Prioritized Dev Effort 6 - Implementing recommendations of p2 security review

In fall of 2022 the Eclipse Foundation funded an audit by OSTIF of the recent changes to p2 to support detached signatures. The results of this audit were announced on 31 Jan 2023 and included 4 concrete vulnerability issues (email link):

(Note: These issues are only visible to committers until full disclosure.)

This development effort is to fund implementing fixes for the listed issues. The issues list vulnerabilities, some with possible mitigation options. This development effort includes researching and achieving consensus with the Eclipse p2 maintainer community about the correct solution to each of these vulnerabilities. p2 is part of the Eclipse Equinox project, which is in turn part of the Eclipse project.

Expected deliverables/outcomes:

  • The Eclipse Foundation IT Infrastructure does not have any expected impacts for this development effort.
  • The means of verification of completion will require the individual bugs to be completed and approved by an Eclipse p2 or Eclipse project committer.

An SoW for this dev effort may cover one or multiple issues, and as such this issue can be duplicated to cover the individual issues as needed.

Edited by Jonah Graham