Life at Eclipse

Musings on the Eclipse Foundation, the community and the ecosystem

The Open Source Community is Building Cybersecurity Processes for CRA Compliance

tl;dr – Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development based on existing open source best practices.

In an effort to meet the real challenges of cybersecurity in the open source ecosystem, and to demonstrate full cooperation with, and to support the implementation of, the European Union’s Cyber Resilience Act (CRA), Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are announcing an initiative to establish common specifications for secure software development based on open source best practices.

This collaborative effort will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process and a new working group. As Europe’s largest open source foundation, which also supports a robust open specification process, the Eclipse Foundation is a natural home for this effort. Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well. The starting point for this highly technical standardisation effort will be today’s existing security policies and procedures of the respective open source foundations, and similar documents describing best practices. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence. 

The reasons for this collaboration extend beyond compliance. In an era where software, particularly open source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily increased. New regulations, exemplified by the impending CRA, underscore the urgency for secure by design and robust supply chain security standards well before the new regulation comes into force in 2027.

While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation. The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.

The CRA will lead to numerous standards requests from the Commission to the European Standards Organisations. And these are only the European requirements – additional demands from the US and other regions can be anticipated.

The CRA also creates a new type of economic actor – the “Open Source Software Steward”. It is in this context that we, as open source foundations, want to respond to the challenge of establishing common specifications for secure software development.

This challenge is compounded by the following:

  • Today’s global software infrastructure is over 80% open source. The software stack that underpins any product with digital elements is typically built using open source software. As a result, it is fair to say that when we discuss the “software supply chain,” we are primarily, but not exclusively, referring to open source. 
  • Traditional standards organisations have had limited interactions with open source communities and the broader software/IT industry. To make matters more complicated, their governance models currently do not provide opportunities for open source communities to engage. 
  • Open source communities have a limited history of dealing with traditional standards organisations. To make matters more complicated, their resource constraints make it difficult for them to engage.
  • Standards setting is typically a long process, and time is of the essence. 

So while these new cybersecurity standards must be developed with the requirements of open source development processes and communities in mind, there is no clear path on how to do so in the time available. It is equally important that these standards also address the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises.

Despite these challenges, a foundation for progress exists. The leading open source communities and foundations have for years developed and practised secure software development processes. These are processes that have often defined or set industry best practices around things such as coordinated disclosure, peer review, and release processes. These processes have been documented by each of these communities, albeit sometimes using different terminology and approaches. We hypothesise that the cybersecurity process technical documentation that already exists amongst the open source communities can provide a useful starting point for developing the cybersecurity processes required for regulatory compliance.

We hope that our specifications could inform the formal standardisation processes of at least one of the European Standards Organisations. Given the tight time horizon for implementation of the CRA, we believe that this immediate start will provide a constructive environment to host the technical discussions necessary for the stewards, contributors, and adopters of open source to meet the requirements set forth in these new regulations. 

We invite you to join our collaborative effort to create specifications for secure open source development: Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges. To stay updated on this initiative, sign up for our mailing list.

Written by Mike Milinkovich

April 2, 2024 at 3:00 am

Eclipse and OpenAtom: Pioneering Open Source Innovation

We’re thrilled to share that the Eclipse Foundation has signed a collaboration agreement with the OpenAtom Foundation, China’s first open source foundation. Together, we will be driving the development of Oniro, an open source project that builds upon the versatile OpenHarmony operating system. Our aim is to create a modular and globally compatible operating system platform and ecosystem, catering to a wide spectrum of smart devices.

Oniro is more than an open source project. To our knowledge, this marks the first instance of two open source foundations engaging in such detailed technical collaboration – a significant step towards cultivating a global ecosystem for open intelligent devices. The collaborative approach not only ensures a competitive landscape, but also opens doors for participation by organisations worldwide, affirming the far-reaching impact of open source on technical innovation.

OpenHarmony: A Robust Platform

OpenHarmony offers robust support for a wide array of smart devices, demonstrating both scalability and adaptability. Designed for scalable management of distributed systems, OpenHarmony is a flexible platform capable of accommodating IoT solutions of varying scale.

In recent years, OpenHarmony has made some noteworthy advancements. It’s been certified in over 200 devices and now supports more than 40 development boards. With a vibrant community of over 6,200 contributors and over 16 million lines of code, it has fostered 42 distributions and played a pivotal role in launching over 200 devices.

Oniro: Tailoring OpenHarmony for Western Markets

The goal of the Oniro Project is to elevate the OpenHarmony platform by developing a suite of Western market-focused modifications and add-ons, while preserving compatibility with the core platform. This dynamic collaboration encompasses advancements in application frameworks, system-level components, software development tools, and a toolchain ensuring adherence to regulatory compliance, intellectual property compliance, and licensing.

As per Statista’s 2023 forecast, the worldwide count of connected devices is anticipated to nearly double by 2030, reaching 29.42 billion IoT devices. Oniro is well positioned to participate in this growth through strong execution of the three fundamental principles on which the project is built: seamless interoperability, modularisation, and a visually appealing user interface. These principles not only embody the core mission of Oniro, but also position it as the go-to option for a broad range of applications, including consumer electronics, home appliances, industrial IoT devices, smart home devices, and multimedia devices.

Join the Innovation Journey

As OpenHarmony and Oniro join forces, exciting times are ahead. We invite you to be part of this journey, contribute your ideas, and participate in the magic that unfolds when open source organisations collaborate. Stay tuned for more updates as we collectively build a future where innovation knows no bounds!

Written by Mike Milinkovich

January 30, 2024 at 7:55 am

Posted in Foundation

Good News on the Cyber Resilience Act

As the title says, there is good news to share on the progress of the European Union’s proposed Cyber Resilience Act (“CRA”) as the final revisions agreed to in the trilogue negotiations appear to largely exclude the open source community from its scope.

I have written (here and here) and spoken extensively about our concerns with the European Union’s proposed Cyber Resilience Act (“CRA”) in the past. As originally drafted, the CRA would have had an enormous negative impact on both the open source community and the EU’s innovation economy. In short, it would have required most open source projects (and every open source project that matters) made available in Europe to meet unrealistic regulatory requirements related to their secure software development and maintenance. OSS projects would have also been required to affix the CE Mark on their releases certifying that these regulatory requirements had been met, which additionally would have required outside audits performed for critical infrastructure projects such as operating systems. You can read the links above if you want to get a full understanding of the dire implications of the original draft of the CRA.

While the Eclipse Foundation has always shared the goals of the CRA to improve the state of security in the software industry, we have been very vocal in expressing our concerns with how unrealistic requirements could damage the open source community and Europe’s innovation economy. We have been very active in raising community awareness of the issues over the past year. For example, we helped facilitate two open letters co-signed with many of our peer organizations detailing the issues (here and here). 

But we also invested a great deal of time and energy in constructively engaging with policymakers by providing explanations of the functioning of our ecosystems and technologies. The European Commission, the European Parliament, the Council through the Spanish Presidency, as well as numerous policy makers at the national level have all been open to our contributions and recognise our efforts to protect European open innovation. I would like to thank my colleagues Gesine Freund, Enzo Ribagnac, Mikaël Barbero, and Gaël Blondelle for their many contributions to this process. 

We were not alone in these efforts. An assuredly incomplete list of other open source organizations that contributed to raising awareness includes: Apache Software Foundation, Internet Society, Free Software Foundation Europe, Linux Foundation, Mozilla Foundation, NLNet Labs, Open Source Initiative, Python Software Foundation, The Document Foundation, and many others. OpenForum Europe played a pivotal role in facilitating communication between these groups, and Ciarán O’Riordan at the OFE deserves recognition for his yeoman’s effort in coordinating the community’s input throughout the discussions on the CRA. 

On December 1st it was announced that the EU co-legislators had reached political agreement on the CRA. Although the final text is still being worked on, we are happy to report the open source community has been listened to. The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms. It also creates a new form of economic actor, the “open source steward,” which acknowledges the role played by foundations and platforms in the open source ecosystem. This is the first time this has appeared in a regulation, and it will be interesting to see how this evolves. The Eclipse Foundation will be investing a great deal of effort into helping refine this concept and its implementation to ensure it aligns with the norms of the open source community. The final revisions also extended the implementation phase to three years, which means full compliance with the CRA will likely start in early 2027. OpenForum Europe’s recent press release on the CRA is certainly worth a read for additional context. 

It is important to recognize and thank the many people that were involved in achieving this significantly better outcome. Both those who were involved from the side of the co-legislators who genuinely listened and made extensive improvements, and the many people from the open source community who invested their time and energy into explaining the unique requirements of the open source community. 

But this journey is only beginning. 

It is important to note that while the CRA has been revised to largely exclude the open source community from its scope, this legislation will still have an enormous impact on the software industry as a whole. 

Open source projects will not be required to directly implement the mandated processes described in the CRA. But every commercial product made available in the EU which is built on top of those open source projects will. For the first time in the software industry’s history, it will soon have regulatory requirements for secure software development and maintenance. I predict this will put pressure on projects and communities to enhance their processes to assist in downstream commercialization. 

After all, if a project is used in hundreds of products, doing the bulk of the CE Mark conformance work in the project rather than repeating the effort hundreds of times makes enormous sense. But as we all know, OSS projects at the moment simply do not have the resources to do this. It is impossible to know how all of this will play out, but an optimistic hypothesis is that once companies are required by law to meet secure software development practices they will be incented to invest in the upstream projects they rely upon. The Eclipse Foundation will be working hard to ensure that we evolve to support the needs of our committers, projects, and members in order to support the implementation of these new regulatory requirements. We will be discussing this early in the new year. 

Interesting times!

Written by Mike Milinkovich

December 19, 2023 at 4:01 am

Posted in Foundation

Celebrating Eclipse Theia’s Milestone: Full Compatibility with VS Code Extension API

We are thrilled to announce a landmark achievement in the evolution of Theia: full compatibility with the Visual Studio Code (VS Code) extension API, marking a significant milestone in the journey of Theia towards becoming a universally adaptable development environment.

Unleashing a World of Features with VS Code Extensions

Theia has supported hosting VS Code extensions for many years. The integration of the VS Code extension API unlocked an unprecedented array of features for Theia-based applications. This compatibility means that users can leverage the extensive ecosystem of VS Code extensions, bringing thousands of new capabilities to Theia. With the completion of a recent initiative, Theia now is fully compatible with the VS Code API allowing the vast majority of VS Code extensions to be used in any Theia-based application. Of particular note is the recent addition of support for notebook editors, a game-changer that opens Theia to new audiences, such as data scientists, who rely heavily on notebook interfaces for languages like Python.

A Symphony of Collaboration

This achievement is not just a technical milestone; it is a testament to the power of collaborative open-source development. The original VS Code API compatibility implementation was contributed by Red Hat. The journey to full compatibility, initiated by STMicroelectronics and crafted through the concerted efforts of EclipseSource, Ericsson, Typefox, and other contributors, has been one of shared vision and united effort. STMicroelectronics and EclipseSource played a pivotal role in establishing an open, structured process for regular API comparison and issue tracking. This approach facilitated a broad-based contribution, allowing various organizations to contribute effectively to the project.

Empowering the Developer Community

The compatibility with the VS Code API multiplies Theia’s effectiveness as a development platform. For developers, this means access to the latest and most advanced tools available in the VS Code ecosystem, significantly enhancing both the adopter and user experience with Theia.

Overcoming Challenges through Open Source Collaboration

The journey to this point wasn’t without challenges. Initially, contributions were focused only on specific missing API features needed for particular extensions used by contributors. However, the structured process initiated by STMicroelectronics set a new direction – aiming for complete compatibility. This approach significantly simplified the distribution and parallelization of work. As a result, this process galvanized the open-source community, leading to a surge in contributions and exemplifying the true spirit of collaborative innovation.

Maintaining the Pace: The Future Roadmap

For nearly half a year, Theia has maintained full compatibility with the VS Code extension API. The commitment to this standard is unwavering. With regular scans of new VS Code API updates, contributors ensure that Theia stays in lockstep with the latest advancements, continually integrating new features and capabilities.

Join Us in this Continual Journey

As we celebrate this milestone, we also look to the future. Theia’s journey is ongoing, and the path ahead is as exciting as the accomplishments behind us. We invite the developer community, contributors, and enthusiasts to join us in this vibrant and continually evolving project. Together, we will keep pushing the boundaries of what’s possible in open-source development environments.

Let’s continue to shape the future of software development tools with Theia. Your contributions, feedback, and engagement are not just welcome – they are essential to our shared success.

Here are a couple of links to get you started in your journey with Eclipse Theia:

Written by Mike Milinkovich

December 18, 2023 at 7:09 am

Posted in Foundation, Open Source


Introducing Eclipse ThreadX

TL;DR – Get Engaged!

What We’re Announcing

Every once in a while, a new open source initiative comes along which is truly an industry changing event. Today, Microsoft announced that Azure RTOS, including all of its components, is going to be made available as the Eclipse ThreadX open source project. This new project is exactly what the highly fragmented embedded software market has needed for a very long time. ThreadX is going to be the world’s first open source real time operating system which is:

  1. Mature and scalable technology. ThreadX has been developed for over 20 years, is currently running on over 12 billion devices around the world, and is highly regarded as a high-performance, highly deterministic, real time operating system.
  2. Made available under a permissive open source license. ThreadX is going to be licensed under the MIT license, which provides highly permissive license terms for users and adopters.
  3. Governed under a vendor-neutral open source foundation. ThreadX is going to be governed by the Eclipse Foundation and its development process. This will guarantee a vendor-neutral governance model to manage the evolution and sustainability of ThreadX for the benefit of the entire industry.

    AND
  4. Certified for functional safety and security. ThreadX is IEC 61508, IEC 62304, ISO 26262, and EN 50128 conformance certified by SGS-TÜV Saar. ThreadX has also achieved EAL4+ Common Criteria security certification. These certifications are a major differentiator and are unprecedented for an open source RTOS: no other open source RTOS currently holds them.

While there are other open source RTOS’s out there, none have all of the four attributes listed above. We are optimistic that, because of these attributes, ThreadX is going to rapidly expand its adoption in a wide range of use cases including aerospace, automotive, IoT, medical, transportation, automation, and consumer wearables. 

Next Steps

In addition to the project, we are also announcing the creation of an interest group focused on developing an industry-supported, sustainable funding model for ThreadX. We are excited that AMD, Cypherbridge, Microsoft, NXP, PX5, Renesas, ST Microelectronics, Silicon Labs, and Witekio (an Avnet company) have all committed to supporting this conversation. We highly encourage every company with an interest in embedded technology to join to help create the future. 

The ThreadX interest group’s sole focus will be on establishing a working group focused on the following:

  1. Consolidate the project: There is going to be a great deal of focus on getting ThreadX moved under Eclipse Foundation governance as quickly as possible. This will involve transferring and re-licensing the code and documentation, and assigning the trademarks over the next few weeks. In parallel, we are looking for developers who have experience with the ThreadX code base to get involved as key resources from Cypherbridge, PX5, and Witekio have already done. The intent is to have the first release of ThreadX under Eclipse Foundation governance completed by the end of January 2024.
  2. Preserve the certifications: As I mentioned above, the safety and security certifications are a key differentiator for ThreadX. Maintaining those certifications while under open source governance is going to be a key factor in the evolution of ThreadX as an open source project. Fortunately, the Eclipse Foundation has been thinking about and staffing for this capability for a long time, as our IoT and Software Defined Vehicle communities have similar requirements. Our intent is to develop best practices for the ThreadX community and, if required, modify and enhance the Eclipse Foundation Development Process to support the additional process requirements necessary for safety and security. Such certifications apply to specific evaluated versions and configurations, so downstream adopters will still need to certify their own products; the documentation which will enable them to do so will be made available under open licences. This will significantly shorten the development and certification cycle for safety-certified products based on Eclipse ThreadX.
  3. Build the community: ThreadX represents an amazing opportunity to build an open source embedded software developer community. There will be a great deal of focus on nurturing new contributions, driving adoption via developer advocacy, and creating cross-pollination with our other communities within the Eclipse Foundation such as IoT and SDV, all while preserving the processes required for the certifications which differentiate ThreadX.
  4. Promote the brand: Returning to the original ThreadX name is purposefully intended to assure the many current adopters of this technology that this is and will remain the RTOS that they trust for their products. The new mission will be to associate the ThreadX brand with vendor-neutral governance, communicate clear market positioning, and establish compatibility programs that will provide value to current and future adopters.
  5. Grow the ecosystem: With over 10 billion devices deployed using ThreadX, it is clear that this is an important and mature technology. To ensure a sustainable future for ThreadX we need to obtain the support, participation, and contributions of all ecosystem participants: silicon/SBC manufacturers, embedded system integrators, and tool vendors. We highly encourage every company with an interest in embedded technology to join the interest group to help define and secure the future of ThreadX.

Eclipse ThreadX presents the industry with a game-changing opportunity. Having a performant, mature, safety and security certified, permissively-licensed, open source RTOS under vendor-neutral governance will enable new business and product opportunities around the world. We are very excited to work with the community to make ThreadX a huge success.

Written by Mike Milinkovich

November 21, 2023 at 11:00 am