Update security for quicksilver

Change-Id: I7bf83fcaba8b9274be1fd0df4509510400895d96
Signed-off-by: Christopher Guindon <chris.guindon@eclipse-foundation.org>
diff --git a/_projectCommon.php b/_projectCommon.php
index 00a5410..d12108d 100755
--- a/_projectCommon.php
+++ b/_projectCommon.php
@@ -1,17 +1,24 @@
 <?php
-/*******************************************************************************
- * Copyright (c) 2011, 2015 Eclipse Foundation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
  *
  * Contributors:
  *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
- *******************************************************************************/
-$theme = "solstice";
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+require_once ($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
+
 $App->Promotion = TRUE;
 
+// Define your project-wide Nav bars here.
+$Nav = new Nav();
 $Nav->addNavSeparator("Security", 'index.php');
 $Nav->addCustomNav("Email the Security Team", "mailto:security@eclipse.org", "_self", 2);
 $Nav->addCustomNav("Policy", "policy.php", "_self", 2);
@@ -19,4 +26,4 @@
 $Nav->addNavSeparator("Projects", "/projects");
 $Nav->addCustomNav("List of Projects", "/projects/listofprojects.php", "_self", 2);
 $Nav->addCustomNav("Project Tools", "/projects/tools", "_self", 2);
-?>
\ No newline at end of file
+$Theme->setNav($Nav);
\ No newline at end of file
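Review bot: `$Theme->setNav($Nav);` on the last added line assumes the including page has already assigned `$Theme`, which this file neither creates nor checks. A page that includes `_projectCommon.php` without first calling `$App->getThemeClass()` would fail on a method call on an undefined variable. index.php, known.php and policy.php in this commit do set it before the include, so a comment such as `// Requires $App and $Theme to be defined by the including page.` above the call, or a guard `if (isset($Theme)) { $Theme->setNav($Nav); }`, would make that contract explicit.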
diff --git a/content/en_index.php b/content/en_index.php
new file mode 100644
index 0000000..b47ce4a
--- /dev/null
+++ b/content/en_index.php
@@ -0,0 +1,104 @@
+<?php
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+/*
+ * Assemble the base URL and the interesting arguments
+ * separately. We'll combine them into a URL and a form.
+ */
+$bugzilla = 'https://bugs.eclipse.org/bugs/enter_bug.cgi';
+$options = array(
+  'product' => 'Community',
+  'component' => 'Vulnerability Reports',
+  'keywords' => 'security',
+  'groups' => 'Security_Advisories'
+);
+
+/*
+ * Assemble the bits into the artifacts that we're going to
+ * need.
+ */
+$args = array();
+$inputs = array();
+foreach($options as $key => $value) {
+  $args[] = $key . '=' . preg_replace('/\s/','%20', $value);
+  $inputs[] = "<input type=\"hidden\" name=\"$key\" value=\"$value\"/>";
+}
+$inputs[] = "<button type=\"submit\">Report a potential vulnerability now</button>";
+
+$link = "$bugzilla?" . implode('&', $args);
+$form = "<form method=\"get\" action=\"$bugzilla\">" . implode('', $inputs) . "</form>";
+
+?>
+
+<h1><?php print $pageTitle; ?></h1>
+<p>
+  <i>ISO 27005 defines vulnerability as: &quot;A weakness of an asset
+  or group of assets that can be exploited by one or more
+  threats.&quot;</i>
+</p>
+<h2>The Eclipse Security Team</h2>
+<p>The Eclipse Security Team provides help and advice to Eclipse
+  projects on security issues and is the first point of contact for
+  handling security vulnerabilities. Members of the Security Team are
+  committers on Eclipse Projects and members of the Eclipse
+  Architecture Council.
+</p>
+<p>
+  Contact the <a href="mailto:security@eclipse.org">Eclipse Security
+  Team</a>.
+</p>
+<h2>Reporting a Security Vulnerability</h2>
+<p>Vulnerabilities can be reported either via email to the Eclipse
+  Security Team or directly with a project via the Eclipse Foundation's
+  Bugzilla instance.
+</p>
+<p>
+  The general security mailing list address is <a
+    href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
+  of the Eclipse Security Team will receive messages sent to this
+  address. This address should be used only for reporting undisclosed
+  vulnerabilities; regular issue reports and questions unrelated to
+  vulnerabilities in Eclipse software will be ignored. Note that this
+  email address is not encrypted.
+</p>
+<p>
+  The community is also encouraged to report vulnerabilities using the
+  <a href="<?php echo $link; ?>">Eclipse Foundation's Bugzilla
+  instance</a>. Note that you will require an Eclipse Foundation account
+  to create an issue report, but by doing so you will be able to participate
+  directly in the resolution of the issue.
+</p>
+<p>
+  <?php print $form; ?>
+</p>
+<p>
+  Issue reports related to vulnerabilities must be marked as
+  &quot;committers-only&quot;, either automatically by clicking the provide
+  link, by the reporter, or by a committer during the triage process. Note that issues marked
+  &quot;committers-only&quot; are visible to all Eclipse committers. By
+  default, a &quot;committers-only&quot; issue is also accessible to the
+  reporter and individuals explicitly indicated in the &quot;cc&quot; list.
+</p>
+<h2>Disclosure</h2>
+<p>
+  Disclosure is initially limited to the reporter and all Eclipse
+  Committers, but is expanded to include other individuals, and the
+  general public. The timing and manner of disclosure is governed by
+  the <a href="policy.php">Eclipse Security Policy</a>.
+</p>
+<p>
+  Publicly disclosed issues are listed on the <a href="known.php">Disclosed
+  Vulnerabilities Page</a>.
+</p>
\ No newline at end of file
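Review bot: The loop that fills `$args` and `$inputs` writes `$key` and `$value` into a URL and into HTML attributes with no encoding beyond replacing whitespace, and `$link` is then printed into an `href` with raw `&` separators. The values are hard-coded today, so nothing here is attacker-controlled, but any later option containing `&`, `"` or `<` would break the markup or the query string. Suggested: `$link = $bugzilla . '?' . http_build_query($options, '', '&amp;', PHP_QUERY_RFC3986);` and, inside the loop, `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` for the `value` attribute.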
diff --git a/content/en_known.php b/content/en_known.php
new file mode 100644
index 0000000..18cd520
--- /dev/null
+++ b/content/en_known.php
@@ -0,0 +1,29 @@
+<?php
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+require_once($_SERVER['DOCUMENT_ROOT'] . "/projects/classes/debug.php");
+trace_file_info(__FILE__);
+
+require_once($_SERVER['DOCUMENT_ROOT'] . "/projects/classes/Bug.class.php");
+$bugs = findResolvedSecurityBugs();
+?>
+
+<h1><?php echo $pageTitle; ?></h1>
+<?php
+  print "<ul>";
+  foreach ($bugs as $bug) {
+    print "<li>" . $bug->asHtml() . "</li>";
+  }
+  print "</ul>";
\ No newline at end of file
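Review bot: `print "<li>" . $bug->asHtml() . "</li>";` emits whatever `asHtml()` returns straight into the page, and the bug records presumably come from Bugzilla, where summaries are written by reporters. `Bug.class.php` is not part of this commit, so it is worth confirming that `asHtml()` escapes every field before this list is rendered. A comment such as `// asHtml() must return escaped markup; bug summaries are reporter-supplied.` above the loop would record that contract.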
diff --git a/content/en_policy.php b/content/en_policy.php
new file mode 100644
index 0000000..f0b08a8
--- /dev/null
+++ b/content/en_policy.php
@@ -0,0 +1,205 @@
+<?php
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+?>
+
+<h1><?php print $pageTitle; ?></h1>
+<a name="Overview"></a>
+<h2>Overview</h2>
+<p>The purpose of the Eclipse Security Policy is to set forth the
+  general principles under which the Eclipse Foundation will manage the
+  reporting, management, discussion, and disclosure of Vulnerabilities
+  discovered in Eclipse software. This Security Policy applies to all
+  software distributed by the Eclipse Foundation, including all
+  software authored by Eclipse Committers and third-parties. This IP
+  Policy should at all times be interpreted in a manner that is
+  consistent with the Purposes of the Eclipse Foundation as set forth
+  in the Eclipse Foundation Bylaws.
+</p>
+<p>The document uses the ISO 27005 definition of vulnerability:
+  &quot;A weakness of an asset or group of assets that can be exploited
+  by one or more threats.&quot;
+</p>
+<p>This document uses terms from the <a
+  href="http://www.eclipse.org/projects/dev_process/development_process.php"
+  class="external text"
+  title="http://www.eclipse.org/projects/dev_process/development_process.php"
+  rel="nofollow">Eclipse Development Process</a>.
+</p>
+<a name="Eclipse_Security_Team"></a>
+<h2>Eclipse Security Team</h2>
+<p>The Security Team is the first line of defense: it is effectively a
+  triage unit with security expertise. Ultimately, Vulnerabilities are
+  resolved by individual projects with assistance from the Security
+  Team.
+</p>
+<p>The Security Team is composed of a small number of security
+  experts. At any point in time, there are no more than seven (7)
+  members, including a minimum of one representative each from the
+  Eclipse and RT Top-Level Projects, and a representative of the
+  EMO(ED). All members are appointed by EMO(ED).
+</p>
+<p>Mail sent to the security mail address is sent exclusively to all
+  members of the Security Team. Anybody can send mail to this address.
+</p>
+<a name="Reporting"></a>
+<h2>Reporting</h2>
+<p>Vulnerabilities can be reported either via email or directly with a
+  project via Bugzilla.
+</p>
+<p>The general security mailing list address is security@eclipse.org.
+  Members of the Eclipse Security Team will receive messages sent to
+  this address. This address should be used only for reporting
+  undisclosed Vulnerabilities; regular issue reports and questions
+  unrelated to Vulnerabilities in Eclipse software will be ignored.
+  Note that this email address is not encrypted.
+</p>
+<p>The community is encouraged to report Vulnerabilities using the
+  standard Eclipse Bugzilla instance. Issue reports related to
+  Vulnerabilities must be marked as "committers-only", either by the
+  reporter, or by a committer during the triage process.
+</p>
+<p>Note that issues marked "committers-only" are visible to all Eclipse
+  committers. By default, a "committers-only" issue is also accessible to
+  the reporter and individuals explicitly indicated in the "cc" list.
+  These defaults can be overridden to further restrict access at the
+  discretion of the committer and project leadership.
+</p>
+<dl>
+  <dd>
+    <i>Note that Bugzilla sends out emails as issues are modified. Email
+    is inherently insecure.</i>
+  </dd>
+</dl>
+<a name="Discussion"></a>
+<h2>Discussion</h2>
+<p>Initial discussion of an open Vulnerability may occur privately
+  amongst members of the Security Team. Discussion should be moved to a
+  Bugzilla record in a timely manner.
+</p>
+<a name="Resolution"></a>
+<h2>Resolution</h2>
+<p>A Vulnerability is considered resolved when either a patch or
+  workaround is available, or it is determined that a fix is not
+  possible or desirable.
+</p>
+<p>The Eclipse IP Team will give priority to contribution
+  questionnaires (CQs) required to resolve Vulnerabilities.
+</p>
+<p>It is left to the discretion of the Security Team and project
+  leadership to determine what subset of the project committers are
+  best suited to resolve Vulnerabilities. The Security Team and project
+  leaders may also&mdash;at their discretion&mdash;assemble external
+  resources (e.g. subject matter experts) or call on the expertise of
+  the Architecture Council.
+</p>
+<a name="Distribution"></a>
+<h2>Distribution</h2>
+<p>Once a Vulnerability has been resolved, the updated software must
+  be made available to the community.
+</p>
+<p>At a minimum, updated software is made available via normal project
+  distribution channels (e.g. downloads and update sites).
+</p>
+<p>The Eclipse Planning Council must be made aware of Vulnerabilities in
+  software that is part of the simultaneous release. The Eclipse Planning
+  Council will determine whether or not a &quot;respin&quot; of the simultaneous
+  release repository and EPP packages is required. The Eclipse Planning Council
+  will coordinate the timing of the "respin" with the Project
+  Leadership.
+</p>
+<a name="Disclosure"></a>
+<h2>Disclosure</h2>
+<p>Disclosure is initially limited to the reporter and all Eclipse
+  Committers, but can be expanded to include other individuals.
+</p>
+<p>All Vulnerabilities must be disclosed, regardless of the
+  resolution. Users and administrators of Eclipse software must made
+  aware that a vulnerability exists so they can assess risk, and take
+  the appropriate action to protect their users, servers and systems
+  from potential exploit.
+</p>
+<a name="Timing"></a>
+<h3>Timing</h3>
+<p>The timing of disclosure is left to the discretion of the project
+  leadership, including the Project Lead(s), PMC, and EMO(ED). In the
+  absence of specific guidance from the project leadership, the
+  following guidelines are recommended:
+</p>
+<ul>
+  <li>Vulnerabilities for which there is a patch, workaround or fix,
+    should be disclosed to the community immediately.
+  </li>
+  <li>Vulnerabilities&mdash;regardless of state&mdash;must be disclosed to the
+    community after a maximum three months.
+  </li>
+</ul>
+<p>Vulnerabilities need not necessarily be resolved at the time of
+  disclosure.
+</p>
+<a name="Quiet_Disclosure"></a>
+<h3>Quiet Disclosure</h3>
+<p>
+  A Vulnerability can be <i>quietly</i> disclosed by simply removing
+  the 'committers_only' flag. The issue's history will record that the
+  flag has been removed, and the issue will become visible for everyone
+  in searches.
+</p>
+<p>In general, quiet disclosure is appropriate only for issues that are
+  identified by a committer as having been erroneously marked as
+  Vulnerabilities.
+</p>
+<a name="Progressive_Disclosure"></a>
+<h3>Progressive Disclosure</h3>
+<p>Knowledge of a Vulnerability can be easily extended to individuals
+  by adding them to the "cc" list on the issue. A Vulnerability may--at
+  the discretion of the committer--be disclosed to specific
+  individuals. A committer may, for example, provide access to a
+  subject-matter expert to solicit help or advice. The Vulnerability
+  may also be disclosed to known adopters to allow them an opportunity
+  to mitigate their immediate risk and prepare for a forthcoming
+  resolution.
+</p>
+<p>Contacts added to an unresolved Vulnerability must be individuals.
+  Groups (e.g. mailing lists)--with the exception of
+  security@eclipse.org--should never be copied on a Vulnerability issue.
+</p>
+<a name="Full_Disclosure"></a>
+<h3>Full Disclosure</h3>
+<p>All Vulnerabilities must ultimately be fully disclosed to the
+  community at large.
+</p>
+<p>
+  All Vulnerabilities affecting projects that participate in the
+  Simultaneous Release must be reported to the Eclipse Planning Council prior
+  to full disclosure to the community at large. Disclosure of a
+  Vulnerability must be coordinated with the distribution of the
+  updated software from the Project's own distribution channels, the
+  Simultaneous Release repository, and EPP packages (please see <a
+    href="#Distribution" title="">Distribution</a>).
+</p>
+<p>To complete the disclosure of a Vulnerability, the committers-only
+  flag must be removed from the issue and the 'security' keyword added.
+  Issues in this state are automatically reported on the security page
+  and RSS feed.
+</p>
+<a name="Escalation"></a>
+<h3>Escalation</h3>
+<p>
+  A security vulnerability may--at the discretion of the project
+  leadership--be escalated to a outside body such as <a
+    href="http://www.cert.org" class="external text"
+    title="http://www.cert.org" rel="nofollow">CERT</a>. The EMO can
+  provide assistance.
+</p>
\ No newline at end of file
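Review bot: The flag is spelled `'committers_only'` in the Quiet Disclosure paragraph but `"committers-only"` everywhere else in this file and in content/en_index.php; since removing that flag is the disclosure step, one spelling should be used throughout. Two wording slips in the new file are also worth fixing: the Overview says `This IP Policy should at all times be interpreted` in what is the Security Policy, and the Disclosure section reads `must made aware` where `must be made aware` is meant.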
diff --git a/index.php b/index.php
index eb5dc7b..7827d8d 100755
--- a/index.php
+++ b/index.php
@@ -1,124 +1,32 @@
 <?php
-/*******************************************************************************
- * Copyright (c) 2011, 2015 Eclipse Foundation and others.
-* All rights reserved. This program and the accompanying materials
-* are made available under the terms of the Eclipse Public License v1.0
-* which accompanies this distribution, and is available at
-* http://www.eclipse.org/legal/epl-v10.html
-*
-* Contributors:
-*    Wayne Beaton (Eclipse Foundation)- initial API and implementation
-*******************************************************************************/
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+require_once ($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
+
 $App = new App();
-$Nav = new Nav();
-$Menu = new Menu();
-include($App->getProjectCommon());
+$Theme = $App->getThemeClass();
 
-$pageTitle 		= "Eclipse Security";
-$pageAuthor		= "";
-$pageKeywords	= "Eclipse, projects, security";
+include ($App->getProjectCommon());
 
-/*
- * Assemble the base URL and the interesting arguments
- * separately. We'll combine them into a URL and a form.
- */
-$bugzilla = 'https://bugs.eclipse.org/bugs/enter_bug.cgi';
-$options = array(
-  'product' => 'Community',
-  'component' => 'Vulnerability Reports',
-  'keywords' => 'security',
-  'groups' => 'Security_Advisories'
-);
-
-/*
- * Assemble the bits into the artifacts that we're going to
- * need.
- */
-$args = array();
-$inputs = array();
-foreach($options as $key => $value) {
-  $args[] = $key . '=' . preg_replace('/\s/','%20', $value);
-  $inputs[] = "<input type=\"hidden\" name=\"$key\" value=\"$value\"/>";
-}
-$inputs[] = "<button type=\"submit\">Report a potential vulnerability now</button>";
-
-$link = "$bugzilla?" . implode('&', $args);
-$form = "<form method=\"get\" action=\"$bugzilla\">" . implode('', $inputs) . "</form>";
+$pageTitle = "Eclipse Security";
+$Theme->setPageTitle($pageTitle);
+$Theme->setPageKeywords("Eclipse, projects, security");
 
 ob_start();
-?>
-<div id="maincontent">
-	<div id="midcolumn">
-		<h1><?php echo $pageTitle; ?></h1>
-		<p>
-			<i>ISO 27005 defines vulnerability as: &quot;A weakness of an asset
-				or group of assets that can be exploited by one or more
-				threats.&quot;</i>
-		</p>
+include("content/en_" . $App->getScriptName());
+$html = ob_get_clean();
 
-		<h2>The Eclipse Security Team</h2>
-		<p>The Eclipse Security Team provides help and advice to Eclipse
-			projects on security issues and is the first point of contact for
-			handling security vulnerabilities. Members of the Security Team are
-			committers on Eclipse Projects and members of the Eclipse
-			Architecture Council.</p>
-		<p>
-			Contact the <a href="mailto:security@eclipse.org">Eclipse Security
-				Team</a>.
-		</p>
-
-		<h2>Reporting a Security Vulnerability</h2>
-		<p>Vulnerabilities can be reported either via email to the Eclipse
-			Security Team or directly with a project via the Eclipse Foundation's
-			Bugzilla instance.</p>
-		<p>
-			The general security mailing list address is <a
-				href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
-			of the Eclipse Security Team will receive messages sent to this
-			address. This address should be used only for reporting undisclosed
-			vulnerabilities; regular issue reports and questions unrelated to
-			vulnerabilities in Eclipse software will be ignored. Note that this
-			email address is not encrypted.
-		</p>
-		<p>
-			The community is also encouraged to report vulnerabilities using the
-			<a href="<?php echo $link; ?>">Eclipse Foundation's Bugzilla
-			instance</a>. Note that you will require an Eclipse Foundation account
-			to create an issue report, but by doing so you will be able to participate
-			directly in the resolution of the issue.
-		</p>
-		<p>
-			<?php echo $form; ?>
-		</p>
-		<p>
-			Issue reports related to vulnerabilities must be marked as
-			&quot;committers-only&quot;, either automatically by clicking the provide
-			link, by the reporter, or by a committer during the triage process. Note that issues marked
-			&quot;committers-only&quot; are visible to all Eclipse committers. By
-			default, a &quot;committers-only&quot; issue is also accessible to the
-			reporter and individuals explicitly indicated in the &quot;cc&quot; list.
-		</p>
-
-		<h2>Disclosure</h2>
-		<p>
-			Disclosure is initially limited to the reporter and all Eclipse
-			Committers, but is expanded to include other individuals, and the
-			general public. The timing and manner of disclosure is governed by
-			the <a href="policy.php">Eclipse Security Policy</a>.
-		</p>
-		<p>
-			Publicly disclosed issues are listed on the <a href="known.php">Disclosed
-				Vulnerabilities Page</a>.
-		</p>
-	</div>
-</div>
-
-<?php
-$html = ob_get_contents();
-ob_end_clean();
-
-$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
-?>
\ No newline at end of file
+$Theme->setHtml($html);
+$Theme->generatePage();
\ No newline at end of file
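Review bot: The content include `include("content/en_" . $App->getScriptName());` builds a file path from a value whose origin is not visible in this commit; if `getScriptName()` is derived from request data, the path should be fixed per wrapper rather than computed. Each wrapper already knows its own name, so `include(__DIR__ . "/content/en_" . basename(__FILE__));` removes that dependency and also stops the relative path from depending on the working directory or include_path. The same line is added in known.php and policy.php. `include` only warns when the file is missing, so the page would render with an empty body; `require` would fail loudly instead.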
diff --git a/known.php b/known.php
index 31961b5..cd57b57 100755
--- a/known.php
+++ b/known.php
@@ -1,49 +1,32 @@
 <?php
-/*******************************************************************************
- * Copyright (c) 2011, 2015 Eclipse Foundation and others.
-* All rights reserved. This program and the accompanying materials
-* are made available under the terms of the Eclipse Public License v1.0
-* which accompanies this distribution, and is available at
-* http://www.eclipse.org/legal/epl-v10.html
-*
-* Contributors:
-*    Wayne Beaton (Eclipse Foundation)- initial API and implementation
-*******************************************************************************/
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+require_once ($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
+
 $App = new App();
-$Nav = new Nav();
-$Menu = new Menu();
-include($App->getProjectCommon());
+$Theme = $App->getThemeClass();
 
-require_once($_SERVER['DOCUMENT_ROOT'] . "/projects/classes/debug.php");
-trace_file_info(__FILE__);
+include ($App->getProjectCommon());
 
-require_once($_SERVER['DOCUMENT_ROOT'] . "/projects/classes/Bug.class.php");
-$bugs = findResolvedSecurityBugs();
-
-$pageTitle 		= "Known Eclipse Security Vulnerabilities";
-$pageAuthor		= "";
-$pageKeywords	= "Eclipse, projects, security";
+$pageTitle = "Known Eclipse Security Vulnerabilities";
+$Theme->setPageTitle($pageTitle);
+$Theme->setPageKeywords("Eclipse, projects, security");
 
 ob_start();
-?>
-<div id="maincontent">
-	<div id="midcolumn">
-		<h1><?php echo $pageTitle; ?></h1>
-		<?php 
-		echo "<ul>";
-		foreach ($bugs as $bug) {
-			echo "<li>" . $bug->asHtml() . "</li>";
-		}
-		echo "</ul>";		
-		?>
-	</div>
-</div>
-<?php
-$html = ob_get_contents();
-ob_end_clean();
+include("content/en_" . $App->getScriptName());
+$html = ob_get_clean();
 
-$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
-?>
\ No newline at end of file
+$Theme->setHtml($html);
+$Theme->generatePage();
\ No newline at end of file
diff --git a/policy.php b/policy.php
index c1af62b..3010f1a 100755
--- a/policy.php
+++ b/policy.php
@@ -1,13 +1,32 @@
 <?php
-/*******************************************************************************
- * Copyright (c) 2011 Eclipse Foundation and others.
-* All rights reserved. This program and the accompanying materials
-* are made available under the terms of the Eclipse Public License v1.0
-* which accompanies this distribution, and is available at
-* http://www.eclipse.org/legal/epl-v10.html
-*
-* Contributors:
-*    Wayne Beaton (Eclipse Foundation)- initial API and implementation
-*******************************************************************************/
-include 'policy_2011.php';
-?>
\ No newline at end of file
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+require_once ($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
+
+$App = new App();
+$Theme = $App->getThemeClass();
+
+include ($App->getProjectCommon());
+
+$pageTitle = "Eclipse Security Policy";
+$Theme->setPageTitle($pageTitle);
+$Theme->setPageKeywords("Eclipse, projects, security");
+
+ob_start();
+include("content/en_" . $App->getScriptName());
+$html = ob_get_clean();
+
+$Theme->setHtml($html);
+$Theme->generatePage();
\ No newline at end of file
diff --git a/policy_2011.php b/policy_2011.php
index 9e66e3c..4c93f6a 100755
--- a/policy_2011.php
+++ b/policy_2011.php
@@ -1,205 +1,16 @@
 <?php
-/*******************************************************************************
- * Copyright (c) 2011, 2015 Eclipse Foundation and others.
-* All rights reserved. This program and the accompanying materials
-* are made available under the terms of the Eclipse Public License v1.0
-* which accompanies this distribution, and is available at
-* http://www.eclipse.org/legal/epl-v10.html
-*
-* Contributors:
-*    Wayne Beaton (Eclipse Foundation)- initial API and implementation
-*******************************************************************************/
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
-$App = new App();
-$Nav = new Nav();
-$Menu = new Menu();
-include($App->getProjectCommon());
+/**
+ * Copyright (c) 2011, 2015, 2018 Eclipse Foundation and others.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * Contributors:
+ *    Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *    Christopher Guindon (Eclipse Foundation)
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 
-$pageTitle 		= "Eclipse Security Policy";
-$pageAuthor		= "";
-$pageKeywords	= "Eclipse, projects, security";
-
-require_once dirname(__FILE__) . '/../projects/classes/images.inc';
-
-ob_start();
-?>
-<div id="maincontent">
-	<div id="midcolumn">
-		<h1><?php echo $pageTitle; ?></h1>
-		<a name="Overview"></a>
-		<h2>Overview</h2>
-		<p>The purpose of the Eclipse Security Policy is to set forth the
-			general principles under which the Eclipse Foundation will manage the
-			reporting, management, discussion, and disclosure of Vulnerabilities
-			discovered in Eclipse software. This Security Policy applies to all
-			software distributed by the Eclipse Foundation, including all
-			software authored by Eclipse Committers and third-parties. This IP
-			Policy should at all times be interpreted in a manner that is
-			consistent with the Purposes of the Eclipse Foundation as set forth
-			in the Eclipse Foundation Bylaws.</p>
-		<p>The document uses the ISO 27005 definition of vulnerability:
-			&quot;A weakness of an asset or group of assets that can be exploited
-			by one or more threats.&quot;
-		</p>
-			This document uses terms from the <a
-			href="http://www.eclipse.org/projects/dev_process/development_process.php"
-			class="external text"
-			title="http://www.eclipse.org/projects/dev_process/development_process.php"
-			rel="nofollow">Eclipse Development Process</a>.
-		</p>
-
-		<a name="Eclipse_Security_Team"></a>
-
-		<h2>Eclipse Security Team</h2>
-		<p>The Security Team is the first line of defense: it is effectively a
-			triage unit with security expertise. Ultimately, Vulnerabilities are
-			resolved by individual projects with assistance from the Security
-			Team.</p>
-		<p>The Security Team is composed of a small number of security
-			experts. At any point in time, there are no more than seven (7)
-			members, including a minimum of one representative each from the
-			Eclipse and RT Top-Level Projects, and a representative of the
-			EMO(ED). All members are appointed by EMO(ED).</p>
-		<p>Mail sent to the security mail address is sent exclusively to all
-			members of the Security Team. Anybody can send mail to this address.
-		</p>
-		<a name="Reporting"></a>
-		<h2>Reporting</h2>
-		<p>Vulnerabilities can be reported either via email or directly with a
-			project via Bugzilla.</p>
-		<p>The general security mailing list address is security@eclipse.org.
-			Members of the Eclipse Security Team will receive messages sent to
-			this address. This address should be used only for reporting
-			undisclosed Vulnerabilities; regular issue reports and questions
-			unrelated to Vulnerabilities in Eclipse software will be ignored.
-			Note that this email address is not encrypted.</p>
-		<p>The community is encouraged to report Vulnerabilities using the
-			standard Eclipse Bugzilla instance. Issue reports related to
-			Vulnerabilities must be marked as "committers-only", either by the
-			reporter, or by a committer during the triage process.</p>
-		<p>Note that issues marked "committers-only" are visible to all Eclipse
-			committers. By default, a "committers-only" issue is also accessible to
-			the reporter and individuals explicitly indicated in the "cc" list.
-			These defaults can be overridden to further restrict access at the
-			discretion of the committer and project leadership.</p>
-		<dl>
-			<dd>
-				<i>Note that Bugzilla sends out emails as issues are modified. Email
-					is inherently insecure.</i>
-			</dd>
-		</dl>
-		<a name="Discussion"></a>
-		<h2>Discussion</h2>
-		<p>Initial discussion of an open Vulnerability may occur privately
-			amongst members of the Security Team. Discussion should be moved to a
-			Bugzilla record in a timely manner.</p>
-		<a name="Resolution"></a>
-		<h2>Resolution</h2>
-		<p>A Vulnerability is considered resolved when either a patch or
-			workaround is available, or it is determined that a fix is not
-			possible or desirable.</p>
-		<p>The Eclipse IP Team will give priority to contribution
-			questionnaires (CQs) required to resolve Vulnerabilities.</p>
-		<p>It is left to the discretion of the Security Team and project
-			leadership to determine what subset of the project committers are
-			best suited to resolve Vulnerabilities. The Security Team and project
-			leaders may also&mdash;at their discretion&mdash;assemble external
-			resources (e.g. subject matter experts) or call on the expertise of
-			the Architecture Council.</p>
-		<a name="Distribution"></a>
-		<h2>Distribution</h2>
-		<p>Once a Vulnerability has been resolved, the updated software must
-			be made available to the community.</p>
-		<p>At a minimum, updated software is made available via normal project
-			distribution channels (e.g. downloads and update sites).</p>
-		<p>The Eclipse Planning Council must be made aware of Vulnerabilities in
-			software that is part of the simultaneous release. The Eclipse Planning
-			Council will determine whether or not a &quot;respin&quot; of the simultaneous
-			release repository and EPP packages is required. The Eclipse Planning Council
-			will coordinate the timing of the "respin" with the Project
-			Leadership.</p>
-		<a name="Disclosure"></a>
-		<h2>Disclosure</h2>
-		<p>Disclosure is initially limited to the reporter and all Eclipse
-			Committers, but can be expanded to include other individuals.</p>
-		<p>All Vulnerabilities must be disclosed, regardless of the
-			resolution. Users and administrators of Eclipse software must made
-			aware that a vulnerability exists so they can assess risk, and take
-			the appropriate action to protect their users, servers and systems
-			from potential exploit.</p>
-		<a name="Timing"></a>
-		<h3>Timing</h3>
-		<p>The timing of disclosure is left to the discretion of the project
-			leadership, including the Project Lead(s), PMC, and EMO(ED). In the
-			absence of specific guidance from the project leadership, the
-			following guidelines are recommended:</p>
-		<ul>
-			<li>Vulnerabilities for which there is a patch, workaround or fix,
-				should be disclosed to the community immediately.</li>
-			<li>Vulnerabilities&mdash;regardless of state&mdash;must be disclosed to the
-				community after a maximum three months.</li>
-		</ul>
-		<p>Vulnerabilities need not necessarily be resolved at the time of
-			disclosure.</p>
-		<a name="Quiet_Disclosure"></a>
-		<h3>Quiet Disclosure</h3>
-		<p>
-			A Vulnerability can be <i>quietly</i> disclosed by simply removing
-			the 'committers_only' flag. The issue's history will record that the
-			flag has been removed, and the issue will become visible for everyone
-			in searches.
-		</p>
-		<p>In general, quiet disclosure is appropriate only for issues that are
-			identified by a committer as having been erroneously marked as
-			Vulnerabilities.</p>
-		<a name="Progressive_Disclosure"></a>
-		<h3>Progressive Disclosure</h3>
-		<p>Knowledge of a Vulnerability can be easily extended to individuals
-			by adding them to the "cc" list on the issue. A Vulnerability may--at
-			the discretion of the committer--be disclosed to specific
-			individuals. A committer may, for example, provide access to a
-			subject-matter expert to solicit help or advice. The Vulnerability
-			may also be disclosed to known adopters to allow them an opportunity
-			to mitigate their immediate risk and prepare for a forthcoming
-			resolution.</p>
-		<p>Contacts added to an unresolved Vulnerability must be individuals.
-			Groups (e.g. mailing lists)--with the exception of
-			security@eclipse.org--should never be copied on a Vulnerability issue.
-		</p>
-		<a name="Full_Disclosure"></a>
-		<h3>Full Disclosure</h3>
-		<p>All Vulnerabilities must ultimately be fully disclosed to the
-			community at large.</p>
-		<p>
-			All Vulnerabilities affecting projects that participate in the
-			Simultaneous Release must be reported to the Eclipse Planning Council prior
-			to full disclosure to the community at large. Disclosure of a
-			Vulnerability must be coordinated with the distribution of the
-			updated software from the Project's own distribution channels, the
-			Simultaneous Release repository, and EPP packages (please see <a
-				href="#Distribution" title="">Distribution</a>).
-		</p>
-		<p>To complete the disclosure of a Vulnerability, the committers-only
-			flag must be removed from the issue and the 'security' keyword added.
-			Issues in this state are automatically reported on the security page
-			and RSS feed.</p>
-		<a name="Escalation"></a>
-		<h3>Escalation</h3>
-		<p>
-			A security vulnerability may--at the discretion of the project
-			leadership--be escalated to a outside body such as <a
-				href="http://www.cert.org" class="external text"
-				title="http://www.cert.org" rel="nofollow">CERT</a>. The EMO can
-			provide assistance.
-		</p>
-	</div>
-</div>
-
-<?php
-	$html = ob_get_contents();
-	ob_end_clean();
-
-	$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
-?>
\ No newline at end of file
+header('Location: policy.php');
\ No newline at end of file
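Review bot: `header('Location: policy.php');` sends PHP's default 302 and is not followed by `exit;`, although policy_2011.php is now only a permanent pointer to policy.php. I would write `header('Location: policy.php', true, 301);` followed by `exit;`. That lets clients and crawlers update the old URL, and anything appended later (or an `auto_append_file`) cannot run after the redirect. A one-line comment such as `// Content moved to policy.php; kept only to redirect old links.` would explain why the file still exists.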