Re: [openvsx-dev] Short-Term Security Improvements for Open VSX

Hi all,

I want to share a follow-up to my email from earlier this month about the Short-Term Security Improvements work for OpenVSX.

The team has now shared the first round of design work for Milestone 1. This includes the architecture diagrams for the security checks, the workflow design, and mockups for the admin panel. These materials outline how the prepublish framework will operate and how flagged extensions will be reviewed and managed.

You can find the latest update here:  
https://github.com/eclipse/openvsx/issues/1395#issuecomment-3550822313

The main tracking issue for this initiative remains here:  
https://github.com/eclipse/openvsx/issues/1331

Please take a moment to review the new diagrams and mockups at your earliest convenience. Your feedback now can help us catch any gaps early and streamline the next steps.

Cheers,

On Fri, 7 Nov 2025 at 13:39, Christopher Guindon <chris.guindon@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi all,

I wanted to share that the Eclipse Foundation has started a short-term engagement with external contractors to deliver Short-Term Security Improvements for Open VSX. This project began this week and is expected to conclude by January 30, 2026.

For this first phase, we’re focusing on implementing pre-publish security checks to ensure that all new extensions are automatically scanned before publication. In a future phase, we would like to extend this work to include proactive scanning of existing extensions.


This work focuses on strengthening Open VSX through:

  • Malware scanning to detect malicious or suspicious code

  • Name-squatting detection to prevent impersonation at the namespace or extension level

  • Secret and credential scanning to identify leaked API keys or credentials

  • Binary inspection to flag unexpected or potentially harmful binaries

  • Download flood control to prevent artificial inflation of extension popularity

  • Administrative interface for reviewing and managing flagged or quarantined extensions

  • Reporting and alerting tools to support manual review and transparency


We’re sharing our plans and progress with the community in the following issue, where we’ll also post updates as the work moves forward:

https://github.com/eclipse/openvsx/issues/1331#issuecomment-3503470384


I look forward to collaborating with all of you on this initiative. Your support and feedback—especially through code reviews and participation in discussions—will be key to making this engagement a success.


Cheers!




--
Christopher Guindon
Director, Software Development | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration
Twitter: @chrisguindon
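To make the "name-squatting detection at the namespace or extension level" item concrete, here is an added example of how such a prepublish check could be structured. It is illustrative code written for this page, not Open VSX code and not from either message above; the sample registry, the homoglyph table and the distance threshold are assumptions.

```python
# Added example (not Open VSX code): a prepublish name-squatting check that compares a
# requested namespace and extension name against already-published names.
from dataclasses import dataclass
from typing import Iterable

# Constructed sample registry for the example; not real Open VSX data.
PUBLISHED: dict[str, set[str]] = {
    "redhat": {"java", "vscode-yaml"},
    "ms-python": {"python"},
    "esbenp": {"prettier-vscode"},
}

# Assumed look-alike table: digits and symbols an attacker substitutes for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "|": "l"})


def skeleton(name: str) -> str:
    """Canonical form: lowercase, homoglyphs folded, 'rn'->'m', 'vv'->'w', separators dropped."""
    s = name.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return "".join(ch for ch in s if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


@dataclass(frozen=True)
class Finding:
    level: str          # "namespace" or "extension"
    candidate: str
    lookalike_of: str   # existing name, as "namespace" or "namespace.extension"
    reason: str


def lookalikes(name: str, existing: Iterable[str], include_exact: bool, max_distance: int = 1):
    """Yield (existing_name, reason) for every name in `existing` that `name` could be mistaken for."""
    sk = skeleton(name)
    for other in sorted(existing):
        if other == name:
            if include_exact:
                yield other, "identical name"
            continue
        other_sk = skeleton(other)
        if other_sk == sk:
            yield other, "same skeleton after homoglyph/separator folding"
        elif edit_distance(sk, other_sk) <= max_distance:
            yield other, f"edit distance <= {max_distance} after folding"


def check_publish(namespace: str, extension: str, published=PUBLISHED) -> list[Finding]:
    """Return the look-alike findings a reviewer should see before `namespace.extension` goes live."""
    findings: list[Finding] = []
    # Namespace level: a brand-new namespace that resembles an existing one. An exact match is
    # not squatting; namespace uniqueness is already enforced by the registry itself.
    if namespace not in published:
        for other, why in lookalikes(namespace, published, include_exact=False):
            findings.append(Finding("namespace", namespace, other, why))
    # Extension level: a name that resembles (or copies) an extension in ANOTHER namespace.
    # Near-duplicates inside the publisher's own namespace are their own business and are skipped.
    for ns, exts in published.items():
        if ns == namespace:
            continue
        for other, why in lookalikes(extension, exts, include_exact=True):
            findings.append(Finding("extension", f"{namespace}.{extension}", f"{ns}.{other}", why))
    return findings


if __name__ == "__main__":
    for ns, ext in [("ms-pyth0n", "python"), ("redhat", "vscode-yamI"), ("acme", "prettier-vsocde")]:
        for f in check_publish(ns, ext):
            print(f"{f.level:9} {f.candidate} looks like {f.lookalike_of}: {f.reason}")
```

The folding step is deliberately aggressive ("rn" becomes "m", digits become letters), so it will produce false positives on legitimate names; that is why a check like this should feed the admin review queue the thread describes rather than reject a publish outright. The cross-namespace "identical name" case is the noisiest signal, since generic extension names recur across publishers, and a deployment would want an allowlist or a popularity threshold in front of it.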