Life at Eclipse

Musings on the Eclipse Foundation, the community and the ecosystem

Posts Tagged ‘Open Source’

European Cyber Resiliency Act: Potential Impact on the Eclipse Foundation


Europe has proposed new legislation intended to improve the state of cybersecurity for software and hardware products made available in Europe. The Cyber Resiliency Act (“CRA”) will mandate that all manufacturers take security into account across both their development processes and the lifecycle of their products once in the hands of consumers. 

This document discusses the legislation and the potential impact it may have on the Eclipse Foundation and its 400+ projects and community. Many of the issues noted could have a similar impact on other open source organizations and projects. It is written based on our reading of the current draft legislation and a number of assumptions stated below. Note that it consciously does not include a discussion of possible revisions to the legislation, although we may post a follow-up which does. It also does not include any discussion concerning the warranty and product liability provisions of the legislation, as we have not yet analyzed the impact those may have on us.

We are sincerely looking for comments and feedback, as it is quite possible that we have misunderstood or misinterpreted the documents.

It is important to stress that the Eclipse Foundation is better positioned to deal with the fallout from the CRA than many other open source organizations. We have staff. We have some resources. We have common community processes and practices shared across our many projects. We have CI/CD infrastructure shared by most (but not all) of our projects. We have a security team, written security policies and procedures, and are a CVE numbering authority. Despite being in a better position than most, we fear that the obligations set forth by the legislation will cripple the Eclipse Foundation and its community. 

There are a number of other excellent summaries of the worrisome impact of this legislation on the open source ecosystem. We highly recommend reading:

Both of those articles primarily focus on the potential impact of the CRA on individual open source projects. Olaf’s document in particular suggests improvements to the draft. In this document we want to focus on the impact on an organization such as the Eclipse Foundation and its open source projects if the CRA was approved in its current form. How the CRA should or could be amended is being discussed elsewhere. The purpose of this document is to provide a resource explaining the impact of the legislation as it stands today.

It is important to note that the CRA does make a laudable attempt to carve out free and open source software, but only “…outside the course of a commercial activity…”. Maarten Aertsen does an excellent job of summarizing the problems with this carve-out. In particular he references a definition of commercial activity used in the EU Blue Guide on the implementation of EU product rules, which states:

Commercial activity is understood as providing goods in a business related context. Non-profit organisations may be considered as carrying out commercial activities if they operate in such a context. This can only be appreciated on a case by case basis taking into account the regularity of the supplies, the characteristics of the product, the intentions of the supplier, etc. In principle, occasional supplies by charities or hobbyists should not be considered as taking place in a business related context.

Assumptions

  • The CRA references the term “product” over 600 times but does not appear to define it. The act does define the term ‘product with digital elements’. For the purposes of this document we will assume that, under the CRA, any Eclipse Foundation project software made generally available to the public as a downloadable, installable, and executable binary would be considered a ‘product with digital elements’.
    • In addition, there are at least some EF projects which may be considered a ‘critical product with digital elements’ (e.g. Kura, Keyple, ioFog, fog05) or a ‘highly critical product with digital elements’ (e.g. Oniro, Leda, 4diac).
  • The CRA defines ‘manufacturer’ as “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge”. For the purposes of this document, we will assume that the Eclipse Foundation would be considered the manufacturer of the binaries produced by its projects. Among other reasons justifying this assumption, the Eclipse Foundation asserts that it owns the trademark rights for each of its projects and the binaries they release and (resources permitting) we market them as works of the Eclipse Foundation. 
  • As mentioned above there is an attempt to exclude free and open source software produced outside the course of a commercial activity from the scope of the legislation. For the purposes of this document we will assume that Eclipse Foundation project software would be considered as produced under the course of a commercial activity, and would therefore be subject to the legislation. This assumption is based on the following:
    • The Eclipse Foundation is not a charity. It is a Belgian-incorporated international nonprofit association of hundreds of business members. 
    • Eclipse Foundation projects are not, generally speaking, developed by hobbyists. While some are, our projects are commonly developed by full-time employees of our member companies or by individuals who are making a living from consulting services related to their project work. 
    • Eclipse Foundation projects provide goods in a business related context. By that we mean that EF projects are largely intended to provide software which is immediately ready for adoption by businesses, either as a component within a commercial product or for use by employees in their daily work.
    • Eclipse Foundation projects provide a regularity of supply. As one extreme example, the Eclipse IDE takes great pride in having not missed a single release date in over 15 years.
    • Eclipse Foundation projects deliver high quality software, equivalent to the quality found in commercial products. So the “characteristics of the product” are equivalent to commercial products. 

Having said all of the above it is important to remind the reader that all Eclipse Foundation projects provide their software for free, on a non-profit basis, and under OSI-approved open source licenses which permit further use, study, modification, and distribution. 

Impact Assessment

CE Markings for Software Products

Fundamentally, the core of the proposed legislation is to extend the CE Mark regime to all products with digital elements sold in Europe. Our assumption based on the current text is that this process will be applied to open source software made available under open source licenses and provided free of charge, ostensibly under licenses which disclaim any liability or warranty. We are deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe.

Without a clearer exemption for open source, in order to comply with the legislation the Eclipse Foundation will be required to:

  • Develop, document, and implement policies and procedures for every project at the Eclipse Foundation to ensure they are conformant with the requirements of the CRA including:
    • All of the development and post-release security requirements set forth in Annex I, including providing notification and update mechanisms. 
    • All of the user documentation requirements set forth in Annex II.
    • All of the product technical documentation set forth in Annex V, including “…complete information on the design and development of the product…including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing.”
  • For each EF project release, prepare the project-specific documentation required by Annex V, including “…an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained…”.
  • Determine for each project whether it meets the definition of ‘product with digital elements’, ‘critical product with digital elements’, or ‘highly critical product with digital elements’.
    • For each project which is a ‘product with digital elements’, establish, complete, and document a CE mark self assessment process.
    • For each ‘critical product with digital elements’ or ‘highly critical product with digital elements’ engage with an external CE auditing body and complete the additional processes required to get the CE mark approval. Note that it is not clear to us what the costs in time, resources, and money would be to implement these external audit processes. Our assumption is that they would be substantial.

      It is also important to note that in most other domains regulated with CE markings they are done where there are well known standards, specifications, and/or certification processes in place. These are not in place for most Eclipse Foundation open source projects. This could significantly increase the costs and risks associated with conformance.
  • For each single project release, document that the relevant CE mark process is followed (as described above), that an EU declaration of conformity is written and signed by an officer of the foundation, that the CE mark is affixed, and that the technical documentation and EU declaration of conformity is made available for at least 10 years after the release. Note that we estimate that in any given year the Eclipse Foundation’s projects make available several hundred releases.

Article 4(3)

Member States shall not prevent the making available of unfinished software which does not comply with this Regulation provided that the software is only made available for a limited period required for testing purposes and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.

Many Eclipse Foundation projects make integration, nightly, weekly, and milestone builds available under their open source licenses, and keep them available indefinitely. The intent is to provide for community testing and for traceability. These binaries are marked as such, but the terms under which they are provided do not require that they be used for testing purposes only.

It is not clear how this requirement could be implemented by any open source project using modern CI/CD infrastructure and operating under the principle of transparency. Even if the binaries were marked as “testing purposes only”, the open source licenses they are provided under do, in fact, permit uses other than testing. Further, it is common practice to provide intermediate builds for extended periods of time (often permanently) to provide testers with access to past builds for problem identification and remediation. Discontinuing that practice would be significantly disruptive. And any solution based on providing intermediate builds under non-open source licenses would be impossible for Eclipse Foundation projects, as the EF does not own the copyright and obtaining the approval of all contributors would be impractical. In summary, compliance with this CRA requirement would represent a significant blow to open source development best practices. 

Article 5(1) and Section 1 of Annex I

(1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks

At a minimum this would require the development and enforcement of written policies requiring every project to assess their level of cybersecurity risk and to implement processes to ensure that there is a determination of the risk level and a justification for the development processes adopted.

(2) Products with digital elements shall be delivered without any known exploitable vulnerabilities
(3) On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
(a) …(j)

These would require a material change to our community’s release processes to require attestations that there are no known vulnerabilities and to comply with the many requirements listed. 

(k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

With a few exceptions, EF projects do not “call home”, do not require any sort of user registration, and do not provide a mechanism for notifying all users that an update is either available or required. Implementing these requirements would require a whole new infrastructure to be mandated across all projects.

Article 5(2) and Section 2 of Annex I “Vulnerability Handling Requirements”

In general, the Eclipse Foundation is in decent shape to deal with many of the stated requirements. As noted above we have a security team, written security policies and procedures, and are a CVE numbering authority. However, there are two notable elements in the requirements. 

(1) identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product

This would impose a legal requirement to produce SBOMs for all EF projects. Although it is something we aspire to, this is a very significant effort. It would also require actively monitoring all project dependencies for known vulnerabilities. This is generally considered an unsolved problem within the open source ecosystem with no known path to implementation.

(3) apply effective and regular tests and reviews of the security of the product with digital elements;

These would require a material change to our community’s development processes to mandate a whole class of testing which is not currently mandated for our projects. This is a very significant effort both to implement and to maintain.

Written by Mike Milinkovich

January 15, 2023 at 9:22 pm

Open Source Security at the Eclipse Foundation

Open source software is the single most important engine for innovation today. The ability to freely combine software components, frameworks, and platforms frees developers from constantly reinventing the wheel and allows them to focus on the new innovations that users want. Free software also enables business models to scale in ways that proprietary software would never allow. Globally and in all sectors of the economy, building on top of open source software is the dominant approach to delivering successful software systems today. 

However, with great success comes great responsibility. From Heartbleed to SolarWinds to Log4j, securing open source software and its global supply chain has never been more important. The reasons for this are many, but among them is that for too long open source has been treated by many of its consumers as “free as in free beer” where they should have been treating it as “free as in a free puppy.” Contributing to the sustainability of the projects and communities that deliver open source is really no longer a choice. It is a necessity.

At the Eclipse Foundation, we believe that foundations have a role to play in addressing the challenges of securing open source and its supply chain. Specifically, we want to provide services to our projects that help improve their security posture. But doing so requires additional staff and resources. That’s why we are so grateful for the financial support from the OpenSSF’s Alpha-Omega project, being announced today. This money will allow us to start building a team to roll out many of the ideas in our Open Source Software Supply Chain Best Practices document under the leadership of Mikaël Barbero, our Head of Security.

Some of the ways that we are going to put this funding to good use include:

  • Automate the generation of static source-based SBOMs for all Eclipse Foundation project repositories.
  • Implement a SLSA-based project badging program for Eclipse Foundation projects.
  • Initiate a number of security audits for high-profile Eclipse Foundation projects.

We are also going to provide regular and public updates to the community about our progress and initiatives.

Software security is a never-ending process. This funding is the first step in a journey. We appreciate the support of the Alpha-Omega project, and are committed to using it effectively. 

Written by Mike Milinkovich

June 19, 2022 at 7:28 pm

AQAvit Brings Quality Assurance to Adoptium Marketplace and Java Ecosystem

The launch of the Adoptium Marketplace on May 26 is exciting news for the millions of developers, researchers, and organizations who rely on TCK-tested compatible Java runtimes. As noted in the announcement, by providing a vendor neutral home for the OpenJDK ecosystem, the marketplace makes it easier than ever to access Java SE-conformant binaries necessary for cloud native and enterprise deployments.

But there’s more to the story. For a long time, compatibility has been the name of the game when it came to Java implementations. The Adoptium Marketplace has been set up to take the Java ecosystem to the next stage of its development. 

That’s where Eclipse AQAvit comes in. It brings quality assurance metrics into the marketplace, so that the Java community can begin to select binaries not just based on compatibility but on quality. 

Eclipse AQAvit Brings Quality Assurance to Java

Everything in the marketplace will be compatible with the relevant version of the Java SE Technology Compatibility Kit (TCK). 

But TCK compatibility doesn’t tell you anything about the quality of the implementation. In recent years, the number of OpenJDK-based runtime distributions has absolutely exploded. And although many vendors maintain their own release quality tests, OpenJDK distros have historically not been built to any consistent quality standard. It has become increasingly clear that the Java ecosystem needs a consistent, multi-vendor definition of quality.

Ensuring high-quality binaries are ready for production deployment is crucial for the Adoptium Marketplace. The AQAvit project team compiled tens of thousands of tests and built a few of their own to produce a comprehensive, systematic way of ensuring the quality of runtimes available. The AQAvit Quality Verification Suite covers a broad set of requirements, ensuring binaries provide superior: 

  • Performance
  • Security
  • Resilience
  • Endurance

They also ensure that the binaries can pass a wide variety of application test suites and can verify new functionality during runtime development. That’s what’s unique about the Adoptium Marketplace: it provides peace of mind knowing that the binaries are not only compatible but will actually meet the demanding requirements of your enterprise applications.

Contributing Helps Ensure AQAvit Meets Your Needs

And in the spirit of open source, you give a little to get a lot.

Many of the founding members of the Adoptium Working Group are Java developers and vendors, including Alibaba Cloud, Azul, Huawei, IBM, iJUG, Karakun AG, Microsoft, New Relic, and Red Hat. The marketplace enables working group members to promote their Java SE compatible releases verified to Eclipse AQAvit’s quality criteria. Their membership helps support the cloud-based infrastructure that drives Adoptium’s efficiency as a shared community project. In other words, the working group collaborates to create and provide access to high-performance, enterprise-caliber, cross-platform, open source-licensed, and Java-compatible binaries of OpenJDK builds, through the marketplace. 

Contributing to the AQAvit project is one of the best ways to ensure access to runtimes that meet specific needs. We encourage Java community members to get involved and contribute additional tests to cover the use cases their applications require. They’ll be incorporated in the AQAvit test suite, so every binary going forward will have to meet that standard. This way enterprises and developers can be confident any AQAvit-verified binaries they use will function as needed. 

Security Updates for Java

Quality assurance is a big part of what makes the Adoptium Marketplace unique, but it’s not the whole picture. Security fixes are also an important focus.

Once upon a time, you could count on getting security fixes for old versions of Java for a long time. After all, if you’ve deployed a set of applications on a version, you’re probably going to want to use it for a long time. 

That’s no longer the case elsewhere. But all the distributions in the Adoptium Marketplace will be kept up to date with the latest security patches or those patches will be backported to older LTS versions. This way you can be sure that your applications are secure, no matter which version of Java you’re running them on. Of course, this goes for new versions of Java too.

Everything Users Need in One Place

The Adoptium Marketplace brings together all these elements — quality assurance, adaptability to community needs, security updates for every version, sustainability — into a one-stop shop for binaries. Ultimately, this delivers five key assurances to end users:

  • The binary has been tested and is compatible with the relevant version of the Java SE TCK
  • The binary was built in accordance with open source principles
  • The binary has been fully verified using the AQAvit quality verification criteria, having passed through multiple tests to ensure it meets industry quality standards
  • The binary is as secure as possible, with the latest security updates included
  • The binary is brought to you by a vendor committed to supporting and participating in a multi-vendor, vendor-neutral collaboration

If your organization is considering participating in the Adoptium Working Group, have a look at the Charter and Participation Agreement. Or if you have questions, email us at membership@eclipse.org.

Written by Mike Milinkovich

May 31, 2022 at 7:33 am

Security Leadership at the Eclipse Foundation

As everyone who is involved in the software industry is well aware, security is a significant topic these days. In particular, open source supply chain security is top of mind across the entire ICT industry. The Eclipse Foundation, its community, its projects, and its working groups all have a strong motivation to be leaders in advocating and implementing security best practices. Our members, adopters, users, and stakeholders all desire that their security risks be mitigated to the degree possible. 

One thing that is clear, however, is that simply putting the burden of added security work on the shoulders of our committers and project leaders is not an option. This topic needs to be addressed by services provided by the Eclipse Foundation to our project community or it will fail. Without strong support in terms of release and build engineering, tooling, and education, developers simply do not have the time, interest, or skills necessary to be responsible for implementing security best practices. It is equally true that security, and particularly supply chain security, requires a programmatic approach. Security is not an attribute that you simply add to existing software.

So we need to provide services to our projects to implement our Open Source Software Supply Chain Best Practices. We envisage this as a collection of services provided to our projects by staff to protect our code repositories, secure third party artifacts, provide security audits, secure build pipelines, and protect build outputs. 

The Eclipse Foundation has long had a security policy, and is a CVE numbering authority. We have a long track record of taking security seriously. However, we are not going to be able to accomplish more without leadership. So, to that end, I am very pleased to announce that we have recently promoted Mikaël Barbero as our new Head of Security. Mikaël is well known to our community as having led our Common Build Infrastructure for many years, as well as having authored the best practices document referenced above. Mikaël will be providing leadership to our security initiatives, and will be working closely with our projects and our IT staff to steadily improve security across the Eclipse community. Some of this work will complement or leverage related efforts to improve our IP processes and provide software bill of materials (SBOMs) for all of our projects. We expect to make a number of program announcements over the coming months, so stay tuned. Please join me in welcoming Mikaël in his new role.

Written by Mike Milinkovich

May 12, 2022 at 7:41 am

Eclipse Software Defined Vehicle: Building the Future of Automotive

Today the Eclipse Foundation is announcing a new working group dedicated to developing a new and innovative software platform for the world’s automotive industry. The Eclipse Software Defined Vehicle (SDV) initiative has the support of leading companies across the automotive, IT, cloud, and services industries, all of which are necessary to create the platform and ecosystem that will drive innovation for the next generation of mobility solutions. 

The automotive industry today is undergoing a radical transformation. Electrification, autonomous vehicles, advanced driver assistance systems, and ever-increasing consumer expectations about their in-car digital experience, are all happening at once. These trends are dramatically transforming the system architectures embedded in vehicles. Automotive architectures are moving from networks of special purpose devices to something that more closely resembles servers on wheels, where more powerful general purpose computers are responsible for implementing and coordinating the various systems in the automobile, including the ones which keep us and our families safe on the road. And these systems architectures are rapidly changing how automotive software needs to be built.

The vision of SDV is to radically transform the automotive industry by collaboratively developing a common software platform that all participants in the automotive industry can use in an openly licensed, royalty-free manner. From an IT technology perspective this is not particularly radical. After all, open source platforms and “software defined everything” (e.g. storage, networking, data center, radio, etc.) are two of the defining trends in the IT industry over the past decade (or more). In the case of open source platforms the trend has been driven by eliminating the cost of non-differentiating software, decreasing the time to market in delivering complex systems, and reducing risk by relying on proven software platforms and components. “Software defined everything” has largely been driven by Moore’s Law and the resulting cost savings of replacing special purpose devices with general purpose computers running special purpose software.

But from an industry perspective, the technical implications of an openly licensed SDV software platform for the automotive industry are very radical. It will dramatically reshape the automotive industry similar to how software-defined networking reshaped the telecommunications industry. Free software platforms which provide a software stack for the core non-differentiating technologies will quickly lead to disruptive technical and business innovations across the value chain in any industry. 

The Eclipse SDV initiative is primarily radical because it is among the first truly open industry collaborations in automotive. Historically, automotive industry groups have delivered standards or specifications available only to members of their respective consortia. Often these innovations were encumbered with FRAND-style licensing arrangements which hindered wide adoption. Eclipse SDV is going to provide a radical departure from this “business as usual” approach in automotive by focusing on open source software stacks, liberally licensed software specifications, and a community-based, collaborative approach to innovation rather than the top-down, architecture-driven, consensus-based models of the past. The mantra of Eclipse SDV is “code first”, and that is definitely a radical idea in automotive. We are humbled by the trust that Accenture, Arm, AVL, Bosch, Capgemini, Continental Automotive, DMI, ETAS, Futurewei Technologies, Karakun, Microsoft, Red Hat, Reycom, SUSE, and ZF are placing in the Eclipse Foundation to act as the steward for this exciting initiative. 

I want to sincerely thank everyone who helped get this initiative off the ground and raise awareness about its value to organizations across the automotive industry.

I also want to encourage automotive industry stakeholders of all sizes and with any goals to consider joining the working group. The breadth and depth of in-vehicle software creates opportunities across every area of automotive development — from deployment, configuration, and communications to monitoring, safety, and security. If you or your organization are interested in learning more about joining Eclipse SDV, please contact us.

With the Eclipse Foundation’s commitment to transparency, vendor neutrality, and a shared voice, all participants have an equal opportunity to shape the future of the SDV Working Group and play a vital role in the future evolution of the automotive industry.  

To learn more about getting involved in the Software-Defined Vehicle Working Group, visit sdv.eclipse.org or email us at membership@eclipse.org.

Written by Mike Milinkovich

March 8, 2022 at 8:56 am