Eclipse Plunges into OSS Supply Chain Security
The Eclipse Foundation will be getting more hands-on in helping to secure the open source software supply chain after accepting a contribution from the Open Source Security Foundation (OpenSSF) this week.
OpenSSF’s Alpha-Omega Project has committed $400,000 to the Eclipse Foundation to fund additional staff and resources to implement many of the ideas in the Eclipse Foundation’s Open Source Software Supply Chain Best Practices document, said Brian Behlendorf, general manager of the Linux Foundation’s OpenSSF in a blog post co-authored by Michael Scovetta, principal security program manager at Microsoft, and Michael Winser, group product manager for software supply chain security and CI/CD at Google.
“The funding from the OpenSSF Alpha-Omega project will allow the Eclipse Foundation to start to dedicate full-time staff to the security topic, perform targeted security audits for a couple of our high-profile projects and roll out programs to help our community,” Mike Milinkovich, executive director of the Eclipse Foundation, told The New Stack. “Security is a huge topic that spans a wide range of technologies and processes for an open source community as large as the Eclipse Foundation’s. Our ultimate goal is to provide our projects with enhanced tools, processes and training to improve security across the board.”
The new Eclipse team will work under the leadership of Mikael Barbero, the foundation’s head of security.
Some of the ways Eclipse plans to use the funding include:
- Automate the generation of static source-based software bills of materials (SBOMs) for all Eclipse Foundation project repositories.
- Implement a supply-chain Levels for Software Artifacts (SLSA)-based project badging program for Eclipse Foundation projects.
- Initiate a number of security audits for high-profile Eclipse Foundation projects.
The OpenSSF support recognizes the importance of many of the Eclipse Foundation’s projects to the industry and the broader open source ecosystem. Projects such as the Eclipse IDE, Eclipse Jetty, Eclipse Temurin and Eclipse Mosquitto are widely adopted and are key pieces of infrastructure for many enterprises and industrial organizations.
“With our professional staff and mature processes, the Eclipse Foundation has the skills and capacity to ensure that this funding is used to improve supply chain security for the benefit of our committers, projects, members, users and adopters,” Milinkovich said.
In addition to its contribution to Eclipse, OpenSSF’s Alpha-Omega Project also committed $400,000 to the Python Software Foundation (PSF) to create a new role to provide security expertise for Python, the Python Package Index (PyPI), and the rest of the Python ecosystem, as well as funding a security audit.
“This investment will enable the PSF to formalize existing security practices and to make more proactive security improvements,” Behlendorf said in the post. “The new role will be responsible for identifying and addressing security issues across PSF projects such as CPython and PyPI, and applying full-time knowledge and expertise along with volunteers to implement key improvements in a timely manner.”
Launched With $5 Million
OpenSSF launched its Alpha-Omega Project in February to improve the security of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google supported the project with an initial investment of $5 million.
Speaking with The New Stack at the launch of the Alpha-Omega Project, Behlendorf said the effort would improve global OSS supply chain security by systematically looking for new, as-yet-undiscovered vulnerabilities in open source code, then working with project maintainers to get them fixed. “Alpha” works with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring and remediation guidance to their open source maintainer communities, he said.
Omega is about applying more automation to looking for critical vulnerabilities, Scovetta said. “It’s about finding more vulnerabilities and fixing more vulnerabilities across the spectrum,” he said.
“Bringing money to the table right now, we think is one of the most important things we can do to directly find shovel-ready work and apply people to those shovels to get things done,” Winser said.