We have established the Eclipse Foundation Common Security Infrastructure (Eclipse CSI) project. This initiative is dedicated to the maintenance and development of cybersecurity and supply chain management software tools, alongside best practices that benefit numerous Eclipse Foundation projects and other open source projects.
Eclipse CSI will serve as the new repository for the OtterDog project, in addition to housing the resources for the SDLC Security Levels and the Security Handbook for Eclipse Foundation Projects.
The project's codebase is accessible on GitHub within the following organization: https://github.com/eclipse-csi.
The tally of Eclipse Foundation projects incorporating OtterDog has reached 80, marking an increase of 20 since early December.
Following the inception of the Eclipse CSI project, OtterDog's codebase has been transferred from https://gitlab.eclipse.org/eclipsefdn/security/otterdog to https://github.com/eclipse-csi/otterdog.
The release of version 0.4.0 signifies the initial support for running OtterDog as a GitHub App. This functionality automates the deployment of organization and repository configurations upon merging changes in the OtterDog configuration repository.
A comprehensive log of modifications can be found in the CHANGELOG.
Currently, 92% of our committers have activated 2FA on GitHub, with 64% of organizations achieving full member compliance. We announced in mid-January our intention to finalize the enforcement of 2FA for all committers on GitHub. This measure ensures that every organization will solely comprise members who have enabled 2FA. A detailed strategy is presented in this ticket: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/477#note_1610474.
For projects hosted on gitlab.eclipse.org, 66% of committers have enabled 2FA. Since December 11, committers are mandated to activate 2FA upon login—if not previously enabled—before proceeding with any further actions.
We celebrated this milestone with a blog post.
The Eclipse Foundation has been acknowledged as an official identity provider for Sigstore’s certificate authority. For Eclipse Foundation projects utilizing a Jenkins instance hosted at https://ci.eclipse.org, this new status as a recognized identity provider streamlines the integration of Sigstore into their builds. Details of this implementation process are shared in our blog post.