-
The Eclipse top-level project has an aggregation build that builds all the subprojects: Equinox, PDE, JDT, and Platform. https://ci.eclipse.org/releng/job/Builds/job/I-build-4.29/ It produces this unified update site: https://download.eclipse.org/eclipse/updates/4.29-I-builds/ It also produces download pages such as this one: https://download.eclipse.org/eclipse/downloads/drops4/S-4.29M1-202307051800/index.php So how the sub-projects are built and made available is already coordinated today. The 3rd-party dependencies are also coordinated across the sub-projects via You mention a "common ticket", but of course GitHub has issues, not tickets, and these cannot be common across organizations. An issue could be created that references other related issues in other organizations. We could create such a common/umbrella issue here: https://github.com/eclipse-platform/.github/issues That could help group/coordinate related "sub-issues" across organizations.
-
I suppose we will also need to (eventually?) imagine how to do such coordination across a much larger set of projects that comprise the Eclipse Simultaneous Release, not just across the Eclipse top-level project's subprojects: https://projects.eclipse.org/releases/2023-06 Coordinating all this effectively, with some level of secrecy, will be even more challenging.
-
Imagine a situation where a common serious security issue has been found in multiple elements of the Platform simultaneously. This is quite common in the industry: a vulnerable code pattern, copy-pasting, or usage of the same library...
Attackers have time to exploit unfixed subprojects if one sub-project releases or commits a fix before others. It is a good practice to release such a fix simultaneously in all sub-projects.
Eclipse Platform already has important interactions between projects, so it should be quite easy to implement coordinated fixes and disclosures. Projects will need to know where such synchronization takes place. It might be the PMC, using a common ticket, etc. Here, all sub-projects decide on a common date and then release their advisories and CVE descriptions.