Bug 369002

Summary: Isolate CBI platform build from uncontrolled software sources
Product: [Technology] CBI
Component: prototype
Reporter: Andrea Ross <andrea.ross>
Assignee: CBI Dummy user <cbi.prototype-inbox>
Status: CLOSED MOVED
QA Contact:
Severity: normal
Priority: P2
CC: andrea.ross, denis.roy, gunnar, mikael.barbero, milesparker, pwebster
Version: 2.0
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on:
Bug Blocks: 376112

Description Andrea Ross CLA 2012-01-18 14:31:25 EST
The CBI build for the Eclipse platform downloads software from places like oss.sonatype.org.

To comply with Eclipse Foundation IP policies and to ensure we can build the software far into the future as part of the long term support program, builds should pull from Foundation controlled sources like orbit, downloads.eclipse.org, maven.eclipse.org, and so forth.

This ticket tracks discussion and work for the Eclipse platform. Some of the work will be reusable for other projects.
Comment 1 Andrea Ross CLA 2012-02-10 15:00:07 EST
Upping the priority on this ticket.
Comment 2 Andrea Ross CLA 2012-04-11 16:16:31 EDT
Using the Eclipse platform for reference, the build currently pulls from the following:

1) Maven & Tycho plugins: 195 components
2) Prereqs from downloads.eclipse.org: 179 components, mostly EMF, ECF, AJDT, Orbit
Comment 3 Krzysztof Daniel CLA 2012-06-21 02:31:10 EDT
You may be interested in how Fedora solved that problem: https://bugzilla.redhat.com/show_bug.cgi?id=809575
Comment 4 Mikaël Barbero CLA 2022-01-13 12:48:21 EST
While this resonates very much with recent awareness of supply chain security issues, I doubt we will implement anything specific to Eclipse Platform or Eclipse projects.

Let's rather provide best practices around SBOM generation and how to use it to analyze dependencies' provenance. See https://github.com/eclipse-cbi/best-practices/issues/1