[eclipse-ide-wg] Mitigating Risk...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[eclipse-ide-wg] Mitigating Risk...

From: Ed Merks <ed.merks@xxxxxxxxx>
Date: Tue, 18 Jan 2022 12:25:44 +0100
Delivered-to: eclipse-ide-wg@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/eclipse-ide-wg/>
List-help: <mailto:eclipse-ide-wg-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/eclipse-ide-wg>, <mailto:eclipse-ide-wg-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/eclipse-ide-wg>, <mailto:eclipse-ide-wg-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

Hi,

I wanted to share the following content and insights that Scott Lewisposted on the cross-projects mailing list recently that are directlyrelevant to the activities and focus of the working group.

Scott is the key driver behind the Eclipse Communications Framework(ECF) project which is used even by the Platform project:


https://projects.eclipse.org/projects/rt.ecf/who

Below is what he shared. Thanks Scott for sharing and for keeping ECFcurrent and relevant!


Regards,
Ed

Hi Simrel folks,
As the lead of long-time participant project (ECF), I've personallyexperienced (as well as watched in horror) the problem of diminishingmaintenance resources that now seems endemic to simrel projects and tothe simrel itself.
I heard that yesterday there was a meeting at the White House aboutfears of the 'next log4j' [1].
Today I read this story [2] about Google and IBM suggesting a'critical projects list' as a step toward (reportedly) a better model(read $) for ongoing maintenance of 'critical projects'.
My first thought: Where is Eclipse, EF, simrel and supportingprojects wrt this/these efforts? Of course everyone thinks of theirown project as 'essential' , but more broadly I would be much morecomfortable if the choices wrt 'criticality' and what is/is not'infrastructure' were made based upon a clear representation ofconsumer needs. It seems from the zdnet reporting (which may not beaccurate of course) that mostly corporate and commercial concerns wrtopen source maintenance are currently being identified.
I just wanted to raise this among the projects participating in thesimrel. I'm not sure how any of this is going to be approached, butam hoping that the simrel project leads and teams can find a way toparticipate in these efforts, as I think there is a huge amount ofknowledge and experience here about open source maintenance viatransparency, successful, scalable, community collaboration.
Scott
[1]https://www.zdnet.com/article/after-log4j-white-house-worries-about-the-next-big-open-source-flaw/
[2]https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/


And this follow up thought:

Another thought
https://www.zdnet.com/article/for-security-alone-we-could-try-paying-open-source-projects-properly/

Prev by Date: [eclipse-ide-wg] Status of the PGP Signing Support
Next by Date: [eclipse-ide-wg] Eclipse IDE Working Group Minutes - 11th January 2022
Previous by thread: [eclipse-ide-wg] Status of the PGP Signing Support
Next by thread: [eclipse-ide-wg] Eclipse IDE Working Group Minutes - 11th January 2022
Index(es):
- Date
- Thread

Breadcrumbs