Bug 369002 - Isolate CBI platform build from uncontrolled software sources
Summary: Isolate CBI platform build from uncontrolled software sources
Status: CLOSED MOVED
Alias: None
Product: CBI
Classification: Technology
Component: prototype
Version: 2.0
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: CBI Dummy user
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 376112
Reported: 2012-01-18 14:31 EST by Andrea Ross
Modified: 2022-01-13 12:48 EST
CC: 6 users

See Also:
Description Andrea Ross 2012-01-18 14:31:25 EST
The CBI build for the Eclipse platform downloads software from places like oss.sonatype.org.

To comply with Eclipse Foundation IP policies and to ensure we can build the software far into the future as part of the long-term support program, builds should pull from Foundation-controlled sources like Orbit, downloads.eclipse.org, maven.eclipse.org, and so forth.

This ticket tracks discussion and work for the Eclipse platform. Some of the work will be reusable for other projects.
Comment 1 Andrea Ross 2012-02-10 15:00:07 EST
Upping the priority on this ticket.
Comment 2 Andrea Ross 2012-04-11 16:16:31 EDT
Using the Eclipse platform for reference, the build currently pulls from the following:

1) Maven & Tycho plugins: 195 components
2) prereqs from downloads.eclipse.org: 179 - mostly EMF, ECF, AJDT, Orbit
Comment 3 Krzysztof Daniel 2012-06-21 02:31:10 EDT
You may be interested in how Fedora solved that problem: https://bugzilla.redhat.com/show_bug.cgi?id=809575
Comment 4 Mikaël Barbero 2022-01-13 12:48:21 EST
While this resonates very much with recent awareness of supply chain security issues, I doubt we will implement anything specific to Eclipse Platform or Eclipse projects.

Let's rather provide best practices around SBOM generation and how to use it to analyze dependencies' provenance. See https://github.com/eclipse-cbi/best-practices/issues/1
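The provenance check described in the comments (pull only from Foundation-controlled sources; use an SBOM to see where each dependency actually came from), as an added example that is not part of this bug or of the CBI project's tooling. It reads a CycloneDX-style SBOM, takes each component's recorded download origin from either a `distribution` external reference or the `repository_url` purl qualifier, and sorts components into controlled, uncontrolled and unknown-origin buckets. The SBOM, component coordinates and the "lookalike" host are constructed for illustration; the allowlist uses the two hosts named in the bug description and is an assumption, not an official list.

```python
"""Audit an SBOM's dependency provenance against an allowlist of build-controlled hosts."""
import json
from urllib.parse import parse_qs, urlparse

# Assumed allowlist: the two Foundation hosts named in the bug description.
# A real deployment would take this list from the build's configuration.
CONTROLLED_HOSTS = ("downloads.eclipse.org", "maven.eclipse.org")

# Constructed CycloneDX-style SBOM for illustration; coordinates, versions and
# URLs are made up and do not come from a real Eclipse platform build.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {   # origin recorded in the purl qualifier (percent-encoded), controlled host
            "type": "library", "group": "org.eclipse.emf", "name": "org.eclipse.emf.ecore",
            "version": "2.28.0",
            "purl": "pkg:maven/org.eclipse.emf/org.eclipse.emf.ecore@2.28.0"
                    "?repository_url=https%3A%2F%2Fdownloads.eclipse.org%2Fmodeling%2Femf",
        },
        {   # origin recorded as a distribution reference, third-party host
            "type": "library", "group": "org.apache.commons", "name": "commons-lang3",
            "version": "3.12.0",
            "externalReferences": [{"type": "distribution",
                                    "url": "https://oss.sonatype.org/content/repositories/releases/"}],
        },
        {   # no origin recorded at all
            "type": "library", "group": "com.example", "name": "widget", "version": "1.0",
        },
        {   # lookalike host: must not satisfy a suffix match on the allowlist
            "type": "library", "group": "com.example", "name": "lookalike", "version": "1.0",
            "externalReferences": [{"type": "distribution",
                                    "url": "https://downloads.eclipse.org.example.net/x/"}],
        },
    ],
})


def coordinate(component):
    """Human-readable group:name:version (group is optional in CycloneDX)."""
    name_version = f"{component['name']}:{component.get('version', '?')}"
    group = component.get("group")
    return f"{group}:{name_version}" if group else name_version


def origin_url(component):
    """Return the download origin the SBOM records for a component, or None.

    Looks first at a 'distribution' external reference, then at the
    'repository_url' qualifier of the purl (qualifier values are percent-encoded,
    which parse_qs decodes). Anything not positively recorded is reported as None.
    """
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "distribution" and ref.get("url"):
            return ref["url"]
    purl = component.get("purl", "")
    if "?" in purl:
        qualifiers = parse_qs(purl.split("?", 1)[1])
        if qualifiers.get("repository_url"):
            return qualifiers["repository_url"][0]
    return None


def is_controlled(url, allowed_hosts=CONTROLLED_HOSTS):
    """True only for https URLs whose host is an allowlisted host or a subdomain of one.

    The scheme check rejects plaintext http even on an allowlisted host, and the
    host comparison anchors on a dot boundary so 'downloads.eclipse.org.example.net'
    cannot pass as 'downloads.eclipse.org'. Fail closed on anything unparseable.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_sbom(sbom_json, allowed_hosts=CONTROLLED_HOSTS):
    """Sort SBOM components into controlled / uncontrolled / unknown-origin buckets."""
    sbom = json.loads(sbom_json)
    report = {"controlled": [], "uncontrolled": [], "unknown": []}
    for comp in sbom.get("components", []):
        url = origin_url(comp)
        if url is None:
            report["unknown"].append(coordinate(comp))
        elif is_controlled(url, allowed_hosts):
            report["controlled"].append(coordinate(comp))
        else:
            report["uncontrolled"].append((coordinate(comp), url))
    return report


if __name__ == "__main__":
    result = audit_sbom(SAMPLE_SBOM_JSON)
    for bucket in ("uncontrolled", "unknown", "controlled"):
        print(f"{bucket}: {result[bucket]}")
```

Treating a missing origin as its own bucket rather than folding it into "controlled" is the point of the unknown list: an SBOM that simply does not say where a component came from gives no provenance assurance, and a build that is supposed to be isolated should fail on such entries until the generator is configured to record them.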