This security advisory provides additional technical details following our initial statement and the corresponding CVE record. TL;DR A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized extension uploads. It did not affect existing extensions or admin functions. The issue was reported on May 4, 2025, fully fixed by June 24, and followed by a complete audit. No evidence of compromise was found, but 81 extensions were proactively deact...| Opera Omnia
On May 4th, the Eclipse Foundation (EF) Security Team received a notification from researchers at Koi Security regarding a potential issue in the Eclipse Open VSX marketplace extension publication process. The EF Security Team immediately contacted the Eclipse Open VSX team, and upon confirming the issue, work on a fix was promptly initiated. Following several iterations and thorough testing (necessary due to the intrusive nature of the change to the extension build process), the fix was succe...
We are pleased to announce that the Eclipse Foundation has been selected by the Sovereign Tech Agency for a new service agreement. Through this collaboration, the Sovereign Tech Fund, a program of the Sovereign Tech Agency, will invest in the development, improvement, and maintenance of open digital base technologies worldwide, driving significant security enhancements across Eclipse Foundation projects. Why This Matters Open source software is the backbone of countless industries and techn...
Recent reports indicate that cybercriminals are exploiting the Windows DLL side-loading technique, abusing the legitimate, signed jarsigner.exe executable to load a malicious DLL placed alongside it and thereby propagate malware. This binary is commonly included in Java distributions such as Eclipse Temurin, which is also bundled with the Eclipse Integrated Development Environment (IDE). This has understandably raised concerns about the role of our software and whether the Eclipse Foundation or its projects bear any responsibility. As the Head of Security...
On November 20, 2024, the Board of Directors of the Eclipse Foundation approved version 1.2 of its Security Policy. This update brings significant enhancements aimed at improving the management, resolution, and disclosure of vulnerabilities within the Eclipse community. Here’s a rundown of the key changes and what they mean for Eclipse projects and users.
In the fast-paced world of software development, open source has emerged as a catalyst for innovation. But with this rapid growth comes an equally crucial responsibility: security. As open source continues to reshape the digital landscape, ensuring robust security measures is no longer optional; it’s essential. That’s why Open Community Experience (OCX) is placing a strong emphasis on the latest advancements in open source security. What Is OCX 2024? OCX 2024 is a conference taking place ...
The Eclipse Foundation is pleased to announce the successful implementation of two-factor authentication (2FA) for all committers on both gitlab.eclipse.org and github.com. This initiative, aimed at bolstering the security of our source code repositories, mandates that all users with write access to an Eclipse Project repository (commonly known as committers) on GitHub and the Eclipse Foundation GitLab instance must use 2FA. Two-factor authentication adds an extra layer of security by requiri...
A software provenance attestation is a signed document that associates metadata with an artifact, encompassing details like the artifact’s origin, build steps, and dependencies. This information is critical for verifying the artifact’s authenticity and integrity. Because the document carries a cryptographic signature, a consumer can detect any alteration to it and tie it to the party that produced it, which plays a vital role in mitigating supply chain attacks. By scrutinizing the provenance of binaries, users can thwart the executi...
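The mechanics behind the paragraph above, as an added example that is not code from the post or from the Eclipse Foundation: an in-toto Statement whose subject is the artifact's digest and whose predicate carries SLSA-style provenance (builder, source, build type), wrapped in a DSSE envelope and signed over the DSSE pre-authentication encoding; the consumer side then checks the signature, that the statement covers the exact bytes it is about to run, and that a trusted builder produced them. The artifact bytes, key, builder and source URIs are constructed for the example, and an HMAC-SHA256 stands in for the Sigstore/Ed25519 signature a real attestation carries.

```python
"""Added example (not from the post or the Eclipse Foundation): build, sign and
verify a minimal in-toto provenance attestation in a DSSE envelope.

Assumptions (not in the original text): HMAC-SHA256 over the DSSE PAE stands in
for a real Sigstore/Ed25519 signature; artifact, key and URIs are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample data; a real attestation covers a real binary and real key.
ARTIFACT_NAME = "example-plugin.jar"
ARTIFACT_BYTES = b"constructed artifact bytes for the example"
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
TRUSTED_BUILDER = "https://example.invalid/builder"  # assumed builder identity


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding. Signing this rather than the raw
    payload binds the payload type to the payload, so a signature cannot be
    replayed under a different type."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def make_statement(artifact_name: str, artifact: bytes) -> dict:
    """in-toto Statement: subject = artifact sha256, predicate = SLSA provenance."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/jenkins-build/v1",  # assumed
                "resolvedDependencies": [{"uri": "git+https://example.invalid/repo.git",
                                          "digest": {"gitCommit": "0" * 40}}],  # constructed
            },
            "runDetails": {"builder": {"id": TRUSTED_BUILDER}},
        },
    }


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Serialise the statement and wrap it in a DSSE envelope signed over the PAE."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope: dict, key: bytes, artifact: bytes,
                    trusted_builder: str) -> Tuple[bool, str]:
    """Consumer-side check: trusted signature, then the statement must cover the
    exact bytes we are about to run, then a trusted builder. Any failure rejects."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return False, "no valid signature"
    statement = json.loads(payload)
    if (statement.get("_type") != STATEMENT_TYPE
            or statement.get("predicateType") != SLSA_PREDICATE_TYPE):
        return False, "not a SLSA provenance statement"
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        return False, "artifact digest not among attested subjects"
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        return False, "untrusted builder: %s" % builder
    return True, "ok"


def tamper_payload(envelope: dict, new_digest: str) -> dict:
    """Simulate an attacker who swaps the attested digest without the signing key."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["subject"][0]["digest"]["sha256"] = new_digest
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(
        json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()).decode()
    return forged


if __name__ == "__main__":
    env = sign_envelope(make_statement(ARTIFACT_NAME, ARTIFACT_BYTES), SIGNING_KEY, "demo-key")
    print(json.dumps(env, indent=2))
    print(verify_envelope(env, SIGNING_KEY, ARTIFACT_BYTES, TRUSTED_BUILDER))
    print(verify_envelope(env, SIGNING_KEY, ARTIFACT_BYTES + b"x", TRUSTED_BUILDER))
    print(verify_envelope(tamper_payload(env, "ab" * 32), SIGNING_KEY, ARTIFACT_BYTES, TRUSTED_BUILDER))
```

The order of checks in `verify_envelope` is deliberate: nothing inside the payload is trusted until the signature over the PAE has been verified, the subject digest is compared against the bytes actually being installed rather than a filename, and a valid signature from the wrong builder is still a rejection. Swapping the HMAC for signature verification against a Sigstore certificate (and checking the certificate's identity instead of a shared key) gives the real-world version of the same flow.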
In the ever-evolving landscape of open-source software development, the creation and distribution of artifacts, such as compiled binaries, libraries, and documentation, represent the tangible results of a multifaceted process. These artifacts are more than just a collection of code; they are the final product of myriad decisions, alterations, and contributions, each with its unique narrative. It’s essential to grasp these narratives, the provenance of these artifacts, to secure the supp...
As part of our ongoing commitment to fortifying the security of our software development processes, we’re excited to announce a significant enhancement for all Eclipse Foundation projects utilizing our Jenkins infrastructure. This advancement comes with the integration of Sigstore, a cutting-edge solution designed to bolster the security and integrity of software supply chains. By exploring the integration of Sigstore within the Eclipse Foundation’s Jenkins setup, this article sets out to...
In the realm of open-source software, security of the supply chain is not just a concern; it’s a crucial battleground. The Eclipse Foundation, at the forefront of this fight, has taken a decisive step with its 2023 initiative to enforce two-factor authentication (2FA) across its platforms. This move is more than a security upgrade; it’s a testament to the Foundation’s commitment to safeguarding the open-source software supply chain against escalating threats.
We’re excited to announce that the Eclipse Foundation has successfully conducted a security audit for Eclipse Mosquitto, marking our fourth project audit this year. To enhance security, all Mosquitto users are urged to upgrade to the latest available version. All issues identified by the audit have been fixed in the source code. An Eclipse IoT project, Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations, from powerful serve...
We’re proud to share that the Eclipse Foundation has completed the security audit for Eclipse Jetty, one of the world’s most widely deployed web servers and servlet containers. All users are encouraged to upgrade to versions containing changes addressing all conclusions of the audit: Eclipse Jetty 12.0.0, 11.0.16, 10.0.16, and 9.4.53.
Today, the Eclipse Foundation released the results of our security audit for Eclipse JKube, a collection of tools for building Java applications that can be deployed to a cloud environment. Findings from the audit have been addressed in the 1.13 release, which also led to a new feature.
Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects. Today, we’re taking another step forward with the completion of the security audit for Equinox p2, the provisioning component of the Eclipse IDE.
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the Eclipse Foundation, the Rust Foundation, and the Open Source Security Foundation (OpenSSF) partnered to field a software supply chain security survey. Th...
Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months.
Advanced shell prompts, such as those provided by theme engines like oh-my-zsh and oh-my-posh, have become increasingly popular among software developers due to their convenience, versatility, and customizability. However, the use of plugins that are executed outside of any sandbox and have full access to the developer shell environment presents significant security risks, especially for Open Source Software developers.
Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Our previous analysis helped us prioritize the work areas where improvements would be the most significant. Let’s see where we are today.
The open source software supply chain is at risk: threat actors are shifting targets to amplify the blast radius of their attacks and thereby increase their return on investment. Over the past 3 years, we’ve witnessed an astonishing 742% average annual increase in software supply chain attacks. To make it worse, the attack surface of the supply chain is wide. Covering it all requires deep scrutiny of many factors. However, there is a simple thing, easy, and free, that every open source dev...
As stewards of the Eclipse Marketplace, the Eclipse Foundation is responsible for providing a safe place for Eclipse IDE users to download their plugins. While the Eclipse Marketplace does not host or transmit the plugin bits, it provides links to (p2) repositories containing them. Until today, there was no restriction on those links. Beginning December 15, 2022, the Eclipse Marketplace will no longer support links to repositories over plain HTTP. The goal is to protect users of the Ecli...
A postmortem about the incident that could have affected artifacts on repo.eclipse.org
TL;DR The infrastructure improvements and migration described in last year’s post are finally happening, with some tweaks.
TL;DR Projects hosted by the Eclipse Foundation will soon benefit from a brand new enterprise-grade continuous integration (CI) infrastructure. Expected improvements are: resiliency, scalability and nimbleness. We are doing this move with tremendous support from our friends at CloudBees and RedHat with their respective products Jenkins Enterprise and OpenShift Container Platform.
Key takeaways: Do you want to see a Chromium based SWT Browser implementation? Please donate (or reach out to me if you want to make corporate donations) and the Eclipse Foundation will make it happen via the Friends of Eclipse Enhancement Program (FEEP). Browser support in SWT has always been a complicated story. By default (meaning without any hint from the application developers and the users), SWT relies on “native” renderers (Internet Explorer on Windows, WebKit on macOS and WebKitGTK...
For the very first time, a Devoxx conference is happening in the USA, in San Jose, CA. It starts on March 21, 2017 and is 3 days long. Devoxx conferences are famous in Europe (organized in Belgium, France, UK, Poland, and Morocco) for their high quality talks from amazing speakers. They are also very highly rated because they are organized by developers for developers. Talks are all highly technical and the required experience from the targeted audience ranges from beginners to experts. So, with m...
The Eclipse Foundation is actively seeking bids on 10 new FEEP Development Efforts, along with 5 outstanding Development Efforts that have not yet been bid. The objective is to have this work completed in the 1st quarter of 2017.
The call for papers for Eclipse Converge 2017 is open. It is the first step toward what ought to be another great Eclipse event. For those who may not know, Eclipse Converge is a new event for the Eclipse community. It is a one-day summit dedicated exclusively to Eclipse technologies, with the goal of allowing our North American developer community to meet and share ideas.
You remember the Friends of Eclipse Enhancement Program, right? It is a program that utilizes all the donations made through the Friends of Eclipse program to make significant and meaningful improvements and enhancements to the Eclipse IDE/Platform. I think it is a good time for me to provide you with an update about what we have done in the last quarter with this program.
FEEP does sound like a bird call, but it stands for Friends of Eclipse Enhancement Program. Yes, it is a mouthful. You may wonder what it stands for… Well, let me tell you!
Two weeks ago I was in Paris for Devoxx France 2016, where I presented what’s new in the upcoming Eclipse release (aka Neon, to be released in June). During the talk, I was asked whether Eclipse will eventually cancel a background task (a job in Eclipse terminology) when asked to. Who has never fumed at a progress bar stating that cancellation has been requested while the task still does not finish quickly?
The Eclipse Foundation recently received financial support from the OpenSSF’s Alpha-Omega project. We are thrilled to be able to help our projects improve the security of their Software Supply Chain. We have a number of initiatives that are being started, but today we will focus on the 1026 git repositories of the 254 Eclipse Projects hosted at GitHub, spread among 50 different organizations.