惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AI
AI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google DeepMind News
Google DeepMind News
T
Tenable Blog
博客园_首页
S
Securelist
Spread Privacy
Spread Privacy
Google Online Security Blog
Google Online Security Blog
Forbes - Security
Forbes - Security
Engineering at Meta
Engineering at Meta
U
Unit 42
L
LINUX DO - 热门话题
量子位
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
MyScale Blog
MyScale Blog
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
Martin Fowler
Martin Fowler
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Latest
Security Latest
Scott Helme
Scott Helme
V
Vulnerabilities – Threatpost
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
InfoQ
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
T
The Blog of Author Tim Ferriss
aimingoo的专栏
aimingoo的专栏
V2EX - 技术
V2EX - 技术
T
Tailwind CSS Blog
月光博客
月光博客
Recent Announcements
Recent Announcements
G
Google Developers Blog
F
Full Disclosure
W
WeLiveSecurity
宝玉的分享
宝玉的分享
腾讯CDC
G
GRAHAM CLULEY
Vercel News
Vercel News
Simon Willison's Weblog
Simon Willison's Weblog
美团技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Help Net Security
Help Net Security

Adoptium Blog

Eclipse Temurin 8u492, 11.0.31, 17.0.19, 21.0.11, 25.0.3 and 26.0.1 Available Exploring Packaging Changes to Temurin JDK on AIX, Linux ppc64le and Linux s390x Eclipse Temurin 26 Available Celebrating Technical Achievements: 2025 Q4 Engineering milestones and community contributions Eclipse Temurin 8u482, 11.0.30, 17.0.18, 21.0.10 and 25.0.2 Available Adoptium's Plan to End Support for Solaris and Windows 32-bit Platforms Eclipse Temurin 8u472, 11.0.29, 17.0.17, 21.0.9 and 25.0.1 Available Eclipse Temurin 25 Available Eclipse Temurin JDK 24 enables JEP 493 Eclipse Temurin 8u462, 11.0.28, 17.0.16, 21.0.8 and 24.0.2 Available AQAvit in 2025 Eclipse Temurin 8u452, 11.0.27, 17.0.15, 21.0.7 and 24.0.1 Available Eclipse Temurin 24 Available Eclipse Temurin 8u442, 11.0.26, 17.0.14, 21.0.6 and 23.0.2 Available Eclipse Temurin 8u432, 11.0.25, 17.0.13, 21.0.5 and 23.0.1 Available Eclipse Temurin 23 Available Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation Eclipse Temurin 8u422, 11.0.24, 17.0.12, 21.0.4 and 22.0.2 Available Important Update: Removal of CentOS 7 Eclipse Temurin Images External audit of Temurin build and distribution processes The Scope of AQAvit Eclipse Temurin 8u412, 11.0.23, 17.0.11, 21.0.3 and 22.0.1 Available Eclipse Temurin 21 and 22 Available on RISC-V Eclipse Temurin 22 Available AQAvit Graduation Ceremony Tagged early access builds for all releases Eclipse Temurin 8u402, 11.0.22, 17.0.10 and 21.0.2 Available SLSA build level 3 compliance on Linux and macOS for Eclipse Temurin Eclipse Temurin 8u392, 11.0.21, 17.0.9 and 21.0.1 Available Reproducible Comparison Builds Eclipse Temurin 21 release delay Eclipse Temurin 11.0.20.1, 17.0.8.1 now available Early access builds for JDK21+ Eclipse Temurin 8u382, 11.0.20, 17.0.8 and 20.0.2 Available Peeling the Big Onion - Stripping out layers of indirection from test frameworks AdoptOpenJDK.jfrog.io has been deprecated! Adoptium Automated Deployment Of Nagios Eclipse Temurin 8u372, 11.0.19, 17.0.7 and 20.0.1 Available Adoptium Infrastructure Management With Nagios Eclipse Temurin 8u362, 11.0.18, 17.0.6 and 19.0.2 Available EMT4J – An Easier Upgrade for Java Applications SLSA level 2 compliance for Eclipse Temurin A month after EclipseCon - Adoptium Community day summary, and more. Adoptium Welcomes Rivos A Short Exploration of Java Class Pre-Initialization Adoptium Welcomes Google Eclipse Temurin 19 Available Availability of JDK 8u352-b05 Early Access Build A Summary of the July 2022 Retrospectives Eclipse Temurin 8u342, 11.0.16, 17.0.4 and 18.0.2 Available Verifying GPG signatures for Temurin downloads Reproducible Builds at Eclipse Adoptium Eclipse Temurin Linux (RPM/DEB) installer packages Eclipse Temurin JREs are back! Eclipse Temurin 8u312, 11.0.13, and 17.0.1 Available Creating your own runtime using jlink Eclipse Temurin 17 Available Using Jlink in Dockerfiles instead of a JRE Adoptium Celebrates First Release Adoptium to Promote Broad Range of Compatible OpenJDK Builds Eclipse Adoptium Welcomes You
Secure Software Development Framework (SSDF) at Adoptium
Stewart X Addison · 2022-11-28 · via Adoptium Blog

Introduction to the framework

The Secure Software Development Framework (SSDF) is special publication 800-218 from the National Institute of Standards and Technology agency of the US Department of Commerce's Computer Security Resource Center division. It is a set of development practices which can be used to establish secure development processes for your software and was based on development practices from multiple other organisations. Its goal is to reduce vulnerabilities in the software that organisations ship. With President Biden's executive order 14028 from 17th May 2021 being signed in an attempt to improve cybersecurity, the SSDF document also includes mappings to the executive order's bullet points.

Why SSDF and not [insert other framework here]?

There are other models available and if there are others that might have relevant things not covered by SSDF then please let us know so we can evaluate whether it's worth including extra things from them. We found that of the alternative models available such as BSA (which maps to SSDF) and SLSA we found the SSDF publication to be suitably thorough and in many cases is more detailed than the alternatives we had looked at. While we continue this work we are, along with other Eclipse Foundation projects, aiming to comply with the SLSA levels too as we perform this work, and with SSDF and SLSA we have complementary frameworks with both helping to enhance the software development lifecycle security and SLSA specifically allowing us to demonstrate iterative progress via the levels it has. Our recent blog post announcing SLSA level 2 compliance is an example of this.

What are we doing?

As a starting point we have been performing analysis to determine where the Adoptium project, and Eclipse Temurin specifically to start with, is in terms of the points in the specifications. Our process will be:

  1. Determine which items in the specification we believe we already adhere to
  2. Collate the information on each of the SSDF points to clarify where we currently stand relative to what is needed
  3. Determine next steps in order to help us achieve increased compliance with the items we deem most important
  4. Implement actions to get to the best security for the product that we can and increase trust in our deliverables

What have you done so far?

One of the important things in the secure software specification relate to Software Bill Of Materials (SBOMs) and we have started producing SBOMs along with the Temurin builds using CycloneDX as part of our regular build process. While the full content of it is still a work in progress and will be enhanced over time - and you can have your say in this issue - we have a good baseline of data about what has been used to produce each of our builds across all of our platforms. The JSON-formatted SBOMs can be obtained along with the Eclipse Temurin builds.

Additionally, we have been working towards having fully reproducible builds which are binary identical and can be rebuilt by others if desired in order to prove that we have built what we say we have, in the way we said we did. That way, a cautious user could rebuild what we have to verify that it is correct and has not been compromised during the build and distribution process, but take advantage of all of our extensive testing and distribution without having to do that themselves. This video shows how far we have come to enable binary identical builds on Linux, but we have also done similar activities on macOS and Windows platforms too and our JDK19 deliverables at the time of writing are almost completely reproducible when built-in an equivalent environment - the class data sharing archives in lib/server/*.cds are the only files that are not always reproducible. You can read some details of this in our reproducible build blog.

Also, in addition to the SHA checksums which we have been providing for a long time now, we have also recently (July 2022) started adding GPG signatures for our downloads, which can be used to verify that the downloads have not been tampered with since they were produced by our Jenkins pipelines.

In terms of GitHub security we have also recently activated two person reviews on all the critical repositories that are required for the build and release pipelines as well as enforcing 2FA for all committers on the project.

How can I see how things are progressing?

The top level issue that we are using to track the work is https://github.com/adoptium/adoptium/issues/120 and we have lots of sub-tasks for the different sections of the SSDF document.

The major sections of the SSDF document are as follows and we have individual issues covering each of them

What are your next steps?

While the exact steps are always going to be somewhat fluid, these are some of the current planned next steps for the short term:

  • Continue to improve the SBOM detail (build#3013)
  • Improve our security of our code repositories including increasing mandatory reviewers for PRs
  • Improve isolation of build machines from the rest of the Jenkins infrastructure
  • Evaluating the feasibility of building in docker images across remaining Linux platforms (ppc64le and s390x)
  • Various other administrative security controls and logging on our infrastructure.