Closed tsande16 closed 2 months ago
Response from Eclipse: "In the beginning we kept the .eclipsefdn repos private as we had similar concerns. However, after some reflection, we decided to make them public as all information in there is publicly available anyway, and making them public makes that visible for all community members (not only committers); it also has some technical reasons (some features were not available in private repos at the time). The exceptions are Webhooks and Secrets, where the secret value is not part of the configuration / repo but is resolved from a credential store. There are some cases where a Webhook is not protected by a secret and it could be used for malicious purposes, e.g. Slack webhooks; in this case we mask the URL such that it is not fully visible in the configuration."
Some more added context from Eclipse: "as a side note: we also switched to public in order to fully use CODEOWNER for pull requests, which was not possible beforehand as we were on the free plan of GitHub for all organizations. That has changed since though."
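The reply above states two rules for keeping an org-configuration repository safe to publish: secret values appear only as references into a credential store, and a webhook that carries no shared secret must have its URL masked, because for such a hook the URL itself is the capability. The following lint is an added example, not part of this issue and not Eclipse's own tooling; it assumes a hypothetical JSON layout (the real .eclipsefdn schema is not shown here), a hypothetical `pass:`/`vault:`/`bitwarden:` reference syntax for the credential store, and a run of `*` or `x` characters or `<masked>` as the masking convention. The sample configuration is constructed.

```python
import json
import re

# Constructed sample of a public org-configuration file (hypothetical layout,
# not the real .eclipsefdn schema). Rules enforced by the lint:
#   1. a webhook with no secret must have its URL masked;
#   2. every secret must be a credential-store reference, never a literal.
SAMPLE_CONFIG = json.dumps({
    "repositories": [
        {
            "name": "example-repo",
            "webhooks": [
                # unprotected hook, URL masked: acceptable in a public repo
                {"url": "https://hooks.slack.com/services/T000/B000/********", "secret": None},
                # unprotected hook, URL fully visible: should be flagged
                {"url": "https://hooks.slack.com/services/T000/B000/abcdefghijkl", "secret": None},
                # protected hook, secret resolved from the store: acceptable
                {"url": "https://ci.example.org/github-webhook/", "secret": "pass:github/webhook-secret"},
                # protected hook, but the secret is a literal: should be flagged
                {"url": "https://ci2.example.org/hook", "secret": "hunter2"},
            ],
            "secrets": {
                "DEPLOY_TOKEN": "pass:github/deploy-token",   # reference: acceptable
                "API_KEY": "sk-live-0123456789",              # literal: should be flagged
            },
        }
    ]
})

# Assumed masking convention: four or more '*', six or more 'x', or "<masked>".
MASK_RE = re.compile(r"\*{4,}|x{6,}|<masked>", re.IGNORECASE)
# Assumed credential-store reference syntax: "<store>:<path>".
CREDENTIAL_REF_RE = re.compile(r"^(pass|vault|bitwarden):[\w/.-]+$")


def is_masked(url):
    """True if the URL contains a masked segment under the assumed convention."""
    return bool(MASK_RE.search(url))


def is_credential_reference(value):
    """True if the value is a store reference rather than a literal secret."""
    return isinstance(value, str) and bool(CREDENTIAL_REF_RE.match(value))


def lint_config(config_text):
    """Return a list of (repository, finding-kind, detail) for rule violations."""
    cfg = json.loads(config_text)
    findings = []
    for repo in cfg.get("repositories", []):
        name = repo.get("name", "?")
        for hook in repo.get("webhooks", []):
            url = hook.get("url", "")
            secret = hook.get("secret")
            if secret is None:
                # No shared secret: possession of the URL is enough to post to
                # the hook, so the URL must not be readable from the public repo.
                if not is_masked(url):
                    findings.append((name, "unmasked-unprotected-webhook", url))
            elif not is_credential_reference(secret):
                findings.append((name, "literal-webhook-secret", url))
        for key, value in repo.get("secrets", {}).items():
            if not is_credential_reference(value):
                findings.append((name, "literal-secret", key))
    return findings


if __name__ == "__main__":
    for repo, kind, detail in lint_config(SAMPLE_CONFIG):
        print(f"{repo}: {kind}: {detail}")
```

Run as a pre-commit or CI step on the configuration repository, a non-empty result blocks the change; the three findings from the constructed sample are the unmasked Slack URL, the literal webhook secret on the second CI hook, and the literal `API_KEY`.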
What?
Reach out to Eclipse to see if there are any security risks with having the .eclipsefdn repository be public.
Why?
There doesn't seem to be much value in having the repository be public, but there could be some security risk. It would be good to understand the reasoning why this repository is public.
Acceptance Criteria
An outcome of either:
Reason for repository being public.
Repository switched to private.