Life at Eclipse

Musings on the Eclipse Foundation, the community and the ecosystem

Posts Tagged ‘Eclipse Foundation

Security Leadership at the Eclipse Foundation

with 3 comments

As everyone who is involved in the software industry is well aware, security is a significant topic these days. In particular, open source supply chain security is top of mind across the entire ICT industry. The Eclipse Foundation, its community, its projects, and its working groups all have a strong motivation to be leaders in advocating and implementing security best practices. Our members, adopters, users, and stakeholders all desire that their security risks be mitigated to the degree possible. 

One thing that is clear, however, is that simply putting the burden of added security work on the shoulders of our committers and project leaders is not an option. This topic needs to be addressed by services provided by the Eclipse Foundation to our project community or it will fail. Without strong support in terms of release and build engineering, tooling, and education, developers simply do not have the time, interest, or skills necessary to be responsible for implementing security best practices. It is equally true that security, and particularly supply chain security, requires a programmatic approach. Security is not an attribute that you simply add to existing software.

So we need to provide services to our projects to implement our Open Source Software Supply Chain Best Practices. We envisage this as a collection of services provided to our projects by staff to protect our code repositories, secure third party artifacts, provide security audits, secure build pipelines, and protect build outputs. 

The Eclipse Foundation has long had a security policy, and is a CVE numbering authority. We have a long track record of taking security seriously. However, we are not going to be able to accomplish more without leadership. So, to that end, I am very pleased to announce that we have recently promoted Mikaël Barbero as our new Head of Security. Mikaël is well known to our community as having led our Common Build Infrastructure for many years, as well as having authored the best practices document referenced above. Mikaël will be providing leadership to our security initiatives, and will be working closely with our projects and our IT staff to steadily improve security across the Eclipse community. Some of this work will complement or leverage related efforts to improve our IP processes and provide software bill of materials (SBOMs) for all of our projects. We expect to make a number of program announcements over the coming months, so stay tuned. Please join me in welcoming Mikaël in his new role.

Written by Mike Milinkovich

May 12, 2022 at 7:41 am

EE4J Code Arrives

Last week the EE4J project achieved an important milestone when the source code for the API and reference implementation of JSON-P JSR-374 project was pushed by Dmitry Kornilov into its GitHub repository in the EE4J organization. This is the first project of the initial nine proposed to reach this stage.

This may seem like a small step in a very large process, but it is a concrete demonstration of the commitment to move forward with the migration of Java EE to the Eclipse Foundation. The Oracle team and the Eclipse Foundation staff had a ton of work to do to make this possible. This is definitely one of those cases where the visible code contributions are just the visible tip of an iceberg’s worth of effort.

Here are just a few examples of the work that went on to get to this stage:

  • The names of the projects such as Glassfish represent important trademarks in the industry. Oracle transferred ownership of these project names to the Eclipse Foundation so that they can be held and protected for the community.
  • The EMO staff reviewed the projects proposals, ran the project creation review, provisioned the repositories and set up the committer lists.
  • The Oracle team packaged up the source code and updated the file headers to reflect the new EPL-2.0 licensing.
  • The EMO IP staff scanned the code and ensured that all was well before approving it for initial check-in.

Now that the collective team has run through this process with JSON-P we will be working to get the remaining eight initial projects pushed out as quickly as possible. Hopefully by the end of this month. Meanwhile, more projects will be proposed and we will be migrating a steady stream of Java EE projects into EE4J.

Exciting times!

Written by Mike Milinkovich

January 15, 2018 at 11:51 am

Proposal: Funding Eclipse Platform Development

Last month I announced that the Eclipse Foundation is going to begin using personal and corporate donations to fund Eclipse platform development. Of course, the devil is in the details, and as an open source community we need to define an open and transparent process for how work is prioritized, and funds are allocated. Today, we are publicizing a draft document that lays out such a process.

One thing that we know is that the process can seem sort of heavyweight when you first read it. Be assured that we will be putting together some open-ended work packages to ensure that it remains lightweight and agile as possible.

If you have any comments or feedback, please post them on the ide-dev@eclipse.org list (subscribe here).

We are looking forward to your feedback!

Written by Mike Milinkovich

September 29, 2015 at 8:00 am

Posted in Foundation

Tagged with