[Bug 549358] Move project resources to eclipseprojects.io

Bugzilla Link 549358
Status NEW
Importance P3 normal
Reported Jul 17, 2019 16:04 EDT
Modified Dec 22, 2021 09:07 EDT
Depends on 549360, 549359

Description

Projects can host two types of application-like resources on the eclipse.org domain, in which the project committers are the content owners:

  • websites, at eclipse.org/projectname
  • virtual servers, at projectname.eclipse.org

This practice of using the eclipse.org domain is outdated by virtue of being insecure. It facilitates cross-site scripting, cross-site forgery requests and, above all, it enables these applications to access domain-wide cookies, such as those used for certain types of authentication.

While we trust our committers, we feel this outdated practice creates unnecessary exposure and is a security auditing nightmare for the Foundation.

In bug 543323 we acquired the domain "eclipseprojects.io" and we'll tackle migration over an extended period of time.

** Our primary objective is to improve security. Secondary objective is to create as little burden on committers as possible. Third objective is to minimize breakage.

Here is the proposed timeline:

Now: Phase I: existing project vservers, and new ones, get a mapping on eclipseprojects.io, in the form of (servicename).(projectname).eclipseprojects.io

Q2 2020: Phase II: Sandbox all eclipse.org project pages onto (projectname).eclipseprojects.io

Projects can opt out of a website if they wish, and can use the PMI as their default web presence: (https://projects.eclipse.org/projects/technology.babel)

Q2+ '20: Phase III: Work with projects to fix broken elements in the above sandbox

Q1 2021: Phase IV: Migration. Redirect (301 Moved) eclipse.org/projectname/* to projectname.eclipseprojects.io/*. This should avoid broken links.

All new projects would get an eclipse.org/projectname redirect to their eclipseprojects.io presence.
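
The cookie exposure described above can be checked with the RFC 6265 domain-match and path-match rules. The following is an added example, not part of the original bug report; the cookie names and the accounts.eclipse.org host that sets them are assumptions made for illustration.

```python
# Added illustration: RFC 6265 cookie matching applied to the hostnames in this bug.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    origin_host: str               # host that set the cookie
    domain: Optional[str] = None   # Domain attribute; None means host-only
    path: str = "/"

def domain_match(host: str, cookie: Cookie) -> bool:
    """RFC 6265 section 5.1.3; a host-only cookie needs an exact host match."""
    host = host.lower()
    if cookie.domain is None:
        return host == cookie.origin_host.lower()
    domain = cookie.domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(url: str, jar: list) -> list:
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    return sorted(c.name for c in jar
                  if domain_match(host, c) and path_match(path, c.path))

# Constructed jar: cookie names and the accounts host are hypothetical.
JAR = [
    Cookie("sso_session", "accounts.eclipse.org", domain="eclipse.org"),
    Cookie("accounts_csrf", "accounts.eclipse.org"),  # host-only
]

if __name__ == "__main__":
    for url in ("https://www.eclipse.org/projectname/index.html",
                "https://projectname.eclipse.org/",
                "https://projectname.eclipseprojects.io/"):
        print(url, "->", cookies_sent(url, JAR))
```

The domain-wide cookie reaches both project-controlled locations on eclipse.org, while a request to projectname.eclipseprojects.io carries neither cookie.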