Creation Review

Type
Creation
State
Successful
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Proposal

Eclipse Common Security Infrastructure

Thursday, November 30, 2023 - 10:09 by Mikaël Barbero
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please login and add your feedback in the comments section.
Parent Project
Proposal State
Created
Background

With the recent shift in the industry and upcoming regulations on the software supply chain security we believe that we need to foster the numerous open-source projects hosted by the Eclipse Foundation by providing them with tools and best practices to improve their security posture. These tools and best practices shall empower projects to have better visibility of existing threats and provide ways to address them without negatively affecting usability or productivity.

Scope

The Eclipse Common Security Infrastructure (CSI) project maintains and develops cyber security and supply chain management software tools and best practices common to multiple Eclipse projects or other open-source projects. Goals:

  • Provide visibility of existing infrastructure and resources to projects
  • Develop a set of policies for projects to ensure they adhere to secure software development standards
  • Provide tools to continuously monitor if projects adhere to a defined set of policies
  • Provide tools to empower projects to more easily apply best practices to their development and build environments
  • Enable collaboration between projects in terms of sharing experiences and tooling

The following components are examples of technology that is within the scope of Eclipse SBI:

  • Self-service configuration for project repositories
  • Operating system and artifact signing service
  • Secure repository guideline
  • SBOM (Software Bill of Material) and provenance attestation best practices and tools
Description

The Eclipse CSI project combines technologies and practices for security Eclipse Foundation Project Software Supply Chain.

Why Here?

Given the Eclipse-focused background and scope, creating Eclipse CSI as a project itself hosted at the Eclipse Foundation is very natural. Eclipse CSI makes securing up and maintaining projects easier. Creating the Eclipse CSI project allows people to contribute to Eclipse CSI on equal footing and hopefully will assist in growing a community for Eclipse CSI over time.

Initial Contribution

Copyright for the Eclipse CSI project's initial contribution is held by the Eclipse Foundation The initial contribution is hosted by the Eclipse Foundation already at the following URL:

  • Git repository for Otterdog
    • https://gitlab.eclipse.org/eclipsefdn/security/otterdog
  • Git repository for the Octopin
    • https://github.com/TinyGearsOrg/octopin
  • Best practices
    • https://github.com/eclipse-cbi/best-practices/tree/main/software-supply-chain
Source Repository Type