Platform and Equinox
Views, Dialogs and Toolbar
Text Editors
Onboarding information in editor area
The editor area now shows the most important and useful commands and their key bindings when no editor is open.
The information shown depends on the selected perspective.
Preferences
Themes and Styling
Security
CVE-2021-41033: Enforce https protocol
To address CVE-2021-41033,
all access to external update sites and their artifacts is forced to use https, even when http is specified.
The following system properties can be used to affect this behavior:
Adding the line These rules can be specified as configuration-scoped preferences available via the Authorities tab of the Install/Update → Trust preferences:
The default preference value of each rule is determined by the corresponding system property.
CVE-2021-41037: Track trusted hosts
To address CVE-2021-41037,
all access to external update sites and their artifacts during installation and updates is tracked and reported so that you are made aware of the source of the content being installed and can decide whether to trust content from that source.
This provides a level of security in addition to the signing of artifacts.
Simply installing content, even without actually installing any associated artifacts, can in general reconfigure the installation, and that could potentially be used for malicious purposes.
Also, the fact that an artifact is signed does not imply that the artifact is trustworthy.
It is important to take into account the source of installed content before installing that content.
When installing new content as well as when installing updates, the following Trust Authorities dialog is displayed showing the sites that have been contacted, details about those sites, and details about the specific content being installed from each site:
All content must originate from sites explicitly accepted as trusted before installation proceeds and before library artifacts are downloaded. The trusted authorities can be remembered in the preferences to avoid being prompted repeatedly for authorities that have already been considered as trusted. Those recorded preferences are available for review and modification via the Authorities tab of the Install/Update → Trust preferences:
The system property |
PGP Key Revocation Handling
In the event that a PGP key is compromised, the key may be revoked.
Artifacts signed before the revocation date are generally still valid,
but an attacker can create back-dated signatures.
Therefore, any artifact signed with a revoked key,
and any internal exception that occurs while processing the revocation information of the key,
will result in that artifact being treated as a suspicious artifact,
leading to a Trust Artifacts prompt:
You may still choose to install such content, but you will be reminded of the risk:
You should consider very carefully the source of the content as tracked for your review before taking this risk.
Untrusted Artifact Handling
As an extra security precaution, the handling of Cancel for the Trust Artifacts dialog has been modified:
In particular, if you choose to reject the content, i.e., if you press Cancel or close the dialog, any of the prompted artifacts that have been downloaded during the current install or update operation will be removed from disk to avoid caching of untrusted artifacts.
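
The revoked-key rule and the Cancel cleanup rule described above, as an added Java sketch of the fail-closed logic. This is not Eclipse p2 code: every type, method name, fingerprint and date in it is hypothetical or constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Instant;
import java.util.List;
import java.util.Optional;

// Added illustration. Every type and method name here is hypothetical, not Eclipse p2 API.
public class TrustArtifactsSketch {
    // Hypothetical source of revocation data for a signing key.
    interface RevocationSource {
        Optional<Instant> revokedAt(String keyFingerprint) throws Exception;
    }

    // Fail closed: a revoked key, or any error while reading its revocation data,
    // marks the artifact as suspicious. The signature's creation time is ignored
    // on purpose: the signer writes it, so whoever holds the key can back-date it.
    static boolean isSuspicious(String keyFingerprint, Instant claimedSignatureTime,
                                RevocationSource source) {
        try {
            return source.revokedAt(keyFingerprint).isPresent();
        } catch (Exception e) {
            return true;
        }
    }

    // Rejecting the prompt deletes the prompted artifacts downloaded in this operation.
    static void onPromptClosed(boolean accepted, List<Path> promptedDownloads) throws IOException {
        if (!accepted) {
            for (Path artifact : promptedDownloads) {
                Files.deleteIfExists(artifact);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: fingerprints and dates are made up.
        Instant revocation = Instant.parse("2023-06-01T00:00:00Z");
        Instant backDated = Instant.parse("2023-01-01T00:00:00Z"); // earlier than the revocation
        RevocationSource keyring = fp -> Optional.ofNullable(fp.equals("REVOKED-KEY") ? revocation : null);
        RevocationSource corrupt = fp -> { throw new IOException("unreadable revocation data"); };
        System.out.println("valid key suspicious:    " + isSuspicious("GOOD-KEY", backDated, keyring));
        System.out.println("revoked key suspicious:  " + isSuspicious("REVOKED-KEY", backDated, keyring));
        System.out.println("lookup error suspicious: " + isSuspicious("GOOD-KEY", backDated, corrupt));
        Path cached = Files.createTempFile("artifact-", ".jar");
        onPromptClosed(false, List.of(cached)); // the user pressed Cancel
        System.out.println("artifact still cached:   " + Files.exists(cached));
    }
}
```
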
General Updates
Launch/Debug context menus directly show relevant launch configurations
In the "Run As/Debug As" context menus, shortcuts that can resolve directly to one or more
launch configurations (i.e., shortcuts that implement ILaunchShortcut2) are replaced directly by
the resolved launch configurations.
This makes it clearer which launch configuration will be used for the Run or Debug session, so it is easier to identify afterwards if you intend to tweak it. It is also useful if you have set up multiple launch configurations of the same type for the project and often want to run different ones, for example for A/B testing or for distinct build actions.
Logging API SLF4J version 2
The Eclipse Platform now ships with slf4j.api version 2 by default.
Even in version 2, backward compatibility of the package org.slf4j (but only of that package) has not been broken, and slf4j.api exports the package org.slf4j in versions 1 and 2.
Therefore, plug-ins that only import and use the package org.slf4j in version 1 do not need to be changed.
Besides breaking changes in the other |