Re: [thingweb-dev] Project vserver changes

Hello Ege,

>What is meant by schedule?

We're looking for a regular cadence of updates for the OS (at a minimum), and it's up to the project if that's every 2/4/6 weeks/months. So picking a cadence and letting the security team know that 'Every period of time X, we will/are running updates' should cover it.

Be prepared for the security team to follow up and possibly ask for confirmation.  You'll have to talk to them about what that confirmation would look like when they ask for it.

> What kind of actions are typically received?

Mostly data deletion, although there have been a few cases requesting data access.  

We don't know your system/service as well as you do (or should :) ), so we rely on the project, which this requirement makes more formal than it has been.

Hope that helps.

-Matt.
 

On Mon, Nov 11, 2024 at 6:56 PM Ege Korkan <egekorkan@xxxxxxxxx> wrote:

Dear Matt,

 

We have talked about this in our weekly call and have some questions:

 

  • What is meant by schedule? We can easily update every couple of months since we have a much leaner setup now. It can be more frequent too or on demand (new Ubuntu LTS version should be updated etc.)
  • Responsible people due to GDPR notices: What kind of actions are typically received? We do not store any user data nor do we plan to.

 

In any case, we really appreciate that the foundation is providing such a service. We would like to keep it.

 

Best,

Ege

 

From: Eclipse Webmaster <webmaster@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wednesday, 6. November 2024 at 23:03
To: thingweb-dev@xxxxxxxxxxx <thingweb-dev@xxxxxxxxxxx>
Subject: Project vserver changes

Hello,

 

As part of our ongoing work to improve security, there is an upcoming change in how we handle project virtual servers, and how they are expected to be managed by your team, that you need to be aware of.

 

By way of background, the Eclipse Foundation discontinued project virtual servers from its offering many years ago. All currently operating virtual servers are part of a grandfathered offering.

 

Starting in Q1 2025, we are requiring that all projects that have a virtual server hosted by or sponsored by the Foundation submit and maintain an update schedule.  This schedule should indicate who on the project team is responsible for managing the server, and establish a consistent update cadence for both software and the OS that your project will follow.

 

Members of the project that are identified as responsible will also be added to our GDPR notices if they do not already receive them, so they can action any GDPR requests the Foundation receives.

 

If the project doesn’t have anyone that is willing to take on such responsibilities, we should begin discussing the graceful shutdown of your project virtual server.


Please submit your schedule to security@xxxxxxxxxxxxxxxxxxxxxx by February 17, 2025 or engage with the Security or Infra (infrastructure@xxxxxxxxxxxxxxxxxxxxxx) teams via email by that time. If we don’t hear from you by the due date, we’ll file an issue to schedule the shutdown, after which your data will be held briefly before it is removed.

 

-Matt.



--
-Webmaster
