Serious Vulnerability in Log4j < 2.15.
A serious vulnerability has been reported that affects versions of Apache Log4j between 2.0.0 and 2.14.1. Please take a few minutes to ensure that your project is not affected. Note that there are numerous vulnerabilities reported against versions < 2.0 as well (which are no longer "supported"), so it's probably just a good idea to update to the latest and greatest. Note that Log4j version 2.15 has been vetted through our IP Due Diligence process, so you're good to go to incorporate that version into your project.
The EMO has been transitioning its process tracking over to the Eclipse Foundation's GitLab infrastructure: where we have used Bugzilla in the past, we are now using GitLab issues. Specifically, we're using GitLab issues to track creation, release, progress, and termination reviews. We're still experimenting a bit with how we work in GitLab issues, but by and large, the transition has been pretty smooth. I'll reinforce that I'm talking about issues that the EMO creates and manages (that is, we don't expect committers to create these issues).
The change over to GitLab has afforded us an opportunity to work more interactively with committers through the process. We previously only used Bugzilla issues to track the EMO's process and generally avoided any substantial interaction with the project team regarding the nature of their release.
We've started leveraging GitLab's issue templates to build checklists that help the EMO provide better service to the project (note that the EMO creates these issues; you don't have to). We're being more consistent, for example, with regard to helping projects ensure that they have information in their repositories that helps the community discover and engage with the project.
Potential contributors have come to expect that projects have robust README/CONTRIBUTING files in every repository's root directory that help folks learn how to interact with the project team, along with a well-defined LICENSE file that describes the project's licensing, and a NOTICE file that describes the licensing of third-party content. The EMO has been working with project teams to help get these files into place.
Holiday shutdown. The Eclipse Projects Team will be completely offline starting on December 23/2022 and returning on January 3/2022. If you have plans that require EMO review during or shortly after this timeframe, please engage with us in early December.
Note that it is the Eclipse Projects Team that monitors the emo@ inbox, so please expect a delay to any messages you send to that address.
Note that the IP Team will also be offline during our shutdown and any content that requires their review will be delayed during this period.
By way of reminder, an Eclipse Project can create official releases for a full calendar year following a successful release or progress review. Do take note that the content of your releases must be fully vetted by the Eclipse Foundation's IP Due Diligence Process prior to the release. Specifically, you should ensure that all contributors (who are not project committers) have signed the ECA, and that you've vetted all included third-party content, either by using the Eclipse Dash License Tool or by working through the CQ process.
Director of Open Source Projects | Eclipse Foundation