[platform-dev] Still open Jakarta EE, MicroProfile and Adoptium Bugzilla

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[platform-dev] Still open Jakarta EE, MicroProfile and Adoptium Bugzilla Tickets

From: Jan Westerkamp <jan.westerkamp@xxxxxxx>
Date: Fri, 13 Oct 2023 17:09:58 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ijug.eu; dmarc=pass action=none header.from=ijug.eu; dkim=pass header.d=ijug.eu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AHcpPcCe/KwFj+tiYUMMV0UuUhArTgki2TmojSRtm9U=; b=Kap0BBcUgWxRP4LokQdpLrdmqNq9m8r4AXXmZ8MaqmBbntuPDEcuRHXuT60nZ40k2m1D/GyRTeuJS83m3l4naM7GE5mpzhXWIVt9xIC4taSH1jXT1CFtxAOfb1TdjF6fsfuZoqbjZG9fcarv3qzfMjf7oRSs7hZPyvalPgJxRVGE1uJhy512opRBf/DaX8Lm5JHHYw/UUxjSkSQLmD+f0Cv3babRqcMCzkLH9CtojrIDqmvHxAEK6HnTAQu5C/C41/P3fg+IqthnnWHTTIF73DeY0QZ6Nviuzm2C6+pZQUnpOUwPcMleQfc6Y1nR8FVJLxz2HrJhXHstPm3Bjlu2IQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kRUtoMvtMjJWD/4djCMM9dhOwga1VbXlSaUwQeEbyEx359zPrlza6+AbuU1H8B4oaNewsyHeQta9/xoalC06zu9A6LNtNlv8UzNNJfPHCFk4A0l7VL9yYdC24Uw7SceRZ6e5fG16wDNO4x7qRG2hE+zbEykTeqp7VWIK8Ze2XQ9F2vj87Z/WryHPnb4Ix92CcLuij5BT0c4pZNle+twBBwcGrYmwOYr8klUqw1wQ2KWonCg9ZCZfD0o6vwIa6+H3taJ3p7uOKYyWTtaipk8DYaDHb8g2rU1/zlxK1R4OsEw5tP0aEkfSr56hj5IQGbXMmTQBr+AK9IwYP87Ls9hKUQ==
Delivered-to: platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/platform-dev/>
List-help: <mailto:platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/platform-dev>, <mailto:platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/platform-dev>, <mailto:platform-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla Thunderbird

Hi Marta,

can you help me regarding how to proceed with these tickets, please?


Jakarta EE:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=581580

https://bugs.eclipse.org/bugs/show_bug.cgi?id=581588


MicroProfile:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=581579

https://bugs.eclipse.org/bugs/show_bug.cgi?id=581586


Adoptium:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=581589

The recent MicroProfile 6.1 made some small progress to fix them, butexcept two component specs all others are still affected, even whenaddressing this was part of the release plan.We have a similar issue is on the Jakarta EE side, where we (Ed Burnsand Ivar) discussed how to address this in the new Jakarta PlatformMaintenance Call a few weeks ago and Ivar suggested to meet with you atEclipseCon to find solutions for that.

A main issue is, that these tickets are not public (for good reasons)and there is now defined way how to communicate the existence and statusof them to the component spec leads to let them fix the issues andplan/do a release with the fixes.

I tried to address them in the WGs multiple times, but my observationis, that the priority to address (at least these) CVEs in the first twoprojects is relatively low (in contrast to the Adoptium and AsciiDoc,where the last was the origin of two of the issues with a response timeof about 2 h and fix within less than a week!). When you want to getthem fixed, you need to do it by yourself - which is always helpful, butshould not be the only solution. ;-) Especially you need to haveCommitter rights and I generally prefer the four-eyes-principle.

This communication responsibility gap might be a general issue forEclipse projects and Ivar suggested to bring this up to the ArchitectureBoard at EclipseCon to discuss this with Wayne to improve the processes.The new OpenSSF Security Insights 1.0 Specification(https://openssf.org/blog/2023/10/11/openssf-introduces-the-specification-security-insights-1-0/)might be helpful too to address this.

Also there where some discussions about the impact of these issues andthe need to fix them - especially when being just before the release andneed an excuse not to fix them yet...

From my perspective, these concrete examples have not the highestseverity too, but they have the potential for Supply-Chain-Attack andshould be fixed, especially as there are solutions and workaroundavailable to fix most of them with minimum effort. In special cases,end-users could be affected by them too. Unfortunately the people alsodo not discuss them on the original tickets at all, where thisdiscussion should happen form my point of view.At the end, somebody need to make a decision about the actions have tobeen taken and I think this is the point where the Eclipse Security Teamcame into responsibility, right?

Also, do you still track these Bugzilla issues at all? Meanwhile theyneed to be reported on GitLab, but they where not mirrored or referencedthere as far as we could find out.

Last, but not least: The 90 days period is over and then the currentprocess requires to make them public. What does this mean in this context?

I hope we can find some time at EclipseCon to discuss this in person andfind some practical solutions for the concrete and general issues.I will be in Ludwigsburg and attending the EclipseCon Java Community Dayon next Monday and plan to leave late on that day/night. It would benice to meet you there!


Best Regards,

Jan

Prev by Date: [platform-dev] Tycho 4.0.4-SNAPSHOT evaluation
Next by Date: [platform-dev] Creating new Bundle
Previous by thread: [platform-dev] Tycho 4.0.4-SNAPSHOT evaluation
Next by thread: [platform-dev] Creating new Bundle
Index(es):
- Date
- Thread

Breadcrumbs