Adoptium® Secure Software Development Practices

The Adoptium project produces high quality Java runtimes for use in mission-critical environments. It is important to the project and our users that the software we deliver is both safe and secure. Adoptium follows a set of fundamental, sound, and secure software development practices based on established secure software development practices that can be verified to establish the integrity of our deliverables.

Secure Development Practices

Our secure development objectives are to:

  • Ensure our community, processes, and technology are designed for secure software development.

  • Protect all components of the process and software from tampering and unauthorized access.

  • Produce well-secured software with minimal security vulnerabilities throughout.

  • Respond appropriately to vulnerabilities and prevent similar vulnerabilities from occurring in the future.

Adoptium meets these secure engineering objectives by adhering to the following practices:

Provenance and Trusted Sources

Adoptium builds source from trusted source repositories, and takes dependencies and tools from trusted locations. The Temurin build project contains the open source programs or "recipes" for building our releases. These build scripts run on virtual machines and operating systems sourced by the project from trusted providers, and use tools such as compilers and installers from trusted locations. The runtime itself is built from source code maintained by OpenJDK and other notable third-party projects with a strong history of governance and oversight to ensure that the resulting binary only contains the code and behavior expected.

Adoptium collects, safeguards, maintains, and shares provenance data for all components of each software release in a software bill of materials. We regularly verify the integrity and check the provenance of each dependency to identify potential problems.

Version Control and Tagging

All the code maintained by Adoptium projects is held in GitHub version controlled repositories under the Adoptium organization and administered by the Eclipse Foundation. Our code is open source and available for scrutiny by the community, but access to change the code is limited to elected and strongly authenticated committers. We use the version control features of the repository to track all changes made to the code with accountability to the individual committer’s account, and require secondary reviews, additional automated checks, and community oversight to ensure that the changes are safe and secure.

Eclipse Temurin releases are built from version controlled sources that are tagged as release quality in OpenJDK, and the resulting binaries are published as tagged releases in our GitHub repository. These release artifacts are made available directly to end users and redistributors via the Adoptium API, website, and repository.

Infrastructure as Code

To ensure that our infrastructure is securely managed we define and provision machines using the principles of Infrastructure as Code (IaC). The majority of Adoptium’s build and test infrastructure runs on virtual machines operated by large cloud service providers. Adoptium defines the requirements and configuration of those machines using IaC definitions that are kept under version control in the Adoptium infrastructure project. This enables the community to check that the details of the infrastructure used to produce Adoptium’s artefacts, and reuse those same definitions to configure machines they trust in order to run the same build and test software as the project.

IaC provides resiliance to configure and implement measures to secure the environments’ hosting infrastructures following a zero trust architecture defining the changes in hardware provisioning, and availability to run our infrastrucutre on different suppliers thereby ensuring we have the ability to cross-check results on a daily basis.

Reproducible Builds

An important part of Adoptium’s secure engineering practice is for community members to be able to verify the builds we produce. This is made possible by having binary verified reproducible builds, meaning that with the same sources, tools, and machine configuration anyone can produce a byte-for-byte identical result. We ensure that our source code, build scripts, and infrastrucure is well-defined and version controlled. We publish information on how to reproduce Adoptium binaries, and encourage others to verify those builds by checking that their build results match given the same inputs and processes.

Adoptium provides Software Bill of Material (SBOM) attestations for the provenance of Eclipse Temurin builds. The SBOM is available alongside each of our Temurin release artifacts.

Testing and Code-signing

Adoptium validates and verifies the Eclipse Temurin releases using an extensive suite of software tests. These tests are maintained by the Adoptium AQAvit project. These tests are designed to ensure the binaries are ready for mission-critical production usage. AQAvit tests check the functional correctness, security position, performance characteristics, and durability of each binary before it is released.

AQAvit tests include both those developed in-house at the project and third-party test suites and applications to ensure that the binary behaves as expected. Quality assurance is staged throughout the release process, with nightly testing of development work to ensure that anomalies are quickly identified and addressed in addition to rigorous release testing.

Java specification compliance tests and AQAvit quality assurance tests must pass before an Eclipse Temurin binary is ready for release. Only when all the release tests have been completed is the binary published, together with the supporting metadata and software bill of materials. Adoptium provides a cryptographically secure code signature that ensures the release binary is uniquely identifiable as being the official Adoptium release.

Audits and Verification

All aspects of an Adoptium release are conducted in the open, beyond the Java compatibility testing using the Oracle Technology Compatibility Kit (TCK). The TCK is not open code and our licence with Oracle does not allow for the compatibility testing to be conducted in public. However, the AQAvit testing is all open source code and the results are made available for public scrutiny. The source code is kept in open source repositories, and the tools used are described in our infrastructure files. We welcome audits and verification of the build, test, and publish activities of the project.

Temurin release binaries all have a corresponding cryptographic hash available to end users via the API, website, and Github release repository. Binaires are signed with the Eclipse code signing certificate that is issued by an established certificate authority so that our users' operating systems or other tools and services can confirm the validity of signatures before use.

Adoptium takes all security vulnerabilities seriously, and adheres to the Eclipse Foundation Vulnerability Reporting Policy. Notification of potential or actual vulnerabilities in the products or secure software development practices must follow that reporting policy.


Contributors

  • tellison
  •  gdams
Help us make these docs great!
All Adoptium docs are open source. See something that's wrong or unclear?
Edit this page