Life at Eclipse

Musings on the Eclipse Foundation, the community and the ecosystem

Archive for the ‘Open Source’ Category

Open Source Security at the Eclipse Foundation

Open source software is the single most important engine for innovation today. The ability to freely combine software components, frameworks, and platforms frees developers from constantly reinventing the wheel and allows them to focus on the new innovations that users want. Free software also enables business models to scale in ways that proprietary software would never allow. Globally and in all sectors of the economy, building on top of open source software is the dominant approach to delivering successful software systems today. 

However, with great success comes great responsibility. From Heartbleed to SolarWinds to Log4j, securing open source software and its global supply chain has never been more important. The reasons for this are many, but among them is that for too long open source has been treated by many of its consumers as “free as in free beer” where they should have been treating it as “free as in a free puppy.” Contributing to the sustainability of the projects and communities that deliver open source is really no longer a choice. It is a necessity.

At the Eclipse Foundation, we believe that foundations have a role to play in addressing the challenges of securing open source and its supply chain. Specifically, we want to provide services to our projects that help improve their security posture. But doing so requires additional staff and resources. That’s why we are so grateful for the financial support from the OpenSSF’s Alpha-Omega project, being announced today. This money will allow us to start building a team to roll out many of the ideas in our Open Source Software Supply Chain Best Practices document under the leadership of Mikael Barbero, our Head of Security. 

Some of the ways that we are going to put this funding to good use include:

  • Automate the generation of static source-based SBOMs for all Eclipse Foundation project repositories.
  • Implement a SLSA-based project badging program for Eclipse Foundation projects.
  • Initiate a number of security audits for high-profile Eclipse Foundation projects.

We are also going to provide regular and public updates to the community about our progress and initiatives.

Software security is a never-ending process. This funding is the first step in a journey. We appreciate the support of the Alpha-Omega project, and are committed to using it effectively. 

Written by Mike Milinkovich

June 19, 2022 at 7:28 pm

AQAvit Brings Quality Assurance to Adoptium Marketplace and Java Ecosystem

The launch of the Adoptium Marketplace on May 26 is exciting news for the millions of developers, researchers, and organizations who rely on TCK-tested compatible Java runtimes. As noted in the announcement, by providing a vendor neutral home for the OpenJDK ecosystem, the marketplace makes it easier than ever to access Java SE-conformant binaries necessary for cloud native and enterprise deployments.

But there’s more to the story. For a long time, compatibility has been the name of the game when it came to Java implementations. The Adoptium Marketplace has been set up to take the Java ecosystem to the next stage of its development. 

That’s where Eclipse AQAvit comes in. It brings quality assurance metrics into the marketplace, so that the Java community can begin to select binaries not just based on compatibility but on quality. 

Eclipse AQAvit Brings Quality Assurance to Java

Everything in the marketplace will be compatible with the relevant version of the Java SE Technology Compatibility Kit (TCK). 

But TCK compatibility doesn’t tell you anything about the quality of the implementation. In recent years, the number of OpenJDK-based runtime distributions has absolutely exploded. And although many vendors maintain their own release quality tests, OpenJDK distros have historically not been built to any consistent quality standard. It has become increasingly clear that the Java ecosystem needs a consistent, multi-vendor definition of quality.

Ensuring high-quality binaries are ready for production deployment is crucial for the Adoptium Marketplace. The AQAvit project team compiled tens of thousands of tests and built a few of their own to produce a comprehensive, systematic way of ensuring the quality of runtimes available. The AQAvit Quality Verification Suite covers a broad set of requirements, ensuring binaries provide superior: 

  • Performance
  • Security
  • Resilience
  • Endurance

They also ensure that the binaries can pass a wide variety of application test suites and can verify new functionality during runtime development. That’s what’s unique about the Adoptium Marketplace: it provides peace of mind knowing that the binaries are not only compatible but will actually meet the demanding requirements of your enterprise applications.

Contributing Helps Ensure AQAvit Meets Your Needs

And in the spirit of open source, you give a little to get a lot.

Many of the founding members of the Adoptium Working Group are Java developers and vendors, including Alibaba Cloud, Azul, Huawei, IBM, iJUG, Karakun AG, Microsoft, New Relic, and Red Hat. The marketplace enables working group members to promote their Java SE compatible releases verified to Eclipse AQAvit’s quality criteria. Their membership helps support the cloud-based infrastructure that drives Adoptium’s efficiency as a shared community project. In other words, the working group collaborates to create and provide access to high-performance, enterprise-caliber, cross-platform, open source-licensed, and Java-compatible binaries of OpenJDK builds, through the marketplace. 

Contributing to the AQAvit project is one of the best ways to ensure access to runtimes that meet specific needs. We encourage Java community members to get involved and contribute additional tests to cover the use cases their applications require. They’ll be incorporated in the AQAvit test suite, so every binary going forward will have to meet that standard. This way enterprises and developers can be confident any AQAvit-verified binaries they use will function as needed. 

Security Updates for Java

Quality assurance is a big part of what makes the Adoptium Marketplace unique, but it’s not the whole picture. Security fixes are also an important focus.

Once upon a time, you could count on getting security fixes for old versions of Java for a long time. After all, if you’ve deployed a set of applications on a version, you’re probably going to want to use it for a long time. 

That’s no longer the case elsewhere. But all the distributions in the Adoptium Marketplace will be kept up to date with the latest security patches or those patches will be backported to older LTS versions. This way you can be sure that your applications are secure, no matter which version of Java you’re running them on. Of course, this goes for new versions of Java too.

Everything Users Need in One Place

The Adoptium Marketplace brings together all these elements — quality assurance, adaptability to community needs, security updates for every version, sustainability — into a one-stop shop for binaries. Ultimately, this delivers five key assurances to end users:

  • The binary has been tested and is compatible with the relevant version of the Java SE TCK
  • The binary was built in accordance with open source principles
  • The binary has been fully verified using the AQAvit quality verification criteria, having passed through multiple tests to ensure it meets industry quality standards
  • The binary is as secure as possible, with the latest security updates included
  • The binary is brought to you by a vendor committed to supporting and participating in a multi-vendor, vendor-neutral collaboration

If your organization is considering participating in the Adoptium Working Group, have a look at the Charter and Participation Agreement. Or if you have questions, email us at membership@eclipse.org

Written by Mike Milinkovich

May 31, 2022 at 7:33 am

Eclipse Theia is the next generation of Eclipse!

For over 20 years the Eclipse IDE platform, along with the Eclipse Rich Client Platform (RCP), has provided core technologies for building richly featured language IDEs, products, and applications that are portable across Windows, Mac, and Linux desktops. However, time moves on and the next generation of desktop products and applications are now being built with web technologies. In many scenarios there is a need to support both desktop and web deployments with the same functionality, and obviously those who have this requirement would ideally like to support it using a single platform.

With this shift towards web and cloud development, many Eclipse platform adopters are now evaluating how to best migrate their existing tools, IDEs and applications. One technology to consider is Eclipse Theia. Theia is a platform that can be used for building both web and desktop IDEs and tools, based on modern, state-of-the-art web technologies (TypeScript, CSS, HTML). This often leads to the question: Is Eclipse Theia the next generation of Eclipse?

EclipseSource, a member of the Eclipse Cloud DevTools Working Group, recently published a blog post asking this question. The article discusses requirements for a tool platform and how both Eclipse desktop and Eclipse Theia address these requirements. Ultimately, they come to the conclusion that Eclipse Theia can indeed be considered the next generation platform for building portable applications. And I agree. Eclipse Theia is indeed the next generation tooling and applications platform from the Eclipse Foundation!

Just to be clear, this is not an announcement of the deprecation of the Eclipse IDE, the Eclipse Tool Platform or Eclipse RCP. These projects are stable, widely used, well maintained, and will continue to be so for a long time. The timeframe of course depends on the health and activity of the ecosystem and the community, which is now the focus of the Eclipse IDE Working Group created last year to ensure the long-term sustainability of the Eclipse IDE and Platform. I highly recommend any company building products or critical business applications on the Eclipse platform to join that group. At the same time, we are clearly seeing a shift of developer tools and IDEs towards web-based technology, and ultimately the cloud. As a result, many projects currently based on Eclipse desktop technologies are asking what comes next.

The Eclipse ecosystem has always combined sustainability, innovation, and vendor neutral collaboration. For the last 20 years, the Eclipse desktop ecosystem has been an exemplar of this, and it will continue to be a focus of the Foundation. At the same time, we continue to innovate, e.g. with Eclipse Theia and other related technologies such as Eclipse Che, Eclipse GLSP, and EMF.cloud. This is the beauty of an industry-driven open source ecosystem like Eclipse. It addresses the requirements of adopters to have a stable platform, while also providing paths to move forward and innovate.

Despite not sharing a single line of code, in many ways Theia is an evolution of the Eclipse Tools Platform. Theia builds on wisdom distilled from two decades of engineering at Eclipse, in order to inspire the next generation. Besides the obvious benefit of simply offering a web-based technology stack, Theia is slimmer, and able to lean more heavily on aspects of the web technology stack. It does not, for example, provide its own UI technology (as Eclipse needed to do with SWT). It also doesn’t provide a new module system (as Eclipse did with OSGi). Instead, it is based on available technologies such as HTML/TypeScript, Node, VS Code extensions, and the Monaco Code Editor. This is great for the sustainability of the project. By maintaining less code and reusing more standard technologies, development resources can be focused more on the core capabilities of the platform.

Theia also has a very healthy community of active contributors, adopters and funding organizations. It is seeing widespread and mainstream adoption, serving as the platform for notable commercial technologies, including the Arduino IDE, Arm’s mbed studio, and the Google Cloud Shell Editor. There is also a wealth of extensions freely available for Theia at the Open VSX Registry.


I should also point out that along with Theia, there are several additional technologies that help create a solid ecosystem for the next generation tool platform at the Eclipse Foundation. To mention just a few: Eclipse Che offers online workspace management; Eclipse GLSP provides support for building diagram editors in the browser; Eclipse CDT.cloud supports building customizable web-based C/C++ tools; and EMF.cloud moves the Eclipse modeling ecosystem to the web.

We are very happy to see Theia flourishing and the robustness of its community. Theia certainly is the central building block of the new generation of tools that want to benefit from web-based technologies and cloud deployments. And so, yes, in this context, Theia and its ecosystem can be considered the next generation of Eclipse Platform.

2022-04-19: Edited to update the contributors logo graphic

Written by Mike Milinkovich

April 19, 2022 at 7:57 am

Posted in Open Source


Eclipse Software Defined Vehicle: Building the Future of Automotive

Today the Eclipse Foundation is announcing a new working group dedicated to developing a new and innovative software platform for the world’s automotive industry. The Eclipse Software Defined Vehicle (SDV) initiative has the support of leading companies across the automotive, IT, cloud, and services industries, all of which are necessary to create the platform and ecosystem that will drive innovation for the next generation of mobility solutions. 

The automotive industry today is undergoing a radical transformation. Electrification, autonomous vehicles, advanced driver assistance systems, and ever-increasing consumer expectations about their in-car digital experience, are all happening at once. These trends are dramatically transforming the system architectures embedded in vehicles. Automotive architectures are moving from networks of special purpose devices to something that more closely resembles servers on wheels, where more powerful general purpose computers are responsible for implementing and coordinating the various systems in the automobile, including the ones which keep us and our families safe on the road. And these systems architectures are rapidly changing how automotive software needs to be built.

The vision of SDV is to radically transform the automotive industry by collaboratively developing a common software platform that all participants in the automotive industry can use in an openly licensed, royalty-free manner. From an IT technology perspective this is not particularly radical. After all, open source platforms and “software defined everything” (e.g. storage, networking, data center, radio, etc.) are two of the defining trends in the IT industry over the past decade (or more). In the case of open source platforms the trend has been driven by eliminating the cost of non-differentiating software, decreasing the time to market in delivering complex systems, and reducing risk by relying on proven software platforms and components. “Software defined everything” has largely been driven by Moore’s Law and the resulting cost savings of replacing special purpose devices with general purpose computers running special purpose software.

But from an industry perspective, the technical implications of an openly licensed SDV software platform for the automotive industry are very radical. It will dramatically reshape the automotive industry similar to how software-defined networking reshaped the telecommunications industry. Free software platforms which provide a software stack for the core non-differentiating technologies will quickly lead to disruptive technical and business innovations across the value chain in any industry. 

The Eclipse SDV initiative is primarily radical because it is among the first truly open industry collaborations in automotive. Historically, automotive industry groups have delivered standards or specifications available only to members of their respective consortia. Often these innovations were encumbered with FRAND-style licensing arrangements which hindered wide adoption. Eclipse SDV is going to provide a radical departure from this “business as usual” approach in automotive by focusing on open source software stacks, liberally licensed software specifications, and a community-based, collaborative approach to innovation rather than the top-down, architecture-driven, consensus-based models of the past. The mantra of Eclipse SDV is “code first”, and that is definitely a radical idea in automotive. We are humbled by the trust that Accenture, Arm, AVL, Bosch, Capgemini, Continental Automotive, DMI, ETAS, Futurewei Technologies, Karakun, Microsoft, Red Hat, Reycom, SUSE, and ZF are placing in the Eclipse Foundation to act as the steward for this exciting initiative. 

I want to sincerely thank everyone who helped get this initiative off the ground and raise awareness about its value to organizations across the automotive industry.

I also want to encourage automotive industry stakeholders of all sizes and with any goals to consider joining the working group. The breadth and depth of in-vehicle software creates opportunities across every area of automotive development — from deployment, configuration, and communications to monitoring, safety, and security. If you or your organization are interested in learning more about joining Eclipse SDV, please contact us.

With the Eclipse Foundation’s commitment to transparency, vendor neutrality, and a shared voice, all participants have an equal opportunity to shape the future of the SDV Working Group and play a vital role in the future evolution of the automotive industry.  

To learn more about getting involved in the Software-Defined Vehicle Working Group, visit sdv.eclipse.org or email us at membership@eclipse.org

Written by Mike Milinkovich

March 8, 2022 at 8:56 am

Accelerating Innovation Through Open Source – A New Eclipse Foundation eBook

Open source plays a vital role in today’s software-driven world. It has shifted from commoditizing existing technologies to being the way new innovations achieve mainstream adoption. This can be seen in the many examples of industry-leading tools and technologies that are built on open source software, such as Eclipse ioFog, Eclipse Theia and Eclipse Che.

Our new ebook explores the many reasons why organizations around the world, across almost every industry, are developing open source strategies. Businesses that are actively involved in open source software are able to innovate more efficiently, encourage creativity on their teams, and attract and retain skilled developers. 

Of course, the organizations that benefit the most from open source participation are the ones who are putting time and effort into it. In our new ebook, you’ll find out how joining the Eclipse Foundation enables organizations of all types and sizes to contribute to and benefit from open source software under a vendor-neutral governance and legal framework that is unique in the open source world. 

For organizations who are already invested in open source through the creation of an Open Source Program Office (OSPO), we explore how foundation membership eases the burdens of ensuring the secure and responsible use of open source, fostering community engagement, driving contributions, and creating new projects.

We also take a look at how the move towards “software-defined everything” is impacting the automotive industry in a number of different ways. Communities such as the OpenADx Working Group, openMDM Working Group, and Eclipse Kuksa project are bringing automotive industry players together to collaborate on the non-competitive aspects of automotive development. This collaboration helps organizations reduce costs by avoiding repetitive development efforts. 

A growing number of global corporations are playing a critical role in the development of open source projects through their participation in communities and working groups within the Eclipse Foundation. With 18 working groups and over 415 projects, our members are committed to innovating through open source.

To learn more about how the Eclipse Foundation helps organizations achieve their innovation goals, download Accelerating Innovation Through Open Source.

Written by Mike Milinkovich

February 16, 2022 at 9:03 am

Posted in Foundation, Open Source