Architecture Council/Meetings/September 15 2011

Attendees

All AC Members are invited.

• PMC Reps please confirm attendance or list your delegate below. Every PMC is required to name a primary and backup delegate, and to ensure that one delegate attends the meeting.

RESCHEDULED CALL from Sep 8 to Sep 15 to avoid conflict with Eclipsecon PC meeting.

• Signed-up: John Arthorne, Boris Bokowski, Chuck Bridgham, Christian Campo, Kim Moir, Adrian Mos, Martin O, Brian Payton, Mary Ruddy, Doug Schaefer, David Williams,
• Regrets: Oliver Cole (standing conflict), Wenfeng Li (standing conflict), Andrew Overholt (vacation), Mike Wilson (conflict)
• No-Show: Chris Aniszczyk, Wayne Beaton, Nick Boldt, Cédric Brun, Dave Carver, Linda Chan, Doug Clarke, Neil Hauge, Kenn Hussey, Achim Loerke, Oisin Hurley, Mik Kersten, Markus Knauer, Bernd Kolb, Jeff McAffer, Ed Merks, Mike Milinkovich, Steffen Pingel, Pascal Rapicault, Michael Scharf, Tom Schindl, Darin Swanson, Gunnar Wagenknecht, Tom Watson, Oliver Wolf, Gary Xue

Agenda / Notes

• Feel free to edit, but not during the call!

Review of Last Meeting

• Architecture Council/Meetings/August 11 2011
• Still open items moved to #Action_Items

New Topics

Welcome to Adrian Mos (SOA PMC)

• Adrian is with Xerox Research now; was on the SOA PMC since its inception (at INRIA at the time); interested in SOA and BPM editors and runtimes, and the integration between them.
• SOA is an evolution of the older STP TLP, some companies dropped off or changed their focus during transition...
• was going through some rough times, but getting much revigorated now as new proposals are in from Stardust / BPM2; getting fresh codebase and committers
• Sopera was interested in Runtimes, in particular Swordfish, change of focus now, remains to be seen what happens to Swordfish.

Remove direct Eclipse signing requirement

• bug 354756 Remove direct Eclipse signing requirement
  • Idea is to not require an Eclipse.org certificate but allow any trusted / validated key in order to
  • One reason for signing was that at Install time, Eclipse UI warns about unsigned content or untrusted certificate (to ensure trustworthy source)
  • This reason doesn't come into play with runtime components, since they are not installed via Eclipse UI
  • For example if you download an RT project from eclipse.org and install it from a command line, the signature will only come into play if you have runtime security checking enabled
  • Mary: With everything going a lot more connected / online, signing is getting more important... should not preclude evolving into a more decentralized approach
    • (Higgins is all about how to establish trust in a decentralized, networked way)
  • Martin: "What kind of trust would be good enough" if we allow "any trusted key" instead of the Eclipse.org key
  • Martin: Single additional step in the ladder of trust, eg require a signer's key to be signed with the Eclipse.org key ?
    • Mary: need more infrastructure than mere delegation to ensure a bad actor doesn't get in
    • But allowing Eclipse to delegate seems like a good idea (Eclipse be the definer of a trust framework)
    • Practical example: not just allow somebody else to sign, but also establish rules wrt build framework etc... not too much bureaucracy but also avoid glitches... want to proceed slowly
  • Question: How much of
  • RESOLUTION Follow up on the bug

p2 repository links on project download pages confuse some users

• bug 355418 p2 repository links on project download pages confuse some users
  • John: Can the current 404 page be smarter? An XSLT is available to generate an index.html matching the repo content
  • Martin, John - using XSLT to validate repo content, but that's more of committer workflow
  • End users typically won't need that extra info
  • John: Current 404 page is an improvement over what we had in the past already
  • Martin: Adding project specific information is up to the project
  • Idea: Add a generic link on the 404 page "if you want this page improved and you are a committer, here's what you can do
  • RESOLUTION Follow up on the bug

exsd files in source or binary bundles

• bug 351461 exsd files in source or binary bundles
  • Currently, many projects put exsd into the source bundle only...
  • Recommend putting it into the binary bundle? - Probably depends on consumer community
  • John: Putting into the binary bundle doesn't harm, but often more is needed (ISV Docs, ... and often the source)
  • Platform project ships SDK as source + ISV Docs + exsd together ... so recommendation may depend on how a project packages stuff
    • PDE Editor's link to the exsd may be broken when exsd is not available
  • Doug: In CDT, feel like mixing source and SDK too easily... SDK doesn't necessarily mean you have to have source... term "SDK" is overloaded
  • Martin: Many things can be configured by extension point without writing source...
  • David: exsd in the binary seems like a good idea... AC could recommend this (unless project has a reason not to)
  • Doug: exsd in binary may not be good practice without docs
  • RESOLUTION Follow up on the bug

Shell Access, Security and Hudson

• Kim: Was quite surprised about the urgent revocation of shell access
  • Security is important, but we also need to get our jobs done
• Doug: Can't let the kernel.org problem happen to Eclipse
• Martin: Central build server is a convenience but not an excuse for single point of failure... should be able to build at home
  • Important to have all services that HAVE TO be centralized should be as simple as possible
• Martin: Revoking access was a way of minimizing risk quickly
• What can we learn from this?
  • Decentralize where possible, simplify where possible... more scared of Eclipse.org while kernel.org is still down
  • Minimize entrypoints / risks - be as secure as possible (learn from others; auditing; ...)
  • But paranoia can't be at cost of productivity. Must do "the best we can".
• Christian: Should we enforce stronger password rules for bugzilla?
  • AI Martin filed bug 357837 - Enforce stronger bugzilla passwords
• Doug: Worried about Hudson .. mailinglist had some good suggestions .. who owns Security Policy by the Way ?
• Kim: Talk to Apache Foundation .. Eclipse.org get someone to audit their Servers?
• David: Wasn't a Security Council put in place ?
  • John: Purpose of that council was tracing / addressing security vulnerabilities in Eclipse hosted code ... may apply to Hudson since it's an Eclipse project :)
• Mary: Think about what to know when the next crisis happens (coordination, ...)
• Martin: Trusts Denis, but should bring up the idea of security audits with the Board (would need budget from the Board anyways).

Action Items

• Cleaned up old action items, see Architecture Council/Meetings/February 10 2011 for old stuff
• (old) Martin to add Eclipsecon meeting notes onto the wiki
• (old) Tim write up an initial wiki page with information for people to standardize on the tracing API
• Martin revise the AC Wiki to make it easier to find the New Member Process. More links on homepage. More usage of categories.
• Martin bug 315210 Make the AC mailing list open / moderated

Next Meeting

• Architecture Council/Meetings/October 13 2011