[eclipse.org-architecture-council] [Bug 337004] New: Eclipse Security Policy and Procedures

https://bugs.eclipse.org/bugs/show_bug.cgi?id=337004
Product/Component: Community / Architecture Council

           Summary: Eclipse Security Policy and Procedures
    Classification: Eclipse Foundation
           Product: Community
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Architecture Council
        AssignedTo: eclipse.org-architecture-council@xxxxxxxxxxx
        ReportedBy: wayne@xxxxxxxxxxx


One more thing for our plate: I need to draft a security policy and procedures
document, and I'd like your help.

The motivation here is that we have discovered a handful of security issues
across several projects. As our projects continue to diversify and find
adoption in diverse areas, we expect that additional security issues will be
uncovered. We at the Foundation would rather like to be prepared to deal with
these issues.

Of course, we need to balance this with the ever-increasing demands on project
resources, so I do intend to be sensitive to that.

As for a policy, I expect that our eclipse.org-wide policy will be something
along the lines of "We care about security" as it is impossible for eclipse.org
to implement specific policies with regard to timeliness of fixes, rebuilds,
and that sort of thing. Ultimately, the response to a disclosed security issue
is wholly dependent on the individual projects. In that regard, I'm thinking
that we'd all be better served by a well-documented set of best practices for
dealing with security issues, coupled with support processes and infrastructure
where possible/sensible.

To keep the scope of this bug as focussed as possible, I'd like to restrict the
conversation here to that of actual policy, and I'll open subtasks/blocker bugs
to cover discussion of specific procedures/best practices.
