Prioritized Dev Effort 6 - Implementing recommendations of p2 security review
In the fall of 2022, the Eclipse Foundation funded an audit by OSTIF of the recent changes to p2 to support detached signatures. The results of this audit were announced on 31 Jan 2023 and included 4 concrete vulnerability issues (email link):
- Bug 575688 (most critical item)
- Bug 577029
- Bug 581453
- Bug 581452
- Bug 581451
(Note: These issues are only visible to committers until full disclosure.)
This development effort is to fund implementing fixes for the listed issues. The issues describe vulnerabilities, some with possible mitigation options. This development effort includes researching and achieving consensus with the Eclipse p2 maintainer community about the correct solution to each of these vulnerabilities. p2 is part of the Eclipse Equinox project, which is in turn part of the Eclipse project.
Expected deliverables/outcomes:
- Sufficient consensus that the Eclipse Project accepts the direction forward. If there is disagreement about the correct resolution, the Committer disagreement resolution process can be engaged. The p2 project lead is [listed on the PMI here].
- Merged Pull Requests against the p2 GitHub repo (https://projects.eclipse.org/projects/eclipse.equinox/who) or related repos, as has been agreed.
- The Eclipse Foundation IT Infrastructure does not have any expected impacts from this development effort.
- The means of verification of completion will require that the individual bugs be completed and approved by an Eclipse p2 or Eclipse project committer.
An SoW for this dev effort may cover one or multiple issues, and as such this issue can be duplicated to cover the individual issues as needed.