This proposal has been approved and the Eclipse Common Security Infrastructure project has been created.
Visit the project page for the latest information and development.

Eclipse Common Security Infrastructure

Thursday, November 30, 2023 - 10:09 by Mikaël Barbero
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Parent Project

Proposal State: Created
Background

With the recent shift in the industry and upcoming regulations on software supply chain security, we believe that we need to support the numerous open-source projects hosted by the Eclipse Foundation by providing them with tools and best practices to improve their security posture. These tools and best practices shall give projects better visibility of existing threats and provide ways to address them without negatively affecting usability or productivity.

Scope

The Eclipse Common Security Infrastructure (CSI) project maintains and develops cyber security and supply chain management software tools and best practices common to multiple Eclipse projects or other open-source projects. Goals:

  • Provide visibility of existing infrastructure and resources to projects
  • Develop a set of policies for projects to ensure they adhere to secure software development standards
  • Provide tools to continuously monitor if projects adhere to a defined set of policies
  • Provide tools to empower projects to more easily apply best practices to their development and build environments
  • Enable collaboration between projects in terms of sharing experiences and tooling

The following components are examples of technology within the scope of Eclipse CSI:

  • Self-service configuration for project repositories
  • Operating system and artifact signing service
  • Secure repository guideline
  • SBOM (Software Bill of Materials) and provenance attestation best practices and tools

Description

The Eclipse CSI project combines technologies and practices for securing the software supply chain of Eclipse Foundation projects.

Why Here?

Given the Eclipse-focused background and scope, creating Eclipse CSI as a project hosted at the Eclipse Foundation is very natural. Eclipse CSI makes securing and maintaining projects easier. Creating the Eclipse CSI project allows people to contribute to Eclipse CSI on an equal footing and will hopefully help grow a community around Eclipse CSI over time.

Initial Contribution

Copyright for the Eclipse CSI project's initial contribution is held by the Eclipse Foundation. The initial contribution is already hosted by the Eclipse Foundation at the following URLs:

  • Git repository for Otterdog
    • https://gitlab.eclipse.org/eclipsefdn/security/otterdog
  • Git repository for the Octopin
    • https://github.com/TinyGearsOrg/octopin
  • Best practices
    • https://github.com/eclipse-cbi/best-practices/tree/main/software-supply-chain

Source Repository Type