Heya team,

We should add an investigation into this change to our backlog.

If you want to get involved with the project and you know anything
about website hosting, now is a great opportunity to participate.

Thanks,
Nick

---------- Forwarded message ---------
From: Daniel Gruno <humbed...@apache.org>
Date: Sat, Jan 11, 2025 at 11:18 PM
Subject: [NOTICE] New Content Security Policy for all ASF project websites
To: <annou...@infra.apache.org>


Hello, wonderful ASF projects (via annou...@infra.apache.org),

In keeping with the times, evermore focused on respecting the privacy
and security of our users, we will be enforcing a Content Security
Policy (CSP) for all project websites as of March 1st, 2025.

On February 1st, we will begin a brownout, during which we will turn on
the new CSP briefly, then turn it off again, giving people a chance to
detect and report any elements on websites that have stopped working as
a result.

On March 1st, the new CSP will become permanent.

In its condensed form, what this means for your project website is:

- External trackers from 3rd party providers are NO LONGER allowed[1].
- External resources from providers with which we do not have a
   Data Processing Agreement (DPA) are NO LONGER allowed[2].

This change will bring project websites into alignment with the security
and privacy parameters[3] as defined by the VP, Data Privacy and
requested by the ASF Security Committee.

We ask that projects do not circumvent them without express permission
from our VP, Data Privacy.

We understand that this may cause disruption to some sites and are as
always willing to help projects adjust their sites to meet the new
mandates. We also wish to note that the most commonly asked questions
can be answered by the three footnotes at the bottom of this email.

If you have questions surrounding the technical implementation of the
CSP, send them to us at us...@infra.apache.org. For the implementation
itself, and the new limitations imposed on websites, please refer to the
following pull request for details:
https://github.com/apache/infrastructure-p6/pull/2025/files

If you have any questions about existing privacy agreements or privacy
policies, get in touch with priv...@apache.org. Any additions to our
existing website privacy policy should also be suggested here.

We also welcome you to read up on our current privacy policies at:
https://privacy.apache.org/


With regards,
Daniel on behalf of ASF Infra.


[1] The ASF offers Matomo analytics for all project websites through
     https://analytics.apache.org/
[2] If you have a DPA request or inquiry, contact priv...@apache.org
     They can also tell you if a provider already signed a DPA
[3] https://privacy.apache.org/policies/website-policy.html
