


IT Infrastructure Doc

Revision as of 09:46, 21 March 2022 by (Talk | contribs) (macOS signing: update link to migrated archive)



How do I set up my project website?

Project websites are hosted in a git repository separate from the actual project code. You can browse project website repositories using cGit. Once the webmaster adds a space for your project, files you commit to the website repository are automatically published to, where xyz is your project's short name. You are free to use HTML and PHP on your website.
Hosting a project website is normally done when the project proposal has been approved. If you suspect your files are not being checked out to the website, simply commit a small change to one file. This is usually enough to trigger a website refresh.

How do I use the Solstice theme?

Please see this document for information on using Solstice.

Use a database for my website?

We currently do not offer projects with database support.

I need to put a large file on my website. How should I do this?

Large (1 MB+) ZIP and JAR files must be put in the downloads area, using the Find A Mirror script to link to them. However, small files (less than 1 MB) can be put on the website directly without causing too much harm.

Remember to allow our mirrors at least 24 hours to sync up before using a transparent mirror redirect.

Use PHP on my website?

PHP support is available on only. Simply commit files with the .php file extension to your website's repository. Although some projects host PHP files on, we do not encourage or recommend it. is a high-traffic website. Please make sure your PHP code is optimized to run in this type of environment. See the next item.

Optimize my PHP code for large-scale use?

is a high-traffic website. To improve PHP's functionality, we have set very liberal limits on how many resources PHP can consume. However, if your project is very popular, bad PHP code can slow the entire site down.

Of course, we could harden PHP to protect our website, but that would cut some functionality. Some tips for you:

  • Never call the web service to include/open files - include("") and fopen("http://localhost/somefile.xml") are very costly to run, because they call the web service, and under heavy load the site can end up denying service to itself.
  • Never include/open remote files - include("") is forbidden, as someone could launch a Denial-Of-Service attack against a remote site. We don't allow you to establish remote connections from servers other than the build server.
  • Sanitize your incoming parameters - include($parameter) is particularly dangerous if $parameter is not sanitized. Someone could freely surf the web anonymously, hiding behind servers, or they could use your page to access local files, or launch Denial-Of-Service attacks against remote servers.
  • Cache aggregated, processor-intensive data - SQL aggregations, file system scans and Bugzilla lists can (and should) be cached to avoid redundant processor- and disk-intensive operations. For instance, scanning through directories to display the size of a build could be useful, but doesn't need to happen for each website visitor. Cache the results of this operation to a file, and update the file if it is older than 12 hours.

There are many, many other security and PHP best-practices. These are just the basics.
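
The parameter and caching tips above, as an added example (not code from the original page or from the site itself): an allowlist lookup replaces include($parameter), and a directory-size scan is cached to a file that is recomputed once it is older than 12 hours. The page names, paths and function names are hypothetical.

```php
<?php
// Added example; page names, paths and function names are hypothetical.
// Unsafe pattern named in the tips: include($_GET['page']);

// Fixed allowlist: the request value only selects a key, never a path or URL.
const PAGES = [
    'overview'  => __DIR__ . '/pages/overview.php',
    'downloads' => __DIR__ . '/pages/downloads.php',
];

function resolve_page($requested): string
{
    // Arrays, missing values and unknown keys all fall back to the default page.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES['overview'];
    }
    return PAGES[$requested];
}

const CACHE_TTL_SECONDS = 12 * 3600; // refresh interval suggested in the text

// The expensive operation: walk a build directory and add up file sizes.
function directory_size(string $dir): int
{
    $total = 0;
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()) {
            $total += $file->getSize();
        }
    }
    return $total;
}

function cached_directory_size(string $dir, string $cacheFile): int
{
    clearstatcache(true, $cacheFile);
    if (is_file($cacheFile) && time() - filemtime($cacheFile) < CACHE_TTL_SECONDS) {
        $cached = file_get_contents($cacheFile);
        if ($cached !== false && preg_match('/^\d+$/D', $cached) === 1) {
            return (int) $cached; // fresh cache hit: no directory scan
        }
    }
    $size = directory_size($dir);
    // Write a temporary file and rename it, so readers never see a partial cache.
    $tmp = $cacheFile . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, (string) $size) !== false) {
        rename($tmp, $cacheFile);
    }
    return $size;
}

// Constructed demo, run from the command line only.
if (PHP_SAPI === 'cli') {
    var_dump(resolve_page('http://example.invalid/x.php') === PAGES['overview']);
    var_dump(resolve_page('downloads') === PAGES['downloads']);
    var_dump(cached_directory_size(__DIR__, sys_get_temp_dir() . '/build-size.cache'));
}
```

In a page, the lookup is used as `include resolve_page($_GET['page'] ?? null);`, so a request value can never name a file or URL directly.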




Create a new Component/Version/Milestone/Target?

For the forge, you can use the Bugzilla Manager tool. More info is documented here.

For other forges, Bugzilla changes can be requested via a Bugzilla bug against the corresponding Working Group.


Upload files to the download server?

Downloadable files must be placed in the downloads area (~/downloads, or /home/data/httpd/ so they can be mirrored to our mirror sites worldwide. Please ensure only pertinent, current files are in the downloads area, as we cannot store an eternity of nightly, integration and stable builds. Production releases can be kept forever; however, we ask that you move archived releases to (see below).

To upload your files:

  • Use Jenkins to upload your files; see How do I deploy artifacts to (Formerly, an SFTP or SCP client (in SFTP mode) was used to connect to using your committer account; however, this is no longer supported.)
  • Please ensure that the file permissions include world-readable (664; rw-rw-r--) and directory permissions allow for world-executable (775, rwxrwxr-x).
  • Although you can link directly to, you can also use the Find a Mirror script (info below). Using this script allows you to view download statistics and allows users to pick a nearby mirror site for their download.

Once your files are on the server, they are immediately available to the general public. However, for release builds, we ask that you wait at least four hours for our mirror sites to fetch the new files before linking to them. It typically takes a day or two for all the mirror sites to synchronize with us and get new files.

Please note that although we tolerate PHP, HTML and JPG/GIF files on, we encourage you to put such files on Those files are not mirrored to public mirror servers.

SYMLINKS are not supported. We cannot ensure that all our mirror servers support and honour symlinks. For that reason, please avoid the usage of symlinks.

Move files to

Because our mirror sites don't have as much disk space for Eclipse files as we do, we have created an site for you to store older release builds.

The structure is similar to that of To move your files, we recommend using a job on your project's Jenkins instance. Alternatively, you can navigate to From, authenticated committers can Archive files and folders (the archive process maintains the directory structure). From files and folders can be permanently deleted.

Some folders contain an index file - such as index.html, which will be shown instead of the directory contents. Append /listing to the URL and the contents will be shown.

Note: if you preserve the exact path and filename from to, you don't need to change your links (although it is recommended). This works for p2 repos, direct links to and if your links use the Find a Mirror script.

This link will work if /path/to/a/ is on, or if it gets moved to the same place on

P2 repositories: P2 repositories are not normally accessed via the mirror selection script. Therefore, extra treatment is required when the move should be made transparently without affecting users who may still have the original URL.

Equinox/p2/ has a discussion of how to achieve this (work in progress).

Use mirror sites/see which mirrors are mirroring my files?

Link to your download files like this:


Parameters for above script:

  • file (Required): specify the filename, relative to the downloads home, starting with a "/". This file must exist in the downloads area. Although you can specify a directory name, your mirror list will be more accurate if you specify a file.
  • format (Optional): specify html (default) or xml. Useful for building the mirrors.xml for Update sites.
  • protocol (Optional): ftp or http: list only ftp mirrors or only http mirrors (both are listed by default)
  • r (DEPRECATED): specify 1 to automatically redirect to the best mirror (the one that would normally be at the top) without asking the user to choose.
  • nf (DEPRECATED): specify 1 to get an actual 404 Not Found error if the file doesn't exist (instead of a lovely page saying so).

The script will examine the Last Modified timestamp of the given file and return only those mirrors that have synchronized with after that time.


   All mirrors of the Lepido project, in XML format:
   Get a file from a random mirror, without prompting

PLEASE NOTE: We have a list of excluded file patterns -- files that are *not* sent to our mirrors. Nightly and Integration builds are typically very large and don't get many downloads, therefore it's typically more costly (in terms of bandwidth) to mirror them than to support the few client downloads they generate. At time of writing, our exclusion list is:

  • .nfs*
  • apitools/
  • apidocs/
  • archive/
  • archives/
  • /athena
  • builds/N*
  • drops/I*
  • drops/N*
  • drops/M*
  • *.jpg
  • *.gif
  • callisto/*
  • compilelogs/
  • eclipse/testUpdates*
  • eclipse/updates/3.2milestones
  • /eclipse/updates/3.6-I-builds/
  • *eclipse/updates/*-X*
  • *eclipse/updates/*-Y*
  • dev/TPTP*
  • /tools/cdt/builds
  • modeling/gmf/downloads/drops/B*
  • *drops/*/N*
  • *drops/*/I*
  • *javadoc/
  • *javadocs/
  • linuxtools/N*
  • *nightly*
  • *Nightly*
  • *staging*
  • /webtools/downloads/drops/*/M*
  • performance/
  • /releases/staging
  • /releases/europa
  • testresults/
  • /rt/eclipselink/nightly*
  • /technology/babel/update-site*
  • /technology/cosmos
  • /technology/ohf
  • /technology/tigerstripe
  • testcompilelogs/
  • testResults/
  • /tools/downloads
  • /tools/orbit/committers
  • */N202*
  • */I202*
  • */I.I202*
  • */I-*
  • */N-*
  • *integration*/
  • xref/
  • */M20*
  • /rt/eclipselink/maven.repo*

Use the Find a Mirror script?

See the section above.

Enable mirrors / use mirrorsURL for my p2 repo?

Your artifacts.xml (jar) should have a p2.mirrorsURL property. Here is an example from

   <repository name='"Eclipse Project Test Site"' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1'>
     <properties size='4'>
       <property name='p2.compressed' value='true'/>
       <property name='p2.timestamp' value='1297373227427'/>
       <property name='publishPackFilesAsSiblings' value='true'/>
       <property name='p2.mirrorsURL' value=''/>

A more detailed description can be found at Equinox/p2/p2.mirrorsURL.

Ideally, everyone should use this property for all p2 repositories: even if a repository is not currently mirrored, the property does no harm, and you never know when your repository might become mirrored. In fact, failure to use this property can result in too many requests for jar files coming directly to '', which greatly slows down the network and uses too much bandwidth. If this happens for your project (or repository), measures may be taken to automatically redirect all such requests somewhere else, which often does not work well; for examples, see bug 368826.

Include a p2.index file at p2 repository site?

A little-documented aid to p2 is to include a special file named "p2.index" at your p2 repository URL site. Every well-behaved, well-optimized p2 repository should have one. This is especially important for composite repository sites, as it can save several unsuccessful round trips to the download server looking for files that do not exist. For "how to" instructions, see the p2 wiki. For history and deeper technical discussion, see bug 347448.

See download statistics?

The Find a Mirror script tracks download requests once the user has picked a mirror site (or the main Eclipse download site). You can also view download stats for files downloaded via p2 if you enable your p2 repository for download statistics. To view these statistics, use the Live Download Statistics tool (Portal > Project Committer > Tools for all Committers). Download statistics are not available for direct downloads.

For more information, please see the Project Download Stats page.

Sign my Jar/plugins/Windows exe/macOS App files?

The Eclipse Foundation allows committers to sign JAR and some executable files on its behalf. Signing is done from any of the Jenkins servers. There are three ways to sign:

CBI Maven signing plugin

Using the CBI Maven Plugins, the signing process can be performed directly at the end of a Maven Tycho build.

Maven Profiles
As signing an Eclipse project is only available from an Eclipse Jenkins server, a common practice is to place the CBI Maven signing plugins in a dedicated profile and enable that profile only in the Jenkins job. This way you can still run your Maven Tycho builds locally without signing. See Maven - Introduction to Build Profiles
The profile can then be activated in the Jenkins build via the -P argument.

JAR signing

Ensure that all created JAR files are correctly signed by using the eclipse-jarsigner-plugin


Windows signing

To sign the Windows executables use the eclipse-winsigner-plugin


macOS signing

To sign the macOS executables use the eclipse-macsigner-plugin

The security guidelines for macOS application development require the definition of Entitlements to grant an executable permission to use a service or technology. The entitlements used by the Eclipse Platform are defined here

macOS DMG file creation

macOS applications are typically published as .dmg files, which are containers that serve as installers with additional security information to prevent the application from being tampered with. To create a DMG file, the eclipse-dmg-packager can be used.


macOS Notarization

Since macOS Catalina, macOS software that is published outside the App Store needs to be notarized, so that Gatekeeper gets information about whether or not to trust the software.

As of now, notarization is not available as a Tycho plugin. Therefore, the macos-notarization-service web service needs to be used in the Jenkins job, similar to the following snippet:

   pushd "$BUILD_DIR"
   # Submit the DMG for notarization, with stapling requested
   RESPONSE=$(curl -s -X POST -F file=@${DMG} -F 'options={"primaryBundleId": "'${PRIMARY_BUNDLE_ID}'", "staple": true};type=application/json')
   UUID=$(echo "$RESPONSE" | grep -Po '"uuid"\s*:\s*"\K[^"]+')
   STATUS=$(echo "$RESPONSE" | grep -Po '"status"\s*:\s*"\K[^"]+')
   # Poll once a minute until the service reports a final status
   while [[ ${STATUS} == 'IN_PROGRESS' ]]; do
     sleep 1m
     RESPONSE=$(curl -s${UUID}/status)
     STATUS=$(echo "$RESPONSE" | grep -Po '"status"\s*:\s*"\K[^"]+')
   done
   if [[ ${STATUS} != 'COMPLETE' ]]; then
     echo "Notarization failed: ${RESPONSE}"
     exit 1
   fi
   # Replace the local DMG with the copy downloaded from the service
   rm "${DMG}"
   curl -JO${UUID}/download
   popd

A more detailed script is the Oomph script.

CBI Maven Plugins Version
For the correct signing needed for notarization (including, for example, hardened runtime), at least CBI Plugins version 1.1.8-SNAPSHOT needs to be used. Be sure to configure the correct pluginRepository to be able to consume that version.
Once 1.1.8 is released, the SNAPSHOTS repository is not needed anymore.

Eclipse Platform Version
The macOS notarization will only succeed if the dmg file signing matches certain criteria (e.g. hardened runtime). The first Eclipse Platform version whose Eclipse Launcher and native libraries match those criteria is 2019-09. For any previous version, the notarization will fail.

For further information on the CBI Maven Plugins have a look at:

Note that these plugins use the web services in the background.

Web service

Using a web POST method, individual JAR files can be signed from any of the internal Jenkins servers with this service:

The output of that service will be the signed file. Please note that the web service does not pack or process jar files. You must condition/pack them yourself prior to signing if you wish to do so.

Resigning Jarsigner
The web service always re-signs already signed jars. The Maven jar signer plugin lets you specify a strategy to avoid submitting already signed jars to the web service. If you use the web service directly, you need to deal with this yourself. You can see how the re-signing strategies are defined by looking at the code of the JarResigner

   # JAR FILES: Submit unsigned-jar.jar and save signed output to signedfile.jar
   curl -o signedfile.jar -F file=@unsigned-jar.jar
   # WINDOWS EXE: Submit Windows unsigned.exe and save signed output to signed.exe
   curl -o signed.exe -F file=@unsigned.exe
   # WINDOWS MSI: Submit Windows unsigned.msi and save signed output to signed.msi
   curl -o signed.msi -F file=@unsigned.msi
   # MAC: Submit unsigned and save signed output to
   # Note: You must zip your entire *.app directory for example: zip -r
   curl -o -F
   # If you need to set entitlements on your app / binary (see for details), 
   # add an `entitlements` part to the request like below
   curl -o -F -F entitlements=@file.entitlements

Using the webservice is equally easy from Ant. Note that ${filename} cannot be a path. Input and output file name can be the same.

   <exec dir="${dirname}" executable="curl">
     <arg value="--output"/>
     <arg value="${filename}"/>
     <arg value="--form"/>
     <arg value="file=@${filename}"/>
     <arg value="--silent"/>
     <arg value="--show-error"/>
     <arg value="--fail"/>
     <arg value=""/>
   </exec>

Version of Jarsigner
The web service only signs with the Java 8 version of jarsigner.

Using the web service to sign Mac and Windows applications is also easy from Tycho, see

What about GPG signing?

JAR signing of the bundles and GPG signing of the Maven artifacts are two different steps. Once a jar has been "jar-signed", you may or may not GPG sign the corresponding Maven artifact (.jar + .pom file) so that it can be deployed on Central. As you hinted, JAR signing has to be done before the GPG signing, since doing it the other way around would break the GPG signature.

So you first have to sign your JAR file with the Eclipse Fdn certificate, either using the Maven plugin from CBI, the command line utility, or the signing web service – see above. Once you have your signed JAR, you can GPG sign it and stage it on Central like this:

   mvn gpg:sign-and-deploy-file   \
       -DpomFile=target/myapp-1.0.pom  \
       -Dfile=target/myapp-1.0.jar  \
       -Durl=  \

Publish to Maven Central

To deploy to Maven Central from your JIPP, you'll need webmaster's assistance to

  • Create a project specific account at Sonatype OSSRH
  • Generate a GPG keypair for your JIPP user
  • Configure your JIPP to GPG sign and upload artifacts

It takes a bit of time, but afterwards you will only be required to use dedicated Maven settings on your JIPP.

To get started, please file a bug against asking for your JIPP to be configured to let you publish to Maven central (don't forget the name of your Eclipse project).

If you want to publish jars from already released p2 repositories, consider using the strategy adopted by the Eclipse Platform. More info: Platform-releng/Publish To Maven Central


Access/request Jenkins services

Please see the Jenkins document.

Code Quality Analysis

Mailing Lists

Setup a new mailing list?

Because mailing lists are subject to spam and can adversely affect performance (imagine sending 200 e-mails to a list that contains 3000 members), proper care is taken in configuring each list. New mailing lists are set up by the WebMaster for this reason. Also, the webmaster creates an HTML view (called mailing list archives) of mailing list postings for archive and search purposes.

View list members?

Because mailing lists contain private information, such as a member's e-mail address, name and surname, we cannot publicly display this information. However, the PMC or Project Lead can become the list administrator, which would allow you to view the membership information for your lists. The PMC/Project lead can inquire about list administration to the WebMaster, stating which lists they would like to manage.

Eclipse Wiki

Create a new page in the Eclipse Wiki

To create a new page, simply type the page name at the end of "/" in the URL. The name can contain spaces. For instance, will allow you to create and edit this new page.

Eclipse Servers

Eclipse Foundation IT SLA

This page is moderated by the EMO
