Ya1L0j8H2Sxexj2VmxZRiOdtXOx4QCLfDb8jf6w8azsknlejtdWnZA==
Delivered-to: eclipse.org-architecture-council@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/eclipse.org-architecture-council/>
List-help: <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council>, <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/eclipse.org-architecture-council>, <mailto:eclipse.org-architecture-council-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHayAd2j1wIZPdl4kmdeDY2qxnLRLHcRNub
Thread-topic: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels

I like the proposal.

Some comments regarding securing of source code repositories:

Commit signing:

important on git servers like GitHub and GitLab which have no means to prohibit forging of committer identities (supported in Gerrit).
still a can of worms, see e.g. https://lobi.to/writes/wacksigning/
I think most promising is gitsign leveraging Sigstore infrastructure and push signing, though GitHub and GitLab don’t support it (Gerrit does).

Authenticating to git servers using short lived OAuth tokens (not long-lived personal access tokens) is possible with

https://github.com/hickford/git-credential-oauth

I think we should encourage hardware keys for MFA, I started using yubikeys a couple of months ago and never looked back

I would welcome a policy that commits should use the real name of the contributor instead of an anonymous nick name which seems to be popular on GitHub.

From: eclipse.org-architecture-council <eclipse.org-architecture-council-bounces@xxxxxxxxxxx> on behalf of Mikael Barbero via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx>
Date: Wednesday, 26. June 2024 at 22:28
To: eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx>
Cc: Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels

Dear Architecture Council members,

This is a request for review and feedback on a new security framework proposal, Eclipse Foundation Secure Supply Chain Lifecycle (EF3SCL). EF3SCL is a pragmatic security framework designed to promote actionable security practices and provide a clear progression path for Eclipse Foundation projects to secure their supply chains.

The draft document for EF3SCL can be found here: https://github.com/eclipse-csi/gradually/blob/main/EF3SCL.md

We have shared this framework with several other groups. To gather all feedback and allow for inter-group discussion, we have initiated a discussion thread on GitHub. In this thread, we provide context and reasoning behind the creation of this framework. We would greatly appreciate it if you could share your comments there.

We look forward to your valuable feedback and guidance.

Cheers,

Mikaël Barbero

Head of Security | Eclipse Foundation

🐦 @mikbarbero

📅 Book an appointment

Eclipse Foundation: The Community for Open Innovation and Collaboration

Follow-Ups:
- Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
  - From: Mikael Barbero

References:
- [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
  - From: Mikael Barbero

Prev by Date: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Next by Date: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Previous by thread: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Next by thread: Re: [eclipse.org-architecture-council] RFC: Eclipse Foundation Secure Software Supply Chain Levels
Index(es):
- Date
- Thread

Breadcrumbs