惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
罗磊的独立博客
H
Help Net Security
I
Intezer
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Troy Hunt's Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
J
Java Code Geeks
S
Security Affairs
T
The Blog of Author Tim Ferriss
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
The GitHub Blog
The GitHub Blog
F
Full Disclosure
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
腾讯CDC
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
Blog — PlanetScale
Blog — PlanetScale
T
Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
L
LINUX DO - 最新话题
Google Online Security Blog
Google Online Security Blog
S
Schneier on Security
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
P
Proofpoint News Feed
Project Zero
Project Zero
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 叶小钗

Adoptium Blog

Eclipse Temurin 8u492, 11.0.31, 17.0.19, 21.0.11, 25.0.3 and 26.0.1 Available Exploring Packaging Changes to Temurin JDK on AIX, Linux ppc64le and Linux s390x Eclipse Temurin 26 Available Celebrating Technical Achievements: 2025 Q4 Engineering milestones and community contributions Eclipse Temurin 8u482, 11.0.30, 17.0.18, 21.0.10 and 25.0.2 Available Adoptium's Plan to End Support for Solaris and Windows 32-bit Platforms Eclipse Temurin 8u472, 11.0.29, 17.0.17, 21.0.9 and 25.0.1 Available Eclipse Temurin 25 Available Eclipse Temurin JDK 24 enables JEP 493 Eclipse Temurin 8u462, 11.0.28, 17.0.16, 21.0.8 and 24.0.2 Available AQAvit in 2025 Eclipse Temurin 8u452, 11.0.27, 17.0.15, 21.0.7 and 24.0.1 Available Eclipse Temurin 24 Available Eclipse Temurin 8u442, 11.0.26, 17.0.14, 21.0.6 and 23.0.2 Available Eclipse Temurin 8u432, 11.0.25, 17.0.13, 21.0.5 and 23.0.1 Available Eclipse Temurin 23 Available Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation Eclipse Temurin 8u422, 11.0.24, 17.0.12, 21.0.4 and 22.0.2 Available Important Update: Removal of CentOS 7 Eclipse Temurin Images External audit of Temurin build and distribution processes The Scope of AQAvit Eclipse Temurin 8u412, 11.0.23, 17.0.11, 21.0.3 and 22.0.1 Available Eclipse Temurin 21 and 22 Available on RISC-V Eclipse Temurin 22 Available AQAvit Graduation Ceremony Tagged early access builds for all releases Eclipse Temurin 8u402, 11.0.22, 17.0.10 and 21.0.2 Available SLSA build level 3 compliance on Linux and macOS for Eclipse Temurin Eclipse Temurin 8u392, 11.0.21, 17.0.9 and 21.0.1 Available Reproducible Comparison Builds Eclipse Temurin 21 release delay Eclipse Temurin 11.0.20.1, 17.0.8.1 now available Early access builds for JDK21+ Eclipse Temurin 8u382, 11.0.20, 17.0.8 and 20.0.2 Available Peeling the Big Onion - Stripping out layers of indirection from test frameworks AdoptOpenJDK.jfrog.io has been deprecated! Adoptium Automated Deployment Of Nagios Eclipse Temurin 8u372, 11.0.19, 17.0.7 and 20.0.1 Available Adoptium Infrastructure Management With Nagios Eclipse Temurin 8u362, 11.0.18, 17.0.6 and 19.0.2 Available EMT4J – An Easier Upgrade for Java Applications Secure Software Development Framework (SSDF) at Adoptium A month after EclipseCon - Adoptium Community day summary, and more. Adoptium Welcomes Rivos A Short Exploration of Java Class Pre-Initialization Adoptium Welcomes Google Eclipse Temurin 19 Available Availability of JDK 8u352-b05 Early Access Build A Summary of the July 2022 Retrospectives Eclipse Temurin 8u342, 11.0.16, 17.0.4 and 18.0.2 Available Verifying GPG signatures for Temurin downloads Reproducible Builds at Eclipse Adoptium Eclipse Temurin Linux (RPM/DEB) installer packages Eclipse Temurin JREs are back! Eclipse Temurin 8u312, 11.0.13, and 17.0.1 Available Creating your own runtime using jlink Eclipse Temurin 17 Available Using Jlink in Dockerfiles instead of a JRE Adoptium Celebrates First Release Adoptium to Promote Broad Range of Compatible OpenJDK Builds Eclipse Adoptium Welcomes You
SLSA level 2 compliance for Eclipse Temurin
Stewart X Addison · 2022-11-26 · via Adoptium Blog

Introduction to SLSA

SLSA is a framework with individual levels that software producers can work towards to make their software more secure, and consumers can make decisions based on the software package’s security posture.

What does this mean in practice? Adoptium meets level 1 and 2 of the SLSA v0.1 specification for the production of Eclipse Temurin and the Eclipse Temurin Project page now has a badge to indicate this.

SLSA Level 1

Level 1 means that the build process is full scripted and automated. We are now producing and distributing Software Bill Of Material (SBOM) documents which are shipped alongside our release builds. We have been compliant with level 1 for some time: The level 1 requirements are:

  • Build - scripted build: Our build steps are defined completely by the Jenkins pipelines from the ci-jenkins-pipelines repository and the underlying scripts run on the build machines from the temurin-build repository - starting at make-adopt-build-farm.sh

  • Provenance - available: We create an SBOM in OWASP CycloneDX format along with our releases which contains all of the information about how the builds are produced, which should allow someone to rebuild if required for any reason. This includes the full set of parameters which we use to the makejdk_any_platform.sh script (invoked from make-adopt-build-farm.sh), the source repository tags (scmRef) which was used by the build process to produce the builds, the output from the openjdk configure invocation and various other pieces of information. We are continually evolving the specific details which we include in the SBOM. If you want to join in the discussion on the content, you can find the conversation in temurin-build#3013 or talk to us in the #secure-dev slack channel in the Adoptium workspace.

SLSA Level 2

Level 2 adds in additional requirements to provide some tamper resistance of the build process, including having all of our code version controlled. We achieve this through our use of GitHub for both the OpenJDK product code and the code that runs the build and distribution processes through our Jenkins CI server. The requirements here are:

  • Source - Version controlled. All of our source code is stored in GitHub in the jdkXX repositories such as jdk17u, which we mirror from the openjdk project. These are version controlled and have tags for each release which we build from. Contributors agree to the rules of the Eclipse Contributor Agreement (ECA)

  • Build - Build service. All of the build steps are run using our Jenkins build service (https://ci.adoptium.net) which is used to perform the builds, generate the SBOMs, and build the installers where applicable. The output from the builds are then posted into GitHub release repositories named as temurinXX-binaries (e.g. temurin17-binaries and also exposed via our API and download pages.

  • Provenance - Authenticated. We sign the SBOMs for the latest set of releases to guarantee their authenticity.

  • Provenance - service generated. The GPG signatures for the binary are generated as an integral part of the build process for the binaries and will be done in the same way for the signing of the SBOMs - the current SBOM signing was done retrospectively in our Jenkins instance. The Jenkins instance hosts the private keys from the Eclipse Foundation which are used to perform the signature generation.

Next steps for the project

Are we finished? Absolutely not! We are continuing to work towards achieving the higher levels of SLSA and have already achieved many of the requirements of higher levels. But for now, we are proud to be able to claim full compliance with SLSA level 2.

We are currently tracking forward progress to meeting the higher level requirements at adoptium#160. We already meet some of the requirements of higher levels - in some cases there are differences in the criteria which we meet on different platforms. For example, we have worked to make our build process reproducible and on Linux, Windows and macOS for JDK17 (LTS) and JDK19+ we have created and shipped binary reproducible builds with the exception of some instances where the class data sharing archive is not identical.

We are working towards implementing the other parts of the higher SLSA levels which we do not yet meet. Some of these, such as the Ephemeral environment requirement, may take some time to achieve on all platforms and you can follow the current status in the SLSA tracking issue, or on the SLSA page on our site.