*** empty log message ***
diff --git a/_projectCommon.php b/_projectCommon.php
new file mode 100755
index 0000000..f1efa28
--- /dev/null
+++ b/_projectCommon.php
@@ -0,0 +1,24 @@
+<?php
+/*******************************************************************************
+ * Copyright (c) 2011 Eclipse Foundation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Wayne Beaton (Eclipse Foundation)- initial API and implementation
+ *******************************************************************************/
+$theme = "Nova";
+$App->Promotion = TRUE;
+
+$App->AddExtraHtmlHeader("<style>#midcolumn {background-image:url(/images/draft.gif);background-size:100%}</style>");
+
+$Nav->addNavSeparator("Security", 'index.php');
+$Nav->addCustomNav("Email the Security Team", "mailto:security@eclipse.org", "_self", 2);
+$Nav->addCustomNav("Policy", "policy.php", "_self", 2);
+$Nav->addCustomNav("Known Vulnerabilities", "known.php", "_self", 2);
+$Nav->addNavSeparator("Projects", "/projects");
+$Nav->addCustomNav("List of Projects", "/projects/listofprojects.php", "_self", 2);
+$Nav->addCustomNav("Project Tools", "/projects/tools", "_self", 2);
+?>
\ No newline at end of file
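Review bot: `$theme = "Nova";` is assigned but nothing in this file reads it, and the pages in this commit hard-code the theme as the first argument of `generatePage('Nova', ...)`, so the variable is dead unless the common framework picks it up from the including scope (not visible here). Either drop the assignment or make the pages use it, e.g. `$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);`. The file also ends with a closing `?>`; in a file that is only ever included, omitting the closing tag removes the risk of stray whitespace being emitted before the framework sends headers.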
diff --git a/index.php b/index.php
index f58eb39..b16434b 100755
--- a/index.php
+++ b/index.php
@@ -1,77 +1,88 @@
<?php
/*******************************************************************************
* Copyright (c) 2011 Eclipse Foundation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
- * Wayne Beaton (Eclipse Foundation)- initial API and implementation
- *******************************************************************************/
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+* Contributors:
+* Wayne Beaton (Eclipse Foundation)- initial API and implementation
+*******************************************************************************/
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
$App = new App();
$Nav = new Nav();
$Menu = new Menu();
-include($App->getProjectCommon());
+include($App->getProjectCommon());
$pageTitle = "Eclipse Security";
$pageAuthor = "";
$pageKeywords = "Eclipse, projects, security";
-require_once dirname(__FILE__) . '/../projects/classes/images.inc';
-
-//include( '_commonLeftNav.php' );
-
-function button($title, $text, $url, $image) {
- echo "<a href=\"$url\"><div class=\"cell\" style=\"background-image:url($image);\"><h3>$title</h3><p>$text</p></div></a>";
-}
-
-$App->AddExtraHtmlHeader("<link type=\"text/css\" rel=\"stylesheet\" href=\"/projects/buttons.css\">");
-
ob_start();
?>
-<div style="display:block;background-image:url(/default/images/backgroundMainEmpty.png);background-repeat:no-repeat">
- <div style="position:relative;height:193px">
- <div style="position:absolute;top:0;right:0;width:50%">
- <?php
- button("What's New?", "Find out what's new in the Eclipse Projects.", "whatsnew.php", $images->whats_new_huge);
- button("All Projects", "See a list of all the projects hosted at Eclipse.", "listofprojects.php", $images->projects_huge);
- button("Start a new Project", "Words of advice; getting started.", "http://wiki.eclipse.org/Development_Resources/HOWTO/Starting_A_New_Project", $images->new_project_huge);
- button("Emeritus", "The Committer Hall of Fame.", "committers-emeritus.php", $images->emeritus_huge);
- ?>
- </div>
- <div style="position:absolute;top:0;left:1%;right:50%;width:45%">
- <h3>Eclipse Projects</h3>
- <p>Eclipse projects now cover runtimes; static and dynamic languages; thick-client, thin-client, and server-side
- frameworks; modeling and business reporting; embedded and mobile; and, yes, we still have the best Java IDE.</p>
- <p>This page is designed to be a gateway into the projects for users, adopters, team members, and the
- merely curious.</p>
- </div>
+<div id="maincontent">
+ <div id="midcolumn">
+ <h1><?php echo $pageTitle; ?></h1>
+ <p>
+ <i>ISO 27005 defines vulnerability as: "A weakness of an asset
+ or group of assets that can be exploited by one or more
+ threats."</i>
+ </p>
+
+ <h2>The Ecipse Security Team</h2>
+ <p>The Eclipse Security Team provides help and advice to Eclipse
+ projects on security issues and is the first point of contact for
+ handling security vulnerabilities. Members of the Security Team are
+ committers on Eclipse projects and members of the Eclipse
+ Architecture Council.</p>
+ <p>
+ Contact the <a href="mailto:security@eclipse.org">Eclipse Security
+ Team</a>.
+ </p>
+
+ <h2>Reporting a Security Vulnerability</h2>
+ <p>Vulnerabilities can be reported either via email to the Eclipse
+ Security Team or directly with a project via Bugzilla.</p>
+ <p>
+ The general security mailing list address is <a
+ href="mailto:security@eclipse.org">security@eclipse.org</a>. Members
+ of the Eclipse Security Team will receive messages sent to this
+ address. This address should be used only for reporting undisclosed
+ Vulnerabilities; regular bug reports and questions unrelated to
+ Vulnerabilities in Eclipse software will be ignored. Note that this
+ email address is not encrypted.
+ </p>
+ <p>
+ The community is also encouraged to report Vulnerabilities using the
+ standard <a href="https://bugs.eclipse.org/bugs">Eclipse Bugzilla</a>
+ instance. Bug reports related to Vulnerabilities must be marked as
+ "committers-only", either by the reporter, or by a
+ committer during the triage process. Note that bugs marked
+ "committers-only" are visible to all Eclipse committers. By
+ default, a "committers-only" bug is also accessible to the
+ reporter and individuals explicitly indicated in the "cc" list.
+ </p>
+
+ <h2>Disclosure</h2>
+ <p>
+ Disclosure is initially limited to the reporter and all Eclipse
+ Committers, but is expanded to include other individuals, and the
+ general public. The timing and manner of disclosure is governed by
+ the <a href="policy.php">Eclipse Security Policy</a>.
+ </p>
+ <p>
+ Publicly disclosed bugs are listed on the <a href="known.php">Disclosed
+ Vulnerabilities Page</a>.
+ </p>
</div>
</div>
-<div style="clear:both"></div>
-
-
-
-<div>
- <?php
- button("Portal", "Manage your Eclipse Project's information.", "http://portal.eclipse.org", $images->portal_huge);
- button("Process", "The Eclipse Development Process.", "dev_process/development_process.php", $images->edp_huge);
- button("Development Resources", "Information and help for committers.", "http://wiki.eclipse.org/Development_Resources", $images->committers_huge);
- button("Project Tools", "Some handy and helpful tools for projects.", "/projects/tools", $images->tools_huge);
- ?>
-</div>
<?php
- # Paste your HTML content between the EOHTML markers!
- $html = ob_get_contents();
- ob_end_clean();
-// $App->AddExtraHtmlHeader('<link rel="stylesheet" type="text/css" href="/default/style.css"/>');
- # Generate the web page
- $App->PageRSS = "/projects/reviews-rss.php";
- $App->generatePage('Nova', $Menu, NULL, $pageAuthor, $pageKeywords, $pageTitle, $html);
+$html = ob_get_contents();
+ob_end_clean();
+$App->generatePage('Nova', $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
?>
\ No newline at end of file
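Review bot: The new heading has a typo: `<h2>The Ecipse Security Team</h2>` should read `<h2>The Eclipse Security Team</h2>`. Separately, the hunk removes `$App->PageRSS = "/projects/reviews-rss.php";` without a replacement, while the policy text added in this same commit states that disclosed bugs are "automatically reported on the security page and RSS feed"; if a security feed is intended, a `PageRSS` pointing at it should be set here, otherwise the policy wording should be adjusted. The content for this page is produced with `ob_start()`/`ob_get_contents()` and every interpolated value is a literal defined in this file, so no escaping issue is introduced.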
diff --git a/known.php b/known.php
new file mode 100755
index 0000000..fd56f75
--- /dev/null
+++ b/known.php
@@ -0,0 +1,38 @@
+<?php
+/*******************************************************************************
+ * Copyright (c) 2011 Eclipse Foundation and others.
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+* Contributors:
+* Wayne Beaton (Eclipse Foundation)- initial API and implementation
+*******************************************************************************/
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
+$App = new App();
+$Nav = new Nav();
+$Menu = new Menu();
+include($App->getProjectCommon());
+
+$pageTitle = "Known Eclipse Security Vulnerabilities";
+$pageAuthor = "";
+$pageKeywords = "Eclipse, projects, security";
+
+ob_start();
+?>
+<div id="maincontent">
+ <div id="midcolumn">
+ <h1><?php echo $pageTitle; ?></h1>
+
+ <p>Known vulnerabilities will be reported here.</p>
+ </div>
+</div>
+<?php
+$html = ob_get_contents();
+ob_end_clean();
+
+$App->generatePage('Nova', $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
+?>
\ No newline at end of file
diff --git a/policy.php b/policy.php
new file mode 100755
index 0000000..c1af62b
--- /dev/null
+++ b/policy.php
@@ -0,0 +1,13 @@
+<?php
+/*******************************************************************************
+ * Copyright (c) 2011 Eclipse Foundation and others.
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+* Contributors:
+* Wayne Beaton (Eclipse Foundation)- initial API and implementation
+*******************************************************************************/
+include 'policy_2011.php';
+?>
\ No newline at end of file
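Review bot: `include 'policy_2011.php';` resolves the relative name through `include_path` before the script's own directory, and a missing file only produces a warning and an empty page. The sibling file policy_2011.php already anchors paths with `dirname(__FILE__)`, so the consistent and stricter form is `require dirname(__FILE__) . '/policy_2011.php';`. The file's closing `?>` can also be dropped since it emits nothing after it.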
diff --git a/policy_2011.php b/policy_2011.php
new file mode 100755
index 0000000..d651ccc
--- /dev/null
+++ b/policy_2011.php
@@ -0,0 +1,200 @@
+<?php
+/*******************************************************************************
+ * Copyright (c) 2011 Eclipse Foundation and others.
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+* Contributors:
+* Wayne Beaton (Eclipse Foundation)- initial API and implementation
+*******************************************************************************/
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php");
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php");
+require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php");
+$App = new App();
+$Nav = new Nav();
+$Menu = new Menu();
+include($App->getProjectCommon());
+
+$pageTitle = "Eclipse Security Policy";
+$pageAuthor = "";
+$pageKeywords = "Eclipse, projects, security";
+
+require_once dirname(__FILE__) . '/../projects/classes/images.inc';
+
+ob_start();
+?>
+<div id="maincontent">
+ <div id="midcolumn">
+ <h1><?php echo $pageTitle; ?></h1>
+ <a name="Overview"></a>
+ <h2>Overview</h2>
+ <p>The purpose of the Eclipse Security Policy is to set forth the
+ general principles under which the Eclipse Foundation will manage the
+ reporting, management, discussion, and disclosure of Vulnerabilities
+ discovered in Eclipse software. This Security Policy applies to all
+ software distributed by the Eclipse Foundation, including all
+ software authored by Eclipse Committers and third-parties. This IP
+ Policy should at all times be interpreted in a manner that is
+ consistent with the Purposes of the Eclipse Foundation as set forth
+ in the Eclipse Foundation Bylaws.</p>
+ <p>
+ This document uses terms from the <a
+ href="http://www.eclipse.org/projects/dev_process/development_process.php"
+ class="external text"
+ title="http://www.eclipse.org/projects/dev_process/development_process.php"
+ rel="nofollow">Eclipse Development Process</a>.
+ </p>
+ <a name="Eclipse_Security_Team"></a>
+ <h2>Eclipse Security Team</h2>
+ <p>The Security Team is the first line of defense: it is effectively a
+ triage unit with security expertise. Ultimately, Vulnerabilities are
+ resolved by individual projects with assistance from the Security
+ Team.</p>
+ <p>The Security Team is composed of a small number of security
+ experts. At any point in time, there are no more than seven (7)
+ members, including a minimum of one representative each from the
+ Eclipse and RT Top-Level Projects, and a representative of the
+ EMO(ED). All members are appointed by EMO(ED).</p>
+ <p>Mail sent to the security mail address is sent exclusively to all
+ members of the Security Team. Anybody can send mail to this address.
+ </p>
+ <a name="Reporting"></a>
+ <h2>Reporting</h2>
+ <p>Vulnerabilities can be reported either via email or directly with a
+ project via Bugzilla.</p>
+ <p>The general security mailing list address is security@eclipse.org.
+ Members of the Eclipse Security Team will receive messages sent to
+ this address. This address should be used only for reporting
+ undisclosed Vulnerabilities; regular bug reports and questions
+ unrelated to Vulnerabilities in Eclipse software will be ignored.
+ Note that this email address is not encrypted.</p>
+ <p>The community is encouraged to report Vulnerabilities using the
+ standard Eclipse Bugzilla instance. Bug reports related to
+ Vulnerabilities must be marked as "committers-only", either by the
+ reporter, or by a committer during the triage process.</p>
+ <p>Note that bugs marked "committers-only" are visible to all Eclipse
+ committers. By default, a "committers-only" bug is also accessible to
+ the reporter and individuals explicitly indicated in the "cc" list.
+ These defaults can be overridden to further restrict access at the
+ discretion of the committer and project leadership.</p>
+ <dl>
+ <dd>
+ <i>Note that Bugzilla sends out emails as bugs are modified. Email
+ is inherently insecure.</i>
+ </dd>
+ </dl>
+ <a name="Discussion"></a>
+ <h2>Discussion</h2>
+ <p>Initial discussion of an open Vulnerability may occur privately
+ amongst members of the Security Team. Discussion should be moved to a
+ Bugzilla record in a timely manner.</p>
+ <a name="Resolution"></a>
+ <h2>Resolution</h2>
+ <p>A Vulnerability is considered resolved when either a patch or
+ workaround is available, or it is determined that a fix is not
+ possible or desirable.</p>
+ <p>The Eclipse IP Team will give priority to contribution
+ questionnaires (CQs) required to resolve Vulnerabilities.</p>
+ <p>It is left to the discretion of the Security Team and project
+ leadership to determine what subset of the project committers are
+ best suited to resolve Vulnerabilities. The Security Team and project
+ leaders may also—at their discretion—assemble external
+ resources (e.g. subject matter experts) or call on the expertise of
+ the Architecture Council.</p>
+ <a name="Distribution"></a>
+ <h2>Distribution</h2>
+ <p>Once a Vulnerability has been resolved, the updated software must
+ be made available to the community.</p>
+ <p>At a minimum, updated software is made available via normal project
+ distribution channels (e.g. downloads and update sites).</p>
+ <p>The planning council must be made aware of Vulnerabilities in
+ software that is part of the simultaneous release. The Planning
+ Council will determine whether or not a "respin" of the simultaneous
+ release repository and EPP packages is required. The Planning Council
+ will coordinate the timing of the "respin" with the Project
+ Leadership.</p>
+ <a name="Disclosure"></a>
+ <h2>Disclosure</h2>
+ <p>Disclosure is initially limited to the reporter and all Eclipse
+ Committers, but can be expanded to include other individuals.</p>
+ <p>All Vulnerabilities must be disclosed, regardless of the
+ resolution. Users and administrators of Eclipse software must made
+ aware that a vulnerability exists so they can assess risk, and take
+ the appropriate action to protect their users, servers and systems
+ from potential exploit.</p>
+ <a name="Timing"></a>
+ <h3>Timing</h3>
+ <p>The timing of disclosure is left to the discretion of the project
+ leadership, including the Project Lead(s), PMC, and EMO(ED). In the
+ absence of specific guidance from the project leadership, the
+ following guidelines are recommended:</p>
+ <ul>
+ <li>Vulnerabilities for which there is a patch, workaround or fix,
+ should be disclosed to the community immediately.</li>
+ <li>vulnerabilities--regardless of state--must be disclosed to the
+ community after a maximum three months.</li>
+ </ul>
+ <p>Vulnerabilities need not necessarily be resolved at the time of
+ disclosure.</p>
+ <a name="Quiet_Disclosure"></a>
+ <h3>Quiet Disclosure</h3>
+ <p>
+ A Vulnerability can be <i>quietly</i> disclosed by simply removing
+ the 'committers_only' flag. The bug's history will record that the
+ flag has been removed, and the bug will become visible for everyone
+ in searches.
+ </p>
+ <p>In general, quiet disclosure is appropriate only for bugs that are
+ identified by a committer as having been erroneously marked as
+ Vulnerabilities.</p>
+ <a name="Progressive_Disclosure"></a>
+ <h3>Progressive Disclosure</h3>
+ <p>Knowledge of a Vulnerability can be easily extended to individuals
+ by adding them to the "cc" list on the bug. A Vulnerability may--at
+ the discretion of the committer--be disclosed to specific
+ individuals. A committer may, for example, provide access to a
+ subject-matter expert to solicit help or advice. The Vulnerability
+ may also be disclosed to known adopters to allow them an opportunity
+ to mitigate their immediate risk and prepare for a forthcoming
+ resolution.</p>
+ <p>Contacts added to an unresolved Vulnerability must be individuals.
+ Groups (e.g. mailing lists)--with the exception of
+ security@eclipse.org--should never be copied on a Vulnerability bug.
+ </p>
+ <a name="Full_Disclosure"></a>
+ <h3>Full Disclosure</h3>
+ <p>All Vulnerabilities must ultimately be fully disclosed to the
+ community at large.</p>
+ <p>
+ All Vulnerabilities affecting projects that participate in the
+ Simultaneous Release must be reported to the Planning Council prior
+ to full disclosure to the community at large. Disclosure of a
+ Vulnerability must be coordinated with the distribution of the
+ updated software from the Project's own distribution channels, the
+ Simultaneous Release repository, and EPP packages (please see <a
+ href="#Distribution" title="">Distribution</a>.
+ </p>
+ <p>To complete the disclosure of a Vulnerability, the committers-only
+ flag must be removed from the bug and the 'security' keyword added.
+ Bugs in this state are automatically reported on the security page
+ and RSS feed.</p>
+ <a name="Escalation"></a>
+ <h3>Escalation</h3>
+ <p>
+ A security vulnerability may--at the discretion of the project
+ leadership--be escalated to a outside body such as <a
+ href="http://www.cert.org" class="external text"
+ title="http://www.cert.org" rel="nofollow">CERT</a>. The EMO can
+ provide assistance.
+ </p>
+ </div>
+</div>
+
+<?php
+ $html = ob_get_contents();
+ ob_end_clean();
+
+ $App->generatePage('Nova', $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
+?>
\ No newline at end of file
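Review bot: `require_once dirname(__FILE__) . '/../projects/classes/images.inc';` is carried over from the old index.php template (see the removed `button(...)` calls there), but `$images` is never referenced in this file, so the line should be deleted to avoid a dead cross-directory dependency. The Overview paragraph refers to "This IP Policy", which in a Security Policy looks like a copy-paste remnant and presumably should read "This Security Policy". Smaller text defects: "must made aware" is missing "be", the parenthesis in "(please see <a href="#Distribution" ...>Distribution</a>." is never closed, and "a outside body" should be "an outside body". The `?>` at the end of the file adds nothing and can be omitted.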