On Fri, Jan 22, 2021 at 5:23 PM Wayne Beaton < wayne.bea...@eclipse-foundation.org> wrote:
> As the recent SolarWinds hack has reminded us, security is everyone's > concern. We owe it to the millions of developers and adopters who use our > technologies to take all reasonable steps to ensure the validity of the > software that we distribute. > > Responsibility to decide which Eclipse IDE packages are distributed as > official "Eclipse IDE" releases (e.g., the packages listed on the Eclipse > IDE packages download page <https://www.eclipse.org/downloads/packages/> or > are installable via the installer) rests with the Eclipse Foundation. That > is, the Eclipse Foundation has (and has always had) responsibility to > ensure that the content being distributed as official "Eclipse IDE" > releases meets a well-defined standard. > > The standard is set by the participation rules of the simultaneous release > and following the practices established for the simultaneous release, are > in our opinion, the best means of mitigating risk. > > In order for a package to be listed as an official "Eclipse IDE" release, > displayed on "package" download pages and included in the installer, these > rules must be followed: > > *All features to the package must come through the simultaneous release. *That > is, all Eclipse open source projects contributing features to projects must > participate in the simultaneous release and follow the participation rules > defined and maintained by the Eclipse Planning Council. By way of > clarification, content produced by other Eclipse open source projects may > be included, but only when that content is sponsored into the simultaneous > release by a project that is itself participating in the process (Eclipse > Jetty is an example of this). > > *All bundles must be signed using the EF's certificate. *Obvious > exceptions will be made in cases where signing is impossible. > > We will be applying this standard to the next release and for every > release thereafter. > > The means by which the simultaneous release participation rules are > changed is to engage with the Eclipse Planning Council via your Eclipse > Planning Council representative. > So if I understand correctly everything from above can be changed via the Planning Council. I'm especially interested in the signing as it's becoming harder and harder to keep up with external ecosystem due to way faster pace and being able to use different means of signing as discussed at https://www.eclipse.org/lists/p2-dev/msg05910.html becomes critical. But let's keep this discussion for the next Planning Council meeting. > > Please let me know if you have any questions or concerns. > > Wayne > -- > > Wayne Beaton > > Director of Open Source Projects | Eclipse Foundation > _______________________________________________ > cross-project-issues-dev mailing list > cross-project-issues-dev@eclipse.org > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev > -- Alexander Kurtakov Red Hat Eclipse Team
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
