Life at Eclipse

Musings on the Eclipse Foundation, the community and the ecosystem

Eclipse Foundation Celebrates Pride Month

From all of us at the Eclipse Foundation, we’d like to wish the LGBTQ+ community a happy Pride Month.

As June winds down, we’d like to recognize the Eclipse Community’s continuing efforts to foster an open and welcoming environment for everyone. 

Our Community Code of Conduct outlines the standards of behavior for everyone in our community. These standards include the usage of inclusive and welcoming language, being respectful of differing viewpoints, and showing empathy towards members of differing communities.

With contributors and committers from all over the world with different life experiences, we understand that it takes all of us to maintain a culture where everyone can feel like they belong. We also understand that our efforts to create safe and accepting spaces for people of all races, faiths, sexual orientations and gender identities do not end at simply upholding our Code of Conduct. 

That’s why we’re welcoming feedback on how we can increase our inclusion and diversity efforts. If you have any ideas on how we can work to improve in this area, please contact  emo@eclipse.org.

Written by Mike Milinkovich

June 27, 2022 at 8:43 am

Posted in Foundation

Open Source Security at the Eclipse Foundation

Open source software is the single most important engine for innovation today. The ability to freely combine software components, frameworks, and platforms frees developers from constantly reinventing the wheel and allows them to focus on the new innovations that users want. Free software also enables business models to scale in ways that proprietary software would never allow. Globally and in all sectors of the economy, building on top of open source software is the dominant approach to delivering successful software systems today. 

However, with great success comes great responsibility. From Heartbleed to SolarWinds to Log4j, securing open source software and its global supply chain has never been more important. The reasons for this are many, but among them is that for too long open source has been treated by many of its consumers as “free as in free beer” where they should have been treating it as “free as in a free puppy.” Contributing to the sustainability of the projects and communities that deliver open source is really no longer a choice. It is a necessity.

At the Eclipse Foundation, we believe that foundations have a role to play in addressing the challenges of securing open source and its supply chain. Specifically, we want to provide services to our projects that help improve their security posture. But doing so requires additional staff and resources. That’s why we are so grateful for the financial support from the OpenSSF’s Alpha-Omega project, being announced today. This money will allow us to start building a team to roll out many of the ideas in our Open Source Software Supply Chain Best Practices document under the leadership of Mikael Barbero, our Head of Security. 

Some of the ways that we are going to put this funding to good use include:

  • Automate the generation of static source-based SBOMs for all Eclipse Foundation project repositories.
  • Implement a SLSA-based project badging program for Eclipse Foundation projects.
  • Initiate a number of security audits for high-profile Eclipse Foundation projects.

We are also going to provide regular and public updates to the community about our progress and initiatives.

Software security is a never-ending process. This funding is the first step in a journey. We appreciate the support of the Alpha-Omega project, and are committed to using it effectively. 

Written by Mike Milinkovich

June 19, 2022 at 7:28 pm

AQAvit Brings Quality Assurance to Adoptium Marketplace and Java Ecosystem

The launch of the Adoptium Marketplace on May 26 is exciting news for the millions of developers, researchers, and organizations who rely on TCK-tested compatible Java runtimes. As noted in the announcement, by providing a vendor neutral home for the OpenJDK ecosystem, the marketplace makes it easier than ever to access Java SE-conformant binaries necessary for cloud native and enterprise deployments.

But there’s more to the story. For a long time, compatibility has been the name of the game when it came to Java implementations. The Adoptium Marketplace has been set up to take the Java ecosystem to the next stage of its development. 

That’s where Eclipse AQAvit comes in. It brings quality assurance metrics into the marketplace, so that the Java community can begin to select binaries not just based on compatibility but on quality. 

Eclipse AQAvit Brings Quality Assurance to Java

Everything in the marketplace will be compatible with the relevant version of the Java SE Technology Compatibility Kit (TCK). 

But TCK compatibility doesn’t tell you anything about the quality of the implementation. In recent years, the number of OpenJDK-based runtime distributions has absolutely exploded. And although many vendors maintain their own release quality tests, OpenJDK distros have historically not been built to any consistent quality standard. It has become increasingly clear that the Java ecosystem needs a consistent, multi-vendor definition of quality.

Ensuring high-quality binaries are ready for production deployment is crucial for the Adoptium Marketplace. The AQAvit project team compiled tens of thousands of tests and built a few of their own to produce a comprehensive, systematic way of ensuring the quality of runtimes available. The AQAvit Quality Verification Suite covers a broad set of requirements, ensuring binaries provide superior: 

  • Performance
  • Security
  • Resilience
  • Endurance

They also ensure that the binaries can pass a wide variety of application test suites and can verify new functionality during runtime development. That’s what’s unique about the Adoptium Marketplace: it provides peace of mind knowing that the binaries are not only compatible but will actually meet the demanding requirements of your enterprise applications.

Contributing Helps Ensure AQAvit Meets Your Needs

And in the spirit of open source, you give a little to get a lot.

Many of the founding members of the Adoptium Working Group are Java developers and vendors, including Alibaba Cloud, Azul, Huawei, IBM, iJUG, Karakun AG, Microsoft, New Relic, and Red Hat. The marketplace enables working group members to promote their Java SE compatible releases verified to Eclipse AQAvit’s quality criteria. Their membership helps support the cloud-based infrastructure that drives Adoptium’s efficiency as a shared community project. In other words, the working group collaborates to create and provide access to high-performance, enterprise-caliber, cross-platform, open source-licensed, and Java-compatible binaries of OpenJDK builds, through the marketplace. 

Contributing to the AQAvit project is one of the best ways to ensure access to runtimes that meet specific needs. We encourage Java community members to get involved and contribute additional tests to cover the use cases their applications require. They’ll be incorporated in the AQAvit test suite, so every binary going forward will have to meet that standard. This way enterprises and developers can be confident any AQAvit-verified binaries they use will function as needed. 

Security Updates for Java

Quality assurance is a big part of what makes the Adoptium Marketplace unique, but it’s not the whole picture. Security fixes are also an important focus.

Once upon a time, you could count on getting security fixes for old versions of Java for a long time. After all, if you’ve deployed a set of applications on a version, you’re probably going to want to use it for a long time. 

That’s no longer the case elsewhere. But all the distributions in the Adoptium Marketplace will be kept up to date with the latest security patches or those patches will be backported to older LTS versions. This way you can be sure that your applications are secure, no matter which version of Java you’re running them on. Of course, this goes for new versions of Java too.

Everything Users Need in One Place

The Adoptium Marketplace brings together all these elements — quality assurance, adaptability to community needs, security updates for every version, sustainability — into a one-stop shop for binaries. Ultimately, this delivers five key assurances to end users:

  • The binary has been tested and is compatible with the relevant version of the Java SE TCK
  • The binary was built in accordance with open source principles
  • The binary has been fully verified using the AQAvit quality verification criteria, having passed through multiple tests to ensure it meets industry quality standards
  • The binary is as secure as possible, with the latest security updates included
  • The binary is brought to you by a vendor committed to supporting and participating in a multi-vendor, vendor-neutral collaboration

If your organization is considering participating in the Adoptium Working Group, have a look at the Charter and Participation Agreement. Or if you have questions, email us at membership@eclipse.org

Written by Mike Milinkovich

May 31, 2022 at 7:33 am

Security Leadership at the Eclipse Foundation

As everyone who is involved in the software industry is well aware, security is a significant topic these days. In particular, open source supply chain security is top of mind across the entire ICT industry. The Eclipse Foundation, its community, its projects, and its working groups all have a strong motivation to be leaders in advocating and implementing security best practices. Our members, adopters, users, and stakeholders all desire that their security risks be mitigated to the degree possible. 

One thing that is clear, however, is that simply putting the burden of added security work on the shoulders of our committers and project leaders is not an option. This topic needs to be addressed by services provided by the Eclipse Foundation to our project community or it will fail. Without strong support in terms of release and build engineering, tooling, and education, developers simply do not have the time, interest, or skills necessary to be responsible for implementing security best practices. It is equally true that security, and particularly supply chain security, requires a programmatic approach. Security is not an attribute that you simply add to existing software.

So we need to provide services to our projects to implement our Open Source Software Supply Chain Best Practices. We envisage this as a collection of services provided to our projects by staff to protect our code repositories, secure third party artifacts, provide security audits, secure build pipelines, and protect build outputs. 

The Eclipse Foundation has long had a security policy, and is a CVE numbering authority. We have a long track record of taking security seriously. However, we are not going to be able to accomplish more without leadership. So, to that end, I am very pleased to announce that we have recently promoted Mikaël Barbero as our new Head of Security. Mikaël is well known to our community as having led our Common Build Infrastructure for many years, as well as having authored the best practices document referenced above. Mikaël will be providing leadership to our security initiatives, and will be working closely with our projects and our IT staff to steadily improve security across the Eclipse community. Some of this work will complement or leverage related efforts to improve our IP processes and provide software bill of materials (SBOMs) for all of our projects. We expect to make a number of program announcements over the coming months, so stay tuned. Please join me in welcoming Mikaël in his new role.

Written by Mike Milinkovich

May 12, 2022 at 7:41 am

The Eclipse IDE Working Group Celebrates Its First Anniversary

Today we celebrate the one year anniversary of the Eclipse IDE Working Group. A year ago, the Eclipse Foundation launched this Working Group focused on the Eclipse IDE and the Eclipse Simultaneous Release (SimRel). We would like to share some of our successes since the launch of the Working Group in April 2021. 

Highlights

  • 20 Years of the Eclipse IDE: 2021 was a momentous year for the Eclipse IDE, as we celebrated its 20 year anniversary!
  • Welcome Ed! Ed Merks joined us as a SimRel Architect and Release Engineer. Ed’s first set of tasks included preparing PGP signing support for the 2022-06 release and mapping out the project dependencies.
  • Productive collaboration Our collaboration with the Planning Council has been very effective. We have identified the top issues as outlined by the Planning Council and have a plan to address them.

PGP: A Community Success Story

A great community success story for the Eclipse IDE Working Group is the delivery of a fully-functional, secure PGP implementation for Eclipse 4.23 (SimRel 2022-03). This enhancement augments Eclipse’s existing security support which is based on jar signing. Jar signing has the significant drawback that artifacts originating from external dependencies must be modified in order to sign them, i.e., jar signatures are intrinsic to the artifact. In contrast, PGP signatures are extrinsic to the artifact and have long been used in Maven repositories to provide certification of origin. Eclipse’s PGP support facilitates significantly streamlined consumption of Maven-based artifacts by Eclipse projects, making it easier for our community to exploit and deliver the latest and greatest libraries with each quarterly simultaneous release.

The initial proof-of-concept PGP implementation was contributed by Mickael Istria. In combination with Mickael’s on-going participation, along with Christoph Läubrich’s technical insights, the working group has helped to harden the PGP implementation to industrial-strength quality for the SimRel 2022-03 delivery. Even the existing support for jar signing has been improved, as users can now easily save trusted X.509 certificates to avoid repeated trust prompts as is typical with self-signed certificates. Issue 11 provides a detailed track record of all the activities around PGP signing during the 2022-03 release cycle as well as additional background information.

With this groundwork in place, our community as a whole can exploit PGP signing for broader adoption in the Eclipse 4.24 (SimRel 2022-06) delivery this coming June.

Planning Council’s Top 3 Items

The Planning Council plays an important role in the Eclipse IDE WG. The Planning Council can be seen as the “technical” arm of the WG. At the beginning of the first year, under the leadership of Mélanie Bats, the Planning Council was tasked by the Steering Committee to identify the top issues affecting the successful release and adoption of the Eclipse IDE as a platform and a product.

After much brainstorming and debate the Planning Council recommended the “top three” items to the Steering Committee to focus on:

  • The “Bus Factor“, particularly of the release engineering processes of the Simultaneous Release (SimRel).
  • Identifying individual project risks, for example identifying which projects contributing to the SimRel are under-resourced and understanding which downstream projects are affected.
  • Updating the graphical layer Eclipse where it is lagging behind operating system changes, for example improving dark mode, better operating system and web browser integration.

The Steering Committee took these items and translated them to action points that are now being carried out and has allocated a substantial portion of the IDE WG’s budget to improving these common parts of the Eclipse IDE. The highlights of this work include:

  • Hiring Ed Merks as the SimRel release engineer.
  • Ed has also found time to start mapping out the incredibly complicated dependency graphs between the dozens of different projects contributing to the SimRel to better understand the impact of any particular project discontinuing participation and to fully understand the dependency chain of each bundle in the SimRel repository.
  • The Eclipse Foundation has created new guidelines for funding work such as the graphical layer improvements. This is the most recent action point and already some bugs are being fixed under this program.

One year into the Eclipse IDE WG and Jonah Graham is now the chair of  the Planning Council. The Planning Council is pleased to see some concrete actions taking place under the new Working Group. The structures and processes in the Working Group have progressed well and additional funding of the IDE WG will see direct improvements in the quality, stability and adoption of the Eclipse IDE.

Engage in the Working Group

We still have much to do! If you are interested in joining us and supporting the development of the Eclipse IDE technology stack, improving the user experience of the platform, and making it more attractive for organisations, let us know. We welcome the opportunity to speak with everyone who wants to help shape the future of the Eclipse IDE.

The resources funded by the IDE Working Group members are really paying dividends for our community, both for the producers and for the consumers. If you’re a consumer, please consider investing in our community’s ongoing success by supporting the Eclipse IDE with funding, contributions, new ideas, new points of view, and by getting directly involved in development efforts. Better funding enables us to achieve more, and more hands make the work lighter.

If you are interested in becoming a Working Group member, you can get in touch with us by completing the membership form or by sending an email to the Membership Coordination Team. If you are interested in becoming a sponsor, let us know.

Stay In Touch

We love exchanging ideas, so if you have any questions or would like to know more about what we do here, connect with us!  You can also join our meetings to find out more about what we’re up to. They are open to the community and take place every 2 weeks from 2:30pm to 3:30pm (CET) on Tuesdays. Or you can contact a member of the steering committee, we’re always happy to talk to you.

Written by Mike Milinkovich

April 26, 2022 at 8:01 am

Posted in Foundation

Tagged with ,