The Apache Software Foundation Blog

Friday October 13, 2017

The Apache News Round-up: week ending 13 October 2017

We hope you've had a great week. The Apache community has been busy with the following:

Foundation Statement –Apache Is Open. https://s.apache.org/PIRA

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 October. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield great performance at 99.77% uptime http://status.apache.org/

ASF Operations Factoid –this week, 544 Apache Committers changed 1,026,830 lines of code over 3,469 commits. Top 5 contributors, in order, are: Maxim Solodovnik, Gary Gregory, Claus Ibsen, Iñigo Goiri, and Jonathan Hung.

Apache Commons™ VFS –provides a single API for accessing various different file systems.
 - Apache Commons VFS 2.2 released http://commons.apache.org/vfs/

Apache Jackrabbit™ –a fully conforming implementation of the Content Repository for Java Technology API (JCR).
 - Apache Jackrabbit 2.12.8 and Jackrabbit Oak 1.7.9 released http://jackrabbit.apache.org/

Apache Johnzon™ –a Java library for parsing and creating JSON.
 - Apache Johnzon-1.1.4 released https://johnzon.apache.org/

Apache Lucene™ –a high-performance, full-featured text search engine library written entirely in Java.
 - Apache Lucene 7.0.1 and Apache Solr 7.0.1 released https://lucene.apache.org/
 - CVE-2017-12629: Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3C018601d343b3%2453868c50%24fa93a4f0%24%40apache.org%3E

Apache NiFi™ –an easy to use, powerful, and reliable system to process and distribute data.
 - CVE-2017-12623 http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3C13B90414-1C62-4858-BD74-051F67F1F6D4%40apache.org%3E

Apache Phoenix™ –enables OLTP and SQL-based operational analytics for Apache Hadoop.
 - Apache Phoenix 4.12 released http://phoenix.apache.org/

Apache Qpid™ –client supporting the Advanced Message Queuing Protocol 1.0, based around the Apache Qpid Proton protocol engine and implementing the AMQP JMS Mapping as it evolves at OASIS.
 - Apache Qpid JMS 0.26.0 released http://qpid.apache.org/

Apache Syncope™ –an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.
 - Apache Syncope 2.0.6 released http://syncope.apache.org/

Apache Zookeeper™ –an Open Source server that enables highly reliable distributed coordination.
 - CVE-2017-5637: DoS attack on wchp/wchc four letter words (4lw) http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCANLc_9KJTmetFt6MrsFQm%2Badr-1w2VeGYyMJMVVZ281-3UmJKw%40mail.gmail.com%3E


Did You Know?

 - Did you know that the ASF Incubator has mentored 183 podlings in the Apache Way since its inception in 2002? http://incubator.apache.org/

 - Did you know that Apache Spark won the 2017 JAX Innovation award for "Most innovative contribution to the Java ecosystem"? https://jaxenter.com/winners-jax-innovation-awards-2017-137993.html

 - Did you know that the City of San Diego is using Apache Airflow (incubating) for data automation? http://airflow.apache.org/


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg 10) All My Roads Led to Apache https://s.apache.org/l9OO

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Thursday October 12, 2017

Apache Is Open.

"The Apache Software Foundation is a cornerstone of the modern open source software ecosystem – supporting some of the most widely used and important software solutions powering today's Internet economy."
— Mark Driver, Research Vice President, Gartner

Lauded among the most successful influencers in Open Source, The Apache Software Foundation's commitment to collaborative development has long served as a model for producing consistently high quality software that advances the future of open development. Apache projects power half the Internet, manage exabytes of data, execute teraflops of operations, and store billions of objects in virtually every industry. Apache software projects are an integral part of nearly every end-user computing device, from laptops to tablets to phones.


Open Source.
One of the greatest disruptors to enterprise software, Open Source solutions provide many benefits, including:
  • Lowered costs
  • Higher quality software
  • Freedom from vendor lock-in and proprietary solutions

Open Development.
Organizations of all sizes that embrace open development methodologies benefit from improved speed of development and gain business advantage through:
  • Reduced investment in re-architecting applications
  • Active community support
  • Access to common federation on the leading edge of technology

Enter Apache.

In 1995, eight individuals produced the first public release of a new server software named "Apache", and called themselves the "Apache Group". 22 years after its inception, the Apache HTTP Web Server remains the most popular Web server on the planet.


Incorporation of the ASF.
In 1999, the Apache Group formed The Apache Software Foundation (ASF) with the mission of providing software for the public good. 

  • Membership-based, US 501(c)(3) not-for-profit corporation
  • Ensures Apache projects continue to exist beyond the participation of individual volunteers
  • Establishes role as an Open Source incubator to foster new technologies


Since its inception, the ASF has been recognized as a leading source of Open Source software that meets the demand for mission-critical, enterprise-grade, interoperable, adaptable, and sustainable solutions.

Open Leadership.

"The Apache Software Foundation has set the standard for modern application and infrastructure software as well as the open source collaborative processes through which it is developed."
— Matt Aslett, Research Director, 451 Research


Today the ASF develops, stewards, and incubates more than 350 Open Source projects and initiatives through its leadership, robust community, and meritocratic process known as the "Apache Way".
  • "Flat" organization: Apache projects and their communities drive development
  • Project development and leadership driven entirely by individual volunteers
  • Provides organizational, legal, and financial support

Open To All.
All Apache software —project downloads, documentation, updates, patches, and more— can be downloaded and used entirely free of any license fees or charge of any kind.
  • Can be used by anyone for any purpose
  • Free of restrictions on installation or deployment
  • Distributed under the flexible, business-friendly Apache License 2.0

Open Participation.
Code for all Apache projects is written by more than 6,000 volunteer individuals and employees of corporations across six continents and contributed to the ASF at no cost. The ASF is governed by the community it most directly serves —the people collaborating within its projects. The ASF's meritocratic processes serve as best practices widely embraced by organizations and individuals alike.
  • Contributions include code, patches, and documentation
  • Select contributors earn "Committer" status, enabling them to commit/write directly to the code repository, vote on community-related decisions, and propose active users for Committership
  • Committers who demonstrate merit in the Foundation's growth, evolution, and progress may be nominated for ASF Membership by existing members

Open Community.
ASF Community Development helps newcomers learn about Apache projects, governance, and activities, and provides guidance on becoming part of the meritocratic, all-volunteer Apache community.
  • "Community Over Code" is the cornerstone of the Foundation's core tenets
  • The ASF has served as a Google Summer of Code mentoring organization each year since the program's creation in 2005
  • More than 6,300 Apache Committers help grow and maintain the health of the Apache community

Open Project Oversight.
The ASF does not lead the technical direction of Apache projects, but rather provides operational support for projects to self-govern. All Apache projects are overseen by a self-selected team of active contributors.
  • Apache Project Management Committees (PMCs) guide day-to-day operations, including community development and product releases
  • The ASF Board appoints a Vice President to serve as Chair of the PMC
  • Vice President/PMC Chair role is administrative, and carries no additional weight or influence on a project (one vote on project matters just like other PMC members)

Open Innovation.
All code donations, established projects, and communities intending to become fully-fledged Apache projects do so through the Apache Incubator. To graduate as an Apache Top-Level Project, candidate podlings must meet the Apache Maturity Model's rigorous requirements for code integrity, copyright, licenses, releases, consensus building, and independence, among others.
  • 187 Project Management Committees oversee 312 Apache projects
  • 54 new podlings undergoing development in the Apache Incubator
  • Recognized leadership across numerous categories, such as Big Data, libraries, servers and more

Open Communication.
All official communications at the ASF are conducted via mailing lists. Asynchronous communications are required to accommodate geographically-distributed groups across time zones, as is the case for nearly all Apache communities.
  • "If it didn't happen on-list, it didn't happen."
  • Built upon the transparency-oriented culture of the Apache Group, whose collaboration took place on email lists
  • Since the ASF's founding, 340,000+ authors wrote 17.5M+ emails on 7.5M topics, which are archived on 1,247 Apache publicly-accessible mailing lists

Open Opportunity.

"... unlike other open source organizations, the strength of the ASF is its independence from corporate interests … this independence has created a safe haven for a burgeoning open source developer population."
— Matt Asay, InfoWorld

Apache projects must be governed independently of commercial influence. As a vendor-neutral, not-for-profit organization, the ASF and all Apache projects do not take sides, nor endorse or support any particular vendor over other vendors.
  • The ASF does not discourage the development of "competing" products
  • Third parties are free to pursue almost any for-profit or not-for-profit business model based on Apache projects
  • The commercially-friendly and permissive Apache License v2 has become an industry standard within the Open Source world

Continuing Growth.
The ASF has scaled more than 35,000% over 18 years with very limited resources. The ASF is responsible for millions of lines of code by countless contributors across the Open Source landscape: each day millions of people across the globe access the ASF's two dozen servers and 75 distinct hosts.
  • The ASF has grown from an inaugural membership of 21 individuals to 680 individual Members and 6,300 Committers
  • The ASF oversees 150M+ lines of code (valued at US$7B+), developed over 65,000 person-years, with an average of 18,000 Apache code commits each month
  • Nearly 300 new code contributors and 300-400 new people file issues each month

Apache Committers have the responsibility to the collective community to help create a product that will outlive the interest of any particular volunteer, and that the code committed should be clear enough that others not involved in its current development will be able to maintain and extend it.

How You Can Help.

The ASF is funded through tax-deductible contributions from corporations, foundations, and private individuals. You can help the greater Apache community by contributions in the form of:

  • Code and documentation for Apache Projects
  • Funds —become a Sponsor or Individual donor
  • Corporate matching gift program —increase your donation with your employer’s support

Approximately 75% of the ASF's US$1.5MM annual budget is dedicated to running critical infrastructure support services, including bandwidth, connectivity, servers, and hardware: the ASF Infrastructure team keeps Apache services running 24x7x365 at near 100% uptime on an annual budget of less than US$5,000 per project. Donations to the ASF also help offset day-to-day operating expenses such as legal and accounting services, brand management and public relations, general office expenditures, and support staff.

Join the hundreds of donors who have helped support the ASF this year. Every dollar counts! http://apache.org/foundation/contributing.html



# # #

Friday October 06, 2017

The Apache News Round-up: week ending 6 October 2017

Greetings, October. Here's what the Apache community has been working on over the past week:

Foundation Statement –Response From The Apache® Software Foundation To Questions From US House Committee On Energy And Commerce Regarding Equifax Data Breach https://s.apache.org/rjmv

Success at Apache –the monthly blog series that focuses on the processes behind why the ASF "just works".
 - All My Roads Led to Apache by Pat Ferrel https://s.apache.org/l9OO

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 October. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield savvy performance at 99.78% uptime http://status.apache.org/

ASF Operations Factoid –this week, 549 Apache Committers changed 1,204,410 lines of code over 3,893 commits. Top 5 contributors, in order, are: Oliver Lietz, James Taylor, Mark Thomas, Maxim Solodovnik, and Stephen Mallette.

Apache Calcite™ –a dynamic Big Data management framework.
 - Apache Calcite 1.14.0 released http://calcite.apache.org/

Apache Flume™ –a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data.
 - Apache Flume 1.8.0 released http://flume.apache.org/

Apache Geode™ –low latency, high concurrency data management solutions.
 - CVE-2017-9794 Apache Geode gfsh query vulnerability http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAEwge-FqzrT%2BdeCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3E
 - CVE-2017-9797 Apache Geode client/server authentication vulnerability http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAEwge-Hrbb7JS8Nygrh7geyFvW4bMZ3AdCmPOzMfvbniipz0bA%40mail.gmail.com%3E

Apache Groovy™ –a multi-facet programming language for the JVM.
 - Apache Groovy 2.5.0-beta-2 released https://groovy.apache.org/

Apache HTTP Server™ –the world's most popular Web server.
 - Apache HTTP Server 2.4.28 released http://httpd.apache.org/

Apache Impala (incubating) –a high-performance C++ and Java SQL query engine for data stored in Apache Hadoop-based clusters.
 - CVE-2017-9792 Apache Impala (incubating) Information Disclosure http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAFWiQHYvHUG42bC0EVkxciyR_-uswTW2UZCFQ6o0Q2%2BPGWSi6Q%40mail.gmail.com%3E

Apache Jackrabbit™ –a fully conforming implementation of the Content Repository for Java Technology API (JCR).
 - Apache Jackrabbit 2.8.6 and Jackrabbit Oak 1.7.8 released http://jackrabbit.apache.org/

Apache Juneau (incubating) –a toolkit for marshalling POJOs to a wide variety of content types using a common framework, and for creating sophisticated self-documenting REST interfaces and microservices using very little code.
 - Apache Juneau 6.4.0 (incubating) released http://juneau.incubator.apache.org/

Apache Lucene™ Solr™ –the search server built on Apache Lucene.
 - Apache Solr Reference Guide for 7.0 released https://lucene.apache.org/solr/guide/7_0

Apache NiFi™ –an easy to use, powerful, and reliable system to process and distribute data.
 - Apache NiFi 1.4.0 released https://nifi.apache.org/

Apache OpenNLP™ –a machine learning based toolkit for the processing of natural language text.
 - CVE-2017-12620: Apache OpenNLP XXE vulnerability http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCA%2BV%3DWqjnwc7DCAXMGCBPrgfKJHB0bSP03mrSZ0RJxCin5m6L9Q%40mail.gmail.com%3E

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.
 - Apache Tomcat 7.0.82, 8.0.47, 8.5.23, and 9.0.1 released http://tomcat.apache.org/
 - CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3Cf7229e11-5e8d-aa00-ff22-f0a795669010%40apache.org%3E

Apache Wicket™ –an Open Source Java component oriented Web application framework that powers thousands of web applications and Web sites for governments, stores, universities, cities, banks, email providers, and more.
 - Apache Wicket 6.8.0 released http://wicket.apache.org

Did You Know?

 - Did you know that the ASF Incubator has mentored new Apache projects and their communities for the past 15 years? http://incubator.apache.org/

 - Did you know that the following Apache projects have anniversaries this month: Xalan and XML Graphics (13 years); MINA and Velocity (11 years); PDFBox (8 years); Thrift (7 years); JMeter (6 years); Cordova, Isis, and OpenOffice (5 years); Chukwa and jclouds (4 years); and Calcite (2 years)? https://projects.apache.org/committees.html?date

 - Did you know that various Apache projects that are seeking assistance are listed at http://helpwanted.apache.org/ ? Help your favorite Apache community!


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg 10) All My Roads Led to Apache https://s.apache.org/l9OO

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Tuesday October 03, 2017

Response From The Apache® Software Foundation To Questions From US House Committee On Energy And Commerce Regarding Equifax Data Breach

On 19 September 2017 The Apache® Software Foundation ("ASF") http://apache.org/ was contacted by the US House Committee on Energy and Commerce to answer questions in preparation for their hearing on 3 October regarding the Equifax data breach.

The official response from the ASF follows.

= = =

RESPONSES TO QUESTIONS FROM

US HOUSE COMMITTEE ON ENERGY AND COMMERCE

BACKGROUND:

We think that it is important to provide background about The Apache Software Foundation ("ASF") and its projects as the ASF is very different from conventional for-profit software companies.

The ASF:

 - interacts with the users of its software and provides patches in a different manner than such conventional for-profit software companies;
 - is a not-for-profit foundation qualified under Section 501(c)(3) of the IRS regulations;
 - develops, shepherds, and incubates hundreds of Open Source software projects that are run solely by volunteers, with some Foundation-level operations and services (such as infrastructure, administration, and marketing) provided by paid staff;
 - provides all of its Open Source software free of charge to the public at-large;
 - is financially supported by donations from corporations and individuals;
 - is vendor neutral: participation is limited to individuals, irrespective of affiliation or employment status.

Code for Apache projects is written by more than 6,000 volunteer individuals and employees of corporations across six continents and contributed to the ASF at no cost. The ASF maintains records of contributors solely through its list of "contributor license agreements". All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. The ASF has confirmed that it has not received a CCLA from Equifax, nor has it received code contributions by Equifax employees (although the ASF cannot determine whether an individual contributor is affiliated with Equifax).

Each Apache software project is managed by a Project Management Committee ("PMC"), a self-selected team of active contributors to the project. A PMC guides the project's day-to-day operations, including community development and product releases. The PMC oversees the software development for the projects, including any patches to those projects, which are available to anyone for download from the apache.org website and numerous global mirror sites. Releases of code for Apache are managed by the PMC, who distinguish between project software releases and patches published to our issue trackers. New releases that include patches are created, voted on by the PMC, and made available for download. The ASF then alerts the community to the patches. Unlike conventional for-profit software companies, the ASF does not provide the patches directly to the users of its software projects.

The ASF does not provide conventional for-profit maintenance contracts or support the way a conventional for-profit software company would because Apache is a charitable organization composed of volunteers. The ASF provides its projects the facility to maintain numerous mailing lists to share with their developer and user communities project-related news and updates, technical discussions, troubleshooting, recommendations, and assistance in an open forum. Some conventional for-profit software companies package software produced by Apache in order to provide more comprehensive support or provide consulting support services.

RESPONSES TO QUESTIONS FROM US HOUSE COMMITTEE ON ENERGY AND COMMERCE:

1) When did the ASF learn of the vulnerability that became CVE-2017-5638?

On 14 February 2017, the Apache Struts PMC first received report of the vulnerability which became CVE-2017-5638. The ASF does not have direct information about whether the CVE-2017-5638 vulnerability caused the Equifax hack.

2) How did the ASF learn of it?

The Apache Struts PMC received a report via its security mailing list from Nike Zheng about the vulnerability. 

3) When did the ASF make a patch available for CVE-2017-5638?

ASF provided a patch for the CVE-2017-5638 bug on 7 March 2017, the same day on which it was reported on its blog. On 7 March 2017, the Apache Struts PMC officially posted an announcement about the vulnerability, along with two Struts releases that fixed it:

http://struts.apache.org/announce.html#a20170307
http://struts.apache.org/announce.html#a20170307-2

4) Did the Foundation provide guidance on how the patch/update should be installed (my understanding is that it was a bit more complicated than a traditional patch)?

The patch was released as part of a full release of the Apache Struts project, which means users had to upgrade to the latest version, which is the simplest way of implementing the patch. The Apache Struts PMC also provided other options, including information about using a different implementation of the Multipart parser or filtering out suspicious requests, and other options to implement the patch http://struts.apache.org/docs/s2-045.html . In addition, on 20 March 2017 the Apache Struts PMC released two custom plug-ins to resolve the vulnerability without upgrading to the latest version
http://struts.apache.org/announce.html#a20170320

5) The ASF's software is all open-source, as we understand it:

Yes: all ASF software projects are provided under the Apache Software License, version 2, an Open Source Software (OSS) license.

For large organizations like Equifax that rely on Apache’s OSS, do they:

i.      Provide financial assistance, such as donations, to help pay for maintenance of the codebase?

While financial assistance is not required for using ASF software projects, some corporations choose to provide financial assistance through donations. However, the number of companies that provide donations is a very small percentage of the total corporate users of ASF projects.

Donations to ASF go to a general fund and are not targeted for the development, maintenance, or influence of particular projects.

ii.     Provide "volunteers" who help craft/review/patch code?

Some corporations ask that employees contribute to certain projects, but, as noted above, the number of companies that have their employees contribute to ASF projects is a very small percentage of the users of ASF projects.

iii.    Provide other assistance to help maintain the availability and/or quality of the OSS?

Some corporations provide products, sales, and support services for Apache projects. These organizations have no direct relationship with the ASF. As noted above, the number of companies that have their employees contribute to ASF projects is a very small percentage of the corporate users of ASF projects.

# # #

Monday October 02, 2017

Success at Apache: All My Roads Led to Apache

by Pat Ferrel

I became involved with Apache in 2011, after several years in startups where, as CTO, I felt too removed from building things. Looking for a change, I was keenly aware that the most interesting thing about the startups was our early use of Machine Learning techniques, and I wanted to see if building ML solutions for companies new to the field might not be more satisfying. I started by spending nearly a year researching the type of applications we had needed in the startups: Natural Language Processing (NLP), text analysis, clustering, and classification. In those days Apache Mahout http://mahout.apache.org/ had several good solutions that were designed for Big Data and approachable by an individual. These ideas seem fairly commonplace now but were in their early days only 6 years ago.

Given a great platform to experiment with, I built a web site to advertise expertise in ML but also to showcase many examples from my experiments, including a topic-oriented content site based on clustered and classified text that used NLP to add entities to text. I blogged about things I had learned and techniques that produce results.

Then I got the first contact about a project and it was from a completely unexpected direction: recommenders. Fortunately Apache Mahout then had the state-of-the-art OSS suite of recommenders so I took the consulting job. The company had rolled their own recommender and was selling it as a service but it was old and they wanted to investigate replacing it. 

Welcome to Big Data

The nature of recommenders means you deal with huge amounts of data because you have to track several million people’s actions over years. We had data from a large online retailer and were tasked with using this data to beat the in-house recommender. Specifically they wanted to see if they could improve performance (better results and faster compute times) and get something easier to maintain. 

The first job of a good consultant is to define the problem and outline a path to resolution that fits with the company’s competencies. To me this meant looking at the current system and the expertise of the people working on it. We had Data Scientists and Java Software Developers who knew what it was like to deal with Big Data. They had a highly performant method for gathering data and were quite good at running Apache Hadoop-based analytics. This was seldom the case back then but happily allowed me to look at less turnkey applications and assume the use of important Apache tools.

We agreed on a plan and the basic building blocks, including a method for comparing results. I did the research and proposed several candidates for the tests, including the Apache Mahout recommenders. It was pretty easy to rank the recommender engines we had and do some exploration of parameter tuning and choices to get our best "challenger" results. The nice thing is that we beat the old threadbare in-house recommender by a significant amount (12%). The winner was the Apache Mahout Cooccurrence Recommender using the Log-Likelihood Ratio as the core cooccurrence metric, even though we had tested against several Matrix Factorization recommenders, including Mahout's.

We need something new 

Up till this time I was only a user of Apache projects (discounting a few minor code contributions), but what I found in all the recommenders we studied was a fundamental problem that is still mostly unsolved today. We had data from a retailer that included user "buys" but also 100 times more user "views". None of the recommenders could deal with this multimodal data. I consulted the authors and maintainers of the Mahout recommenders and of several others we had targeted. We got some suggestions, added them to our own ideas, and set out to test them. For various reasons that are beyond the scope of this post, none of the easy solutions helped, and they actually produced worse results, so I fulfilled the contract and left with a feeling of unfinished business.

One of the mentors of Apache Mahout, Ted Dunning, had suggested a new idea during this time. There was something about it that seemed very intriguing. He had proposed a way to use one type of user behavior to predict another. This was an aha moment for me because it codified intuition. I remember the first time he wrote, in an email on the Mahout user mailing list, the equation that crystallized it all. I began to imagine the implications: all sorts of new data that could be useful, not just "views" but contextual data like location, and enrichment data like tag or category preferences. These all seem obviously to have a bearing on recommendations, but now we had a beautifully simple equation to test the intuition.

Becoming a Committer

I set out to hack the Mahout Cooccurrence Recommender to become a Correlated Cross-Occurrence (CCO) recommender. But without some way of testing the algorithm and code we couldn't be sure it was worth including in Mahout. The datasets publicly available at the time did not have the kind of data we needed (there had been no direct use for it until then), so I scraped the film review site rottentomatoes.com to collect "fresh" and "rotten" reviews of movies. This gave us two different behaviors with very different meanings. Naively you might think to weight one positive and the other negative, and so did I, but that produced worse results than ignoring the "dislikes". However, when I ran cross-validation tests comparing the Mahout Cooccurrence Recommender using likes only to CCO using both user actions, we got some quite interesting results. The question was: do "dislikes" predict "likes"? When I got a 20% lift in predictive precision we could conclude that they do. Not only was intuition right, but the new algorithm could tease out the data to make use of it.
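The two paragraphs above describe the idea (one behavior predicting another) and the test (likes only versus likes plus dislikes) without showing the arithmetic. The block below is an added example and is not code from Apache Mahout, the Universal Recommender, or the author of this post: it builds a cross-occurrence model over a constructed toy dataset of "buys" (the action to predict) and "views" (the secondary action), scores each (buy A, view B) pair with Dunning's log-likelihood ratio in the unnormalised-entropy form Mahout's LogLikelihood class uses, keeps the strongest indicators per item, and then scores a user's history against the model the way a serving engine would. The item names, the BUYS/VIEWS dicts, and the `max_indicators`/`k` parameters are assumptions for the example; passing the same dict as both arguments reduces it to plain cooccurrence.

```python
"""Correlated Cross-Occurrence (CCO) scored with the log-likelihood ratio (LLR).

Added example, not code from Apache Mahout or the Universal Recommender.
BUYS and VIEWS below are a constructed toy dataset; in the retailer case
described in the post, views outnumbered buys about 100 to 1.
"""
import math
from collections import defaultdict

# Constructed sample: the primary action we want to predict (buys) and a
# secondary action we hope is predictive of it (views), keyed by user.
BUYS = {
    "u1": {"tent", "stove"},
    "u2": {"tent", "stove"},
    "u3": {"tent"},
    "u4": {"boots"},
    "u5": {"boots", "stove"},
    "u6": {"boots"},
}
VIEWS = {
    "u1": {"tent", "stove", "lantern"},
    "u2": {"lantern", "tent"},
    "u3": {"lantern", "boots"},
    "u4": {"boots", "socks"},
    "u5": {"socks", "stove"},
    "u6": {"socks", "boots"},
}


def _x_log_x(x):
    return 0.0 if x == 0 else x * math.log(x)


def _entropy(*counts):
    # Unnormalised Shannon entropy, the form Mahout's LogLikelihood class uses.
    return _x_log_x(sum(counts)) - sum(_x_log_x(c) for c in counts)


def llr(k11, k12, k21, k22):
    """Dunning's G^2 statistic for the 2x2 table
    [[both, A only], [B only, neither]]; 0.0 means A and B are independent."""
    row = _entropy(k11 + k12, k21 + k22)
    col = _entropy(k11 + k21, k12 + k22)
    whole = _entropy(k11, k12, k21, k22)
    return 2.0 * (row + col - whole)


def _users_by_item(actions):
    index = defaultdict(set)
    for user, items in actions.items():
        for item in items:
            index[item].add(user)
    return index


def cross_occurrence(primary, secondary, max_indicators=10):
    """Build the CCO model: for each primary item A, the secondary items B
    whose occurrence best predicts A, with their LLR strengths.
    Passing the same dict for both arguments gives plain cooccurrence."""
    users = set(primary) | set(secondary)
    n = len(users)
    did_a = _users_by_item(primary)
    did_b = _users_by_item(secondary)
    model = {}
    for a in sorted(did_a):
        ua = did_a[a]
        scored = []
        for b in sorted(did_b):
            ub = did_b[b]
            k11 = len(ua & ub)
            if k11 == 0:
                # Only pairs that actually cooccur are scored: a sparse A'B
                # product never yields the others, and skipping them keeps
                # LLR (which is symmetric) from rewarding anti-correlation.
                continue
            k12 = len(ua - ub)
            k21 = len(ub - ua)
            k22 = n - k11 - k12 - k21
            score = llr(k11, k12, k21, k22)
            if score > 0.0:
                scored.append((b, score))
        scored.sort(key=lambda t: (-t[1], t[0]))
        model[a] = scored[:max_indicators]
    return model


def recommend(model, user_history, exclude=frozenset(), k=3):
    """Score each primary item by summing the strengths of its indicators
    that appear in the user's secondary-action history (what the KNN/search
    engine does at serving time), then return the top k."""
    ranked = []
    for a, indicators in model.items():
        if a in exclude:
            continue
        s = sum(strength for b, strength in indicators if b in user_history)
        if s > 0.0:
            ranked.append((a, s))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked[:k]


if __name__ == "__main__":
    cco = cross_occurrence(BUYS, VIEWS)
    for item, inds in cco.items():
        print(item, [(b, round(s, 2)) for b, s in inds])
    print("viewed lantern ->", recommend(cco, {"lantern"}))
```

On this toy data every tent buyer viewed the lantern and nobody else did, so "lantern" comes out as the strongest indicator for "tent" (LLR about 8.32) while "stove" views, which are distributed exactly as chance would predict, score zero and drop out. That is the property the post relies on: the secondary action contributes only where it carries information about the primary one.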

The hack was accepted into Mahout Examples and I was invited to become a committer. Then the world changed.

Apache Spark and Mahout-Samsara

When I became a committer Mahout was written on Apache Hadoop MapReduce in Java (as was my hack). But it had also become obvious to most Mahout committers that the future was with much more performant engines like Apache Spark. Committers Dmitriy Lyubimov and Sebastian Schelter had been working on a Spark version of Mahout. In an instant of project time virtually all committers saw this as the future of Mahout, if also a major pivot. 

In retrospect I'm not sure I've ever seen an Apache project change so much in so little time. Today Mahout is deprecating lots of old Hadoop MapReduce code as it falls from use, and the new Mahout is truly new. The Mahout subtitle, Samsara, references the cycle of life, death, and rebirth in the Hindu tradition. Mahout started as algorithms written specifically for MapReduce; now Mahout-Samsara is a linear algebra DSL in Scala used to roll your own algorithms, but with most interesting algorithms available in very simple DSL-based implementations. Mahout eventually took this transformation even further to include other compute engines like Apache Flink and is now running on GPUs. But I get ahead of things...

Those were exciting times and though I helped with the DSL I remained fixed on implementing CCO, which was first included in Mahout 0.10.0 in October 2014.

PredictionIO

Now we had the CCO algorithm implemented on modern compute engines, but several other problems remained in order to actually deploy a recommender. This is because CCO creates a model that needs to be deployed on a special type of server that computes similarity in real time. In Machine Learning terms this is a K-Nearest Neighbors engine, known in concrete terms as Lucene, or its scalable server derivatives like Solr and Elasticsearch. A turnkey recommender also requires a highly performant, massively scalable DB, like HBase. Putting these together we could get a nearly turnkey recommendation server that made use of multimodal real-time user behavior. But I didn't see a candidate for all of these in Apache and so looked elsewhere. This required an integration project, not Mahout, which integrates with other services but provides none of its own.

I found a project that included everything I needed and was Apache licensed, but it was run by a small startup called PredictionIO. They had a Machine Learning Server that was a framework for Templates that could implement a wide range of Algorithms. The Server also included nice high-level integrations with Elasticsearch (Lucene server), Spark, and HBase. In May of 2015 I had the first running CCO Server built on Mahout and a whole list of other Apache projects.

Back to Apache

PredictionIO was in the right place to get swept up in a major move to embrace ML/AI by Salesforce Inc., who bought them as part of the Einstein initiative. Since PIO was Apache-licensed OSS it was still available, and so was the Template I was calling the Universal Recommender. But there was a question now about the future of PIO: what would Salesforce do with it? The old team, that I had worked closely with, wanted to see the project move forward in OSS, and Salesforce seemed to agree, but large corporations often have a mixed record in promoting their own OSS projects. In this case Salesforce decided to remove the question by submitting PredictionIO to the Apache Incubator.

The old team was joined by people like me from outside Salesforce to create a project that follows the Apache Way and is free of corporate dominance. I am a committer to PredictionIO, which has three releases under Apache Incubator vigilance, and the Universal Recommender is now at v0.6.0, the most popular of the PredictionIO Template Algorithms.

With the 3rd release of PIO from Apache we are now in the process of graduation to an Apache Top-Level Project, hatched by the Apache Incubator. I fully expect that we'll be celebrating soon.

Postscript

My journey began with a specific problem to solve. Each step to produce the solution has led back to Apache in one way or another, through mentors, collaboration, use of, and commitment to several projects. But I now have my mature, scalable, performant, state-of-the-art, nearly turnkey Universal Recommender. Now we can ingest and get improvements from many types of behavior, enrichment data, and context--using it in real time to serve recommendations subject to robust business rules. My small consulting company ActionML actionml.com now has a powerful tool to solve real problems, and we make a living (at least partly) by helping people deploy and tune it for their data.

This is a story of someone single-mindedly following a goal over several years. There are many ways to do this in the Software Development world, but not all OSS projects are open to bringing people in. The Apache Software Foundation most certainly is, and openly recruits as diverse a group of committers and members as possible. If you want to make a difference and influence the course of an OSS project, Apache is a good place to look. Start by getting involved with a project of interest, make contributions, and get involved in discussions. If the match is good you'll be invited in as a committer and move on from there. I think of Apache as a do-ocracy: if you do something of value it goes a long way towards being invited in.

References

Slides describing the CCO Algorithm: https://www.slideshare.net/pferrel/unified-recommender-39986309

IBM DevWorks Post on "Making one thing Predict Another": https://developer.ibm.com/dwblog/2017/mahout-spark-correlated-cross-occurences/

Apache Mahout CCO Implementation: http://mahout.apache.org/users/algorithms/intro-cooccurrence-spark.html

Apache PredictionIO: http://predictionio.incubator.apache.org/

The Universal Recommender Template: http://predictionio.incubator.apache.org/gallery/template-gallery/

Professional Support for the Universal Recommender: http://actionml.com/universal-recommender

# # #

"Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg

Friday September 29, 2017

The Apache News Round-up: week ending 29 September 2017

So long, September. The Apache community is closing out the week with the following activities:

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 October. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield fresh performance at 99.14% uptime http://status.apache.org/

ASF Operations Factoid –this week, 555 Committers changed 1,291,551 lines of code over 3,617 commits. Top 5 contributors, in order, are: Claus Ibsen; Jian He; Mark Thomas; Joel Bernstein; and Michael Jumper.

Apache CarbonData™ –BigData file format for faster interactive query using advanced columnar storage, index, compression, and encoding techniques to improve computing efficiency.
 - Apache CarbonData 1.2.0 released http://carbondata.apache.org/

Apache Commons™ Jelly –a tool for turning XML into executable code.
 - Apache Commons Jelly 1.0.1 released http://commons.apache.org/proper/commons-jelly/
 - CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3C38CA08B7-2456-4D56-AF60-BE1168ECE522%40apache.org%3E

Apache Jackrabbit™ –a fully conforming implementation of the Content Repository for Java Technology API (JCR).
 - Apache Jackrabbit 2.8.6 and Jackrabbit Oak 1.7.8 released http://jackrabbit.apache.org/

Apache JMeter™ –a 100% pure Java application designed to test server applications.
 - Apache JMeter 3.3 released http://jmeter.apache.org/

Apache Parquet™ –a general-purpose columnar file format supporting nested data.
 - Apache Parquet C++ 1.3.0 released http://parquet.apache.org/

Apache PredictionIO –an Open Source Machine Learning Server built on top of state-of-the-art open source stack, that enables developers to manage and deploy production-ready predictive services for various kinds of machine learning tasks.
 - Apache PredictionIO 0.12.0-incubating released http://predictionio.incubator.apache.org/

Apache Qpid™ JMS –client supporting the Advanced Message Queuing Protocol 1.0, based around the Apache Qpid Proton protocol engine and implementing the AMQP JMS Mapping as it evolves at OASIS.
 - Apache Qpid JMS 0.25.0 released http://qpid.apache.org/

Apache RocketMQ™ –Open Source distributed messaging and streaming Big Data platform.
 - The Apache Software Foundation Announces Apache® RocketMQ™ as a Top-Level Project https://s.apache.org/MLfe

Did You Know?

 - Did you know that Apache Arrow, Kudu, MXNet, Lucene Solr, Spark, Tinkerpop, and Zeppelin have won InfoWorld Bossie Awards this year? https://www.infoworld.com/article/3227918/application-development/bossies-2017-the-best-of-open-source-software-awards.html

 - Did you know that Apache Airflow (incubating) is a Big Data workflow engine that maximizes value extraction from data? http://airflow.apache.org/

 - Did you know that work is underway to release Apache NetBeans 9? Here's how you can help https://cwiki.apache.org/confluence/display/NETBEANS/List+of+Modules+to+Review


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Monday September 25, 2017

The Apache Software Foundation Announces Apache® RocketMQ™ as a Top-Level Project

Open Source distributed messaging and streaming Big Data platform in use at Alibaba Group, Didi Chuxing, S.F. Express, WeBank, Peking University, and Chinese Academy of Sciences, among others.

Forest Hill, MD –25 September 2017– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® RocketMQ™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.

Apache RocketMQ is an Open Source distributed messaging and streaming Big Data platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability.

"I am very excited to see Apache RocketMQ as a Top-Level Project and I would like to thank our mentors for all their help, the Apache Incubator Project Management Committee for its advice and guidance, everyone in the RocketMQ community, and Alibaba for publishing the research upon which RocketMQ is based," said Xiaorui Wang, Vice President of Apache RocketMQ. "During the incubation process, the RocketMQ community worked very hard to develop high-quality distributed software for messaging and streaming, in an open and inclusive manner in accordance with the Apache Way."

RocketMQ originated at Alibaba in 2012, and, after handling 1.2 trillion concurrent online message transmissions in the Alibaba Nov. 11th Global Shopping Festival, was donated to the Apache Incubator in November 2016. Apache RocketMQ v4.0.0 was released in February 2017.

As a distributed messaging engine, RocketMQ features include:
  • Low latency; more than 99.6% response latency within 1 millisecond under high pressure;
  • Finance-oriented, high availability with tracking and auditing features;
  • Industry-sustainable, trillion-level message capacity guaranteed;
  • Vendor-neutral, support multiple messaging protocols like JMS and OpenMessaging;
  • Big Data friendly, batch transferring with versatile integration for flooding throughput; and
  • Massive accumulation, given sufficient disk space, accumulate messages without performance loss.

"RocketMQ was conceived from the outset as an open-source distributed messaging and streaming platform with low latency, high performance and reliability, trillion-level capacity and flexible scalability," said Von Gosling, original co-creator of RocketMQ and Chief Architect of Aliware MQ at Alibaba Group. "It has been great to witness the growth of the RocketMQ community and codebase as an ASF incubating project, and I look forward to this continuing as a Top-Level Project. Today, more than 100 companies are using Apache RocketMQ, with more feedback coming from the community. According to our data, more than 80% of the project's contributions are from outside the donator Alibaba Group."

In addition to Alibaba Group, Apache RocketMQ is in use at hundreds of companies and research/educational institutions that include Didi Chuxing, S.F. Express, WeBank, Peking University, and Chinese Academy of Sciences, among others.

"Graduation from the Incubator marks an important milestone for the RocketMQ project," said Bruce Snyder, Apache RocketMQ Incubator Mentor and Director of Software Development at SAP Hybris. "This is recognition of the focus and hard work of the project members to learn The Apache Way and drive community around RocketMQ. I am honored to have helped guide the project to a successful graduation."

"At Didi, we have used Apache RocketMQ as storage engine to build MessageQueue service. Based on high availability and high performance of RocketMQ we provide high-quality service," said Neil Qi, Architect at Didi Chuxing. "I believe RocketMQ will become the best MessageQueue project in future."

"New participants are more than welcome to join the project. To serve the community better, we created and maintain two repositories, one as our kernel version and the other for community contributions. The community contributed some integrated projects with some other Apache TLPs like Apache Storm, Apache Ignite, Apache Spark and Apache Flume," said Xinyu "yukon" Zhou, member of the Apache RocketMQ Project Management Committee. "We enthusiastically look forward to working together with all contributors to Apache RocketMQ in order to advance the state-of-the-art distributed messaging engine."

Availability and Oversight
Apache RocketMQ software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache RocketMQ, visit http://rocketmq.apache.org/ and https://twitter.com/ApacheRocketMQ

About the Apache Incubator
The Apache Incubator is the entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects wishing to join the ASF enter through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 650 individual Members and 6,200 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb, Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "RocketMQ", "Apache RocketMQ", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Friday September 22, 2017

The Apache News Round-up: week ending 22 September 2017

Hello, Friday! The Apache community has been busy this week working on:

Support Apache –if your employer has a matching gifts program, you can increase your contribution and help sustain the ASF's mission of providing software for the public good. Every dollar counts. http://apache.org/foundation/contributing.html

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 October. Board calendar and minutes http://apache.org/foundation/board/calendar.html
 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

ASF Infrastructure –our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield clever performance at 99.63% uptime http://status.apache.org/

ASF Operations Factoid –this week, 562 Committers changed 1,427,529 lines of code over 3,425 commits. Top 5 contributors, in order, are: Jian He; Carlo Curino; Dominik Stadler; Semen Boikov; and Claus Ibsen.

Apache Arrow™ –a columnar in-memory analytics layer designed to accelerate Big Data.
 - Apache Arrow 0.7.0 released http://arrow.apache.org/

Apache BookKeeper™ DistributedLog –core library for interacting with Apache BookKeeper in log streams and a proxy service for serving a large number of logs, fan-in writes and fan-out reads.
 - Apache DistributedLog 0.5.0 released http://bookkeeper.apache.org/

Apache Commons™ BCEL –Byte Code Engineering Library (BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
 - Apache Commons BCEL 6.1 released http://commons.apache.org/ 

Apache Geode™ –Big Data management platform.
 - Apache Geode 1.2.1 released http://geode.apache.org/

Apache Geronimo™ Config –adds support for basic configuration nomenclatures based on the MicroProfile Config specification.
 - Apache Geronimo Config 1.0 released http://geronimo.apache.org/

Apache Gora™ –Open Source framework provides an in-memory data model and persistence for Big Data.
 - Apache Gora 0.8 released http://gora.apache.org/

Apache HBase™ –an Open Source, distributed, versioned, non-relational database.
 - Apache HBase 2.0.0-alpha-3 released http://hbase.apache.org/

Apache Ignite™ –in-memory computing platform that is durable, strongly consistent and highly available with powerful SQL, key-value and processing APIs.
 - Apache Ignite 2.2.0 released https://ignite.apache.org/

Apache Log4j™ –a well-known framework for logging application behavior.
 - Apache Log4j 2.9.1 released https://logging.apache.org/

Apache Lucene™ Solr –the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project.
 - Apache Lucene and Solr 7.0.0 released http://lucene.apache.org/
 - CVE-2017-9803: Security vulnerability in Kerberos delegation token functionality http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3CCAOOKt53AOScg04zUh0%2BR_fcXD0C9s5mQ-OzdgYdnHz49u1KmXw%40mail.gmail.com%3E

Apache OpenMeetings™ –provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.
 - Apache OpenMeetings 3.3.2 released http://openmeetings.apache.org

Apache OpenNLP™ –a machine learning based toolkit for the processing of natural language text.
 - Apache OpenNLP 1.8.2 released http://opennlp.apache.org/

Apache POI™ –well-known in the Java field as a library for reading and writing Microsoft Office file formats, such as Excel, PowerPoint, Word, Visio, Publisher and Outlook.
 - Apache POI 3.17 released https://poi.apache.org/

Apache Qpid™ Proton –a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org).
 - Apache Qpid Proton-J 0.22.0 released http://qpid.apache.org/

Apache Storm™ –a distributed, fault-tolerant, and high-performance realtime computation system that provides strong guarantees on the processing of data.
 - Apache Storm 1.0.5 released http://storm.apache.org

Apache Tephra (incubating)™ –a transaction engine for distributed data stores like Apache HBase.
 - Apache Tephra-0.13.0-incubating released http://tephra.apache.org/

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.
 - CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3C81e3acd3-f335-ff0d-ae89-bf44bb66fca0%40apache.org%3E
 - CVE-2017-12616 Apache Tomcat Information Disclosure http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3C0b45dcb1-28e2-6e12-6320-5bc6d021063c%40apache.org%3E
 - Apache Tomcat Possible additional RCE via JSP upload http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3Caa9ea974-9acf-e0af-c3d7-46830b45d9fe%40apache.org%3E
 - End of life for Apache Tomcat Native 1.1.x http://mail-archives.apache.org/mod_mbox/www-announce/201709.mbox/%3Cdd2da94b-668b-4a8f-fbc3-845fe12e5907%40apache.org%3E
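The Tomcat advisories above describe remote code execution via JSP upload; the precondition the Tomcat advisories state for it is that HTTP PUT has been enabled by setting the Default servlet's readonly initialisation parameter to false, a change a deployment makes deliberately and then forgets. The checker below is an added example, not code from the Apache Tomcat project: it parses a web.xml (a constructed sample with one weak and one safe servlet is embedded) and reports every DefaultServlet or WebdavServlet definition whose readonly parameter is explicitly false, together with the URL patterns it is mapped to. The `WRITABLE_SERVLETS` set, the sample document and the function names are assumptions for the example.

```python
"""Flag Tomcat servlet definitions that enable HTTP PUT (readonly=false).

Added example, not code from the Apache Tomcat project. SAMPLE_WEB_XML is a
constructed fragment; run find_writable_servlets() on real web.xml text.
"""
import xml.etree.ElementTree as ET

# Servlet classes that honour the readonly init-param; assumed list for the example.
WRITABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: a Default servlet with PUT enabled (the weak setting)
# beside a WebDAV servlet left read-only.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    # Drop the namespace so both the javaee and the older java.sun.com schemas parse alike.
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def find_writable_servlets(web_xml_text):
    """Return [(servlet-name, servlet-class, [url-patterns])] for every
    file-serving servlet whose readonly init-param is explicitly "false".
    readonly defaults to true when absent, so an absent parameter is safe."""
    root = ET.fromstring(web_xml_text)

    mappings = {}
    for elem in root:
        if _local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = _text(child)
            elif _local(child.tag) == "url-pattern":
                patterns.append(_text(child))
        mappings.setdefault(name, []).extend(patterns)

    findings = []
    for elem in root:
        if _local(elem.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in elem:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname is not None:
                    params[pname] = pvalue
        readonly = (params.get("readonly") or "true").lower()
        if cls in WRITABLE_SERVLETS and readonly == "false":
            findings.append((name, cls, mappings.get(name, [])))
    return findings


if __name__ == "__main__":
    for name, cls, patterns in find_writable_servlets(SAMPLE_WEB_XML):
        print(f"PUT enabled: servlet '{name}' ({cls}) mapped to {patterns or ['<unmapped>']}")
```

Run it against $CATALINA_BASE/conf/web.xml and against each application's WEB-INF/web.xml, since an application can override the global definition. An empty result means PUT is disabled at the servlet level, which removes the upload path but is not a substitute for upgrading to the versions named in the advisories: the setting can be re-enabled by the next deployment.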

Apache Wicket™ –an Open Source Java component oriented Web application framework.
 - Apache Wicket 7.9.0 released http://wicket.apache.org

Apache Zeppelin™ –a collaborative data analytics and visualization tool for distributed, general-purpose data processing system such as Apache Spark, Apache Flink, etc.
 - Apache Zeppelin 0.7.3 released http://zeppelin.apache.org/

Did You Know?

 - Did you know that Reddit uses Apache Lucene Solr for its new search functionality for 300M users across 1.1M communities? http://lucene.apache.org/

 - Did you know that 29,334 files in Apache NetBeans (incubating) were re-licensed to the ASF? http://netbeans.apache.org/

 - Did you know that algorithmic IT operations platform StackState uses Apache Tinkerpop Gremlin for analytical queries? http://tinkerpop.apache.org/


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - TomcatCon will be held 25 September in London https://www.eventbrite.com/e/tomcatcon-london-2017-tickets-36683639754

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Friday September 15, 2017

The Apache News Round-up: week ending 15 September 2017

It's finally Friday. We've had quite a busy week, so let's get down to reviewing our work:

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 September. Board calendar and minutes http://apache.org/foundation/board/calendar.html
 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

ASF Infrastructure –our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield smashing performance at 99.87% uptime http://status.apache.org/

ASF Operations Factoid –this week, 567 Committers changed 1,517,515 lines of code over 3,632 commits. Top 5 contributors, in order, are: Jian He; Claus Ibsen; Mingmin Xu; Paul J. Davis; and Daniel Sun.

Apache CloudStack™ –an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private Cloud environments.
 - Apache CloudStack 4.9.3.0 (LTS) released http://cloudstack.apache.org/

Apache CXF™ –an Open Source framework for building and developing services using frontend programming APIs like JAX-WS and JAX-RS.
 - Apache CXF 3.2.0 released http://cxf.apache.org/

Apache Directory™ Studio –a complete directory tooling platform intended to be used with any LDAP server however it is particularly designed for use with ApacheDS.
 - Apache Directory Studio 2.0-0-M13 released http://directory.apache.org/studio/

Apache HttpComponents™ Core –a set of low level HTTP transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 - Apache HttpComponents Core 4.4.7 released http://hc.apache.org/

Apache Impala (incubating) –a high-performance C++ and Java SQL query engine for data stored in Apache Hadoop-based clusters.
 - Apache Impala (incubating) 2.10.0 released https://impala.incubator.apache.org/

Apache Jackrabbit™ Oak –a scalable, high-performance hierarchical content repository designed for use as the foundation of modern world-class Web sites and other demanding content applications.
 - Apache Jackrabbit Oak 1.6.5 and 1.7.7, and Jackrabbit 2.1, 2.14.3 and 2.15.16 released http://jackrabbit.apache.org/

Apache Kafka™ –a distributed streaming platform.
 - Apache Kafka 0.11.0.1 released http://kafka.apache.org/

Apache Kudu™ –an Open Source storage engine for structured data which supports low-latency random access together with efficient analytical access patterns.
 - Apache Kudu 1.5.0 released http://kudu.apache.org/

Apache MXNet (incubating) –a flexible and efficient library for deep learning.
 - Apache MXNet (incubating) 0.11.0 released http://mxnet.incubator.apache.org/

Apache Mynewt™ –a community-driven modular OS for constrained, embedded applications.
 - Apache Mynewt 1.2.0 released http://mynewt.apache.org/

Apache Struts™ –Open Source framework for creating Java Web applications.
 - Apache Struts Statement on Equifax Security Breach https://s.apache.org/8thB
 - MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit https://s.apache.org/7bip

Apache Syncope™ –an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.
 - Apache Syncope 2.0.5 released http://syncope.apache.org/

Did You Know?

 - Did you know that new features in Apache Mynewt include Bluetooth Mesh and LoRa support? http://mynewt.apache.org/

 - Did you know that the world's largest mobile network, China Mobile, orchestrates containers and runs long-running services and various jobs at their on-premises data center using Apache Mesos? http://mesos.apache.org/

 - Did you know that Twitter uses Apache Kafka, Storm, Hadoop, and Cassandra to handle 5 billion sessions a day in real time? http://kafka.apache.org/ http://storm.apache.org/ http://hadoop.apache.org/ http://cassandra.apache.org/

Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - TomcatCon will be held 25 September in London https://www.eventbrite.com/e/tomcatcon-london-2017-tickets-36683639754

 - Meet members of the Apache Big Data communities at DataWorks/Hadoop Summit 20-21 September in Sydney https://dataworkssummit.com/

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Thursday September 14, 2017

MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit

Who: Apache® Struts™ is a popular Open Source framework for creating enterprise-grade Java Web applications. Apache Struts powers front- and back-end applications and Internet of Things (IoT) devices for many of the world's most visible financial institutions, government organizations, technology service providers, telecommunications agencies, and Fortune 100 companies.

Apache Struts is an Apache Software Foundation Top-Level Project (since 2004) and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.

What: On 7 September 2017, credit reporting agency Equifax announced a data breach affecting 143 million consumers. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628

Following this announcement, additional claims stated that the breach was caused by CVE-2017-9805, a vulnerability in Apache Struts that was disclosed on 4 September 2017. https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/

On 9 September 2017, the Apache Struts PMC issued a statement on the Equifax data breach that included details on its response process to reported vulnerabilities and also provided recommended security guidelines. https://s.apache.org/8thB

On 13 September 2017, Equifax issued a statement confirming that "The vulnerability was Apache Struts CVE-2017-5638". https://www.equifaxsecurity2017.com/

This vulnerability was patched on 7 March 2017, the same day it was announced. https://cwiki.apache.org/confluence/display/WW/S2-045

In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.

When: Apache Struts CVE-2017-5638 was originally reported on 7 March 2017.

Where: For downloads, documentation (including security guide and bulletins), and how to become involved with Apache Struts, visit http://struts.apache.org/ and https://twitter.com/TheApacheStruts

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 650 individual Members and 6,200 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, Inspur, iSigma, LeaseWeb, Microsoft, ODPi, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF

Media contact:
Sally Khudairi
Vice President
The Apache Software Foundation
Tel/WhatsApp +1 617 921 8656
press(at)apache(dot)org

# # #

© The Apache Software Foundation. "Apache", "Struts", "Apache Struts", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

Saturday September 09, 2017

Apache Struts Statement on Equifax Security Breach

UPDATE: MEDIA ALERT: The Apache Software Foundation Confirms Equifax Data Breach Due to Failure to Install Patches Provided for Apache® Struts™ Exploit

The Apache Struts Project Management Committee (PMC) would like to comment on the Equifax security breach, its relation to the Apache Struts Web Framework and associated media coverage.

We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any. In an online article published on Quartz.com [1], the assumption was made that the breach could be related to CVE-2017-9805, which was publicly announced on 2017-09-04 [2] along with new Struts Framework software releases to patch this and other vulnerabilities [3][4]. However, the security breach was already detected in July [5], which means that the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time --a so-called Zero-Day-Exploit. If the breach was caused by exploiting CVE-2017-9805, it would have been a Zero-Day-Exploit by that time. The article also states that the CVE-2017-9805 vulnerability has existed for nine years.

We as the Apache Struts PMC want to make clear that the development team puts enormous effort into securing and hardening the software we produce, and fixing problems whenever they come to our attention. In alignment with the Apache security policies, once we get notified of a possible security issue, we privately work with the reporting entity to reproduce and fix the problem and roll out a new release hardened against the found vulnerability. We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.

Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time providing a good answer why they did not fix this earlier. But this was actually not the case here --we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business --people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put great effort into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805.

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. It is best to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never grant access to significant or even all back-end information resources.

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 

[1] https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/
[2] https://cwiki.apache.org/confluence/display/WW/S2-052
[3] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13
[4] https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34
[5] https://baird.bluematrix.com/docs/pdf/dbf801ef-f20e-4d6f-91c1-88e55503ecb0.pdf
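Recommendations 1 and 2 of the statement above (know which frameworks and versions you ship, and be able to act on a security release within hours) are easiest to follow when the inventory is checked mechanically rather than by memory. The following Python script is an added example, not code from the Struts project or the PMC: it scans a Maven POM and the output of `mvn dependency:list` for org.apache.struts artifacts and reports whether each pinned version is at or above the releases the 8 September round-up lists as "General Availability with Security Fixes" (2.3.34 and 2.5.13). The fixed-version table, the POM and the Maven output are constructed for this example; in practice the table is maintained from the project's security bulletins, and older or newer branches should be added there rather than guessed.

```python
"""Dependency inventory check for Apache Struts 2 (added example).

Scans a Maven POM and `mvn dependency:list` output for org.apache.struts
artifacts and reports whether each pinned version is at or above the
security-fix releases named in the round-up (2.3.34 and 2.5.13).
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Lowest version per release branch that carries the September 2017 security
# fixes, taken from the releases the round-up lists. Assumption made for this
# example: anything older on the same branch is reported as vulnerable, and a
# branch missing from this table is reported as unknown rather than guessed.
PATCHED = {"2.3": (2, 3, 34), "2.5": (2, 5, 13)}


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Struts version string."""
    parsed = parse_version(version)
    if len(parsed) < 2:
        return "unknown"
    floor = PATCHED.get(f"{parsed[0]}.{parsed[1]}")
    if floor is None:
        return "unknown"
    # Tuple comparison is component-wise, so 2.5.10.1 < 2.5.13 and
    # 2.5.13.1 >= 2.5.13, which a plain string comparison would get wrong.
    return "patched" if parsed >= floor else "vulnerable"


def scan_pom(pom_text):
    """Return (artifact, version, status) for every org.apache.struts
    dependency in a POM; ${property} versions are resolved from <properties>."""
    root = ET.fromstring(pom_text)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}groupId", "").strip() != "org.apache.struts":
            continue
        artifact = dep.findtext(f"{POM_NS}artifactId", "").strip()
        version = dep.findtext(f"{POM_NS}version", "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        findings.append((artifact, version, classify(version)))
    return findings


def scan_dependency_list(text):
    """Parse lines such as
    '[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile'
    as printed by `mvn dependency:list` (classic output format assumed)."""
    findings = []
    for line in text.splitlines():
        body = line.strip()
        if not body.startswith("[INFO]"):
            continue
        words = body[len("[INFO]"):].split()
        if not words:
            continue
        parts = words[0].split(":")  # group:artifact:type[:classifier]:version:scope
        if len(parts) < 5 or parts[0] != "org.apache.struts":
            continue
        artifact, version = parts[1], parts[-2]
        findings.append((artifact, version, classify(version)))
    return findings


def report(findings):
    """One line per finding, vulnerable entries first so they are not missed."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    ranked = sorted(findings, key=lambda f: order[f[2]])
    return [f"{status:10s} {artifact:28s} {version}" for artifact, version, status in ranked]


# Constructed sample inputs; they do not describe any real deployment.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <properties><struts.version>2.5.12</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_MVN_LIST = """[INFO] --- maven-dependency-plugin:3.0.2:list (default-cli) @ app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.4:compile
"""

if __name__ == "__main__":
    for line in report(scan_pom(SAMPLE_POM) + scan_dependency_list(SAMPLE_MVN_LIST)):
        print(line)
```

Checking the resolved dependency list as well as the POM matters because transitive dependencies and parent POMs can pull in a Struts version the application's own POM never mentions; the two scans cover both views. Wiring `report()` into a build step that fails on any "vulnerable" or "unknown" line turns recommendation 2 into something that blocks a release rather than something someone has to remember.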

Friday September 08, 2017

The Apache News Round-up: week ending 8 September 2017

Happy Friday! Let's review what the Apache community has been working on over the past week:

Success at Apache –the monthly blog series that focuses on the processes behind why the ASF "just works".
 - Lowering Barriers to Open Innovation by Luke Han https://s.apache.org/dAlg

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 September. Board calendar and minutes http://apache.org/foundation/board/calendar.html
 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

ASF Infrastructure –our mighty distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield shazam performance at 99.85% uptime http://status.apache.org/

ASF Operations Factoid –this week, 460 Committers changed 1,011,972 lines of code over 2,764 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Jian He, Samarth Jain, Francesco Chicchiriccò, and Claus Ibsen.

Apache Bahir™ –extensions to distributed analytic platforms such as Apache Spark.
 - Apache Bahir 2.2.0 released http://bahir.apache.org

Apache Chemistry™ cmislib –provides Open Source implementations of the Content Management Interoperability Services (CMIS) specification.
 - Apache Chemistry cmislib 0.6.0 released http://chemistry.apache.org/

Apache Commons™ –Commons CSV reads and writes files in variations of the Comma Separated Value (CSV) format.
 - Apache Commons CSV 1.5 released http://commons.apache.org/proper/commons-csv/

Apache Groovy™ –a multi-facet programming language for the JVM.
 - Apache Groovy 2.6.0-alpha-1 released https://groovy.apache.org/

Apache HttpComponents™ Core –HTTP transport library including support for asynchronous execution based on Java NIO.
 - Apache HttpComponents Core 5.0 alpha4 released http://hc.apache.org/httpcomponents-core/

Apache Jackrabbit™ Oak –a scalable, high-performance hierarchical content repository designed for use as the foundation of modern world-class Web sites and other demanding content applications.
 - Apache Jackrabbit Oak 1.4.18 and Jackrabbit 2.6.9 released and Jackrabbit 2.4 retired http://jackrabbit.apache.org/

Apache Lucene™ –a high-performance, full-featured text search engine library written entirely in Java.
 - Apache Lucene 6.6.1 and Solr 6.6.1 released https://lucene.apache.org/

Apache MXNet (incubating) –a flexible and efficient library for deep learning.
 - Apache MXNet (incubating) 0.11.0 released http://mxnet.incubator.apache.org/

Apache Olingo™ –a Java library which enables developers to implement OData service providers (server) and consumers (clients).
 - Apache Olingo 4.4.0 released http://olingo.apache.org/

Apache OpenMeetings™ –provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.
 - Apache OpenMeetings 3.3.1 released http://openmeetings.apache.org

Apache Qpid™ – a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org).
 - Apache Qpid Proton-J 0.21.0 released http://qpid.apache.org/

Apache Struts™ –Open Source framework for creating Java Web applications.
 - Apache Struts 2.3.34 and 2.5.13 General Availability with Security Fixes released http://struts.apache.org/

Apache Tomcat™ Native Library –provides portable API for features not found in contemporary JDKs.
 - Apache Tomcat Native 1.2.14 released http://tomcat.apache.org/

Apache Traffic Server™ –a high performance, scalable HTTP Intermediary and proxy cache.
 - Apache Traffic Server v7.1.1 released https://trafficserver.apache.org/

Apache VCL™ –a self-service system used to dynamically provision and broker remote access to a dedicated compute environment for an end-user.
 - Apache VCL 2.5 released http://vcl.apache.org/

Apache Wicket™ –an Open Source Java component oriented Web application framework.
 - Apache Wicket 6.27.1 released http://wicket.apache.org


Did You Know?

 - Did you know that Netflix uses Apache Tinkerpop for storing and querying highly-interconnected data at scale? http://tinkerpop.apache.org/

 - Did you know that The New York Times uses Apache Kafka to store and process every article ever published? http://kafka.apache.org/

 - Did you know that Emirates Reit Real Estate Investment Trust uses Apache Wicket? http://wicket.apache.org/


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available; as well as videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Check out the latest Apache Community Development newsletter https://blogs.apache.org/comdev/entry/community-development-news-july-2017

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - TomcatCon will be held 25 September in London https://www.eventbrite.com/e/tomcatcon-london-2017-tickets-36683639754

 - Meet members of the Apache Big Data communities at DataWorks/Hadoop Summit 20-21 September in Sydney https://dataworkssummit.com/

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Tuesday September 05, 2017

Success at Apache: Lowering Barriers to Open Innovation

By Luke Han

Over the past decade, I was a Java developer using many Apache projects such as Tomcat, Jakarta, Struts, and Velocity. In 2010 I stepped into the Big Data field and started to actively participate in Apache projects, and became an ASF Member 3 years ago. In addition to being the VP of Apache Kylin, I helped projects such as Apache Eagle and CarbonData move to the ASF, and have been a mentor for Apache Superset, Weex, and RocketMQ. Today, I'm co-founder/CEO of Kyligence (prior to that, I was Big Data Product Lead of eBay, and Chief Consultant of Actuate China).

Apache Kylin, as its name may suggest, originated from China ("Kylin": A powerful yet gentle fire-breathing creature in eastern mythology. Also written as Qilin. "Apache Kylin": OLAP on Hadoop, capable of analyzing petabytes of data within seconds http://kylin.apache.org/ ). I started this project with a few members in early 2015. 

As a pioneer of the first highly-recognized Apache project from the Eastern world, I was proud to see that, within 2 years, Kylin has helped over 500 organizations across the globe to solve their Big Data challenges. 

Before Kylin graduated from the Apache Incubator, the Kylin team faced a lot of cultural challenges. Since a great number of projects from China had failed in the past, we too received many questions and doubts from both the eastern and western worlds. As our native language is not English, communication with mentors did become difficult during the coaching process. Fortunately, by fully embracing The Apache Way, Kylin was able to succeed with strong support from the Apache community members. Beyond the Kylin software itself, our team has also worked with these talented people to bring a Chinese voice to the world.

While developing high-quality software, we are engaging more Westerners to understand the Eastern culture. I had many chances to travel and meet people across the globe since I initiated Kylin. Some of them are Apache directors and mentors, some of them are developers and contributors. Some are from the US, Australia, Canada and Chile; some are from Japan and Taiwan. Some are impressed with Kylin, some are curious about Easterners’ attitude toward Open Source software. I asked them a lot of questions about The Apache Way, and they all generously coached me and my team with lovely and detailed answers. We were also able to reach consensus after intensive and open arguments. Kylin received much more encouragement and recognition than I expected.

As a VP of a Top-Level Project, my responsibility grew after Kylin graduated from the Apache Incubator. Kylin faced more opportunities as it has been bug-fixed quickly and tested frequently, as is the nature of Open Source software. In China’s famously large market, Apache Kylin has received a great deal of user feedback and evolved fast. We received many suggestions from both the developers’ perspective and the product perspective. Beyond my expectation, many community members are passionately writing tools for Kylin and helping users better understand and use Kylin. Assembling members’ ideas, we are also sharing our knowledge as a way to give back to the community.

Thanks to the ASF and everyone involved in the Open Source community, I have the opportunity to work with people that I’ve always admired and make a difference in the world all together. I feel that my team and I are deeply connected with such a warm, global, open community.

= = =

"Success at Apache" is a monthly blog series that focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo

# # # 

Friday September 01, 2017

The Apache News Round-up: week ending 1 September 2017

Well hello, September ... here's what the Apache community has been working on over the past week:

Support Apache –a great way to help the ASF meet its financial goals is through a corporate matching program. Companies that offer matching gifts receive tax benefits, and their employees' contributions to the ASF can be generously increased. Every dollar counts. http://apache.org/foundation/contributing.html

ASF Board –management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 September. Board calendar and minutes http://apache.org/foundation/board/calendar.html
 - ASF Quarterly Report: Operations Summary Q1 FY2018 https://s.apache.org/cEUm

ASF Operations Factoid –this week, 440 Committers changed 763,682 lines of code over 2,642 commits. Top 5 contributors, in order, are: Tellier Benoit, Andrea Cosentino, Daniel Gruno, Karl Wright, and Daniel Sun.

Apache Atlas™ –Big Data governance and metadata framework/services.
 - Apache Atlas 0.8.1 released http://atlas.apache.org/

Apache CloudStack™ –an easy-to-deploy IaaS Cloud orchestration platform that "just works".
 - Apache CloudStack 4.10.0.0 released http://cloudstack.apache.org/

Apache CXF™ Fediz –helps secure Web applications and delegates security enforcement to the underlying application server.
 - Apache CXF Fediz 1.4.1 released http://cxf.apache.org/fediz.html

Apache Log4j™ –a well known framework for logging application behavior.
 - Apache Log4j 2.9.0 released https://logging.apache.org/log4j/

Apache MADlib™ –an Open Source library for scalable in-database analytics.
 - Apache MADlib v1.12 released http://madlib.apache.org/

Apache OODT™ –a software framework as well as an architectural style for the rapid construction of scientific data systems.
 - Apache OODT 1.2 released http://oodt.apache.org/

Apache S2Graph (incubating) –graph database designed to handle transactional graph processing at scale.
 - Apache S2Graph 0.2.0-incubating released http://s2graph.incubator.apache.org/

Apache Santuario™ –aimed at providing implementation of the primary security standards for XML, namely XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.
 - Apache Santuario XML Security for Java 2.0.9 and 2.1.0 released http://santuario.apache.org/

Apache UIMA™ –a component framework supporting development, discovery, composition, and deployment of multi-modal analytics tasked with the analysis of unstructured information.
 - Apache UIMA Java SDK 2.10.1 and UIMA DUCC 2.2.1 released https://uima.apache.org/

Apache VCL™ –a self-service system used to dynamically provision and broker remote access to a dedicated compute environment for an end-user.
 - Apache VCL 2.5 released http://vcl.apache.org/


Did You Know?

 - Did you know that the following Apache projects have anniversaries this month? Many happy returns to ServiceMix (10 years); Hive, Pig and Shiro (7 years); Airavata, Bigtop, SIS, and Stanbol (5 years); Curator (4 years); Storm (3 years); and Yetus (2 years) https://projects.apache.org/committees.html?date

 - Did you know that Apache NiFi is a great data flow system for fast prototyping of Big Data? http://nifi.apache.org/

 - Did you know that Apache Pulsar (incubating) provides multi-tenancy, geo-replication, and durability guarantees out of the box? http://pulsar.apache.org/


Apache Community Notices:

 - "Success at Apache" focuses on the processes behind why the ASF "just works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) JFDI --the unconditional love of contributors https://s.apache.org/4pjM 6) Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo

 - Follow the ASF on social media: @TheASF on Twitter and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation (re-tweets/shares/likes most appreciated!)

 - Presentations from ApacheCon https://s.apache.org/Hli7 and Apache: Big Data https://s.apache.org/tefE are available, as are videos https://s.apache.org/AE3m and audio recordings https://feathercast.apache.org/

 - Check out the latest Apache Community Development newsletter https://blogs.apache.org/comdev/entry/community-development-news-july-2017

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - TomcatCon will be held 25 September in London https://www.eventbrite.com/e/tomcatcon-london-2017-tickets-36683639754

 - Meet members of the Apache Big Data communities at DataWorks/Hadoop Summit 20-21 September in Sydney https://dataworkssummit.com/

 - The Apache community will be at All Things Open --stop by the ASF booth and say hello! 23-24 October in Raleigh https://allthingsopen.org/

 - Learn about Apache Atlas, AriaTosca (incubating), Hadoop YARN, Kafka, ManifoldCF, Ranger, Spot (incubating), Thrift, and more at Open Source Summit Europe + ELC Europe 2017 23-26 October in Prague https://osseu17.sched.com/

 - Catch the Apache Ignite and Spark communities at the In-Memory Computing Summit 24-25 October in San Francisco https://imcsummit.org/

 - ASF Annual Report is available at https://s.apache.org/FY2017AnnualReport

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Polygene, Syncope, Tika, Trafodion, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Tuesday August 29, 2017

The Apache Software Foundation Operations Summary: May - July 2017

FOUNDATION OPERATIONS SUMMARY

First Quarter, Fiscal Year 2018 (May - July 2017)

"We love The Apache Way and what Apache has done for us..."
--ASF Platinum Sponsor


> President's Statement:
Financially, we are on track to meet this year's budget, even after accounting for accounts receivable that didn't manage to close out on time in the last fiscal year. We are still projected to have a manageable deficit, and this will require us to have a multi-year focus on fundraising to resolve. We have redirected resources at both Virtual, Inc. and HALO Worldwide to help out with this effort.

Other highlights: 

  • Conferences is once again at a time of transition as we explore new ways to reach more people;
  • Travel assistance was provided to 10 individuals, bringing the total number of people helped to 131;
  • Brand Management had a relatively quiet quarter, focusing on matters such as registration renewals;
  • Infrastructure is focusing on more user friendly "self serve" tools, and expanding support for projects hosted on GitHub;
  • Marketing and Publicity provided media training, and produced an annual report.

While we remain in a very healthy financial position, it never hurts to take the opportunity to ask for your support. As an individual you can donate to the Foundation http://www.apache.org/foundation/contributing.html , as a corporation you can become a Sponsor http://www.apache.org/foundation/sponsorship.html .


> Conferences and Events:
ApacheCon North America was held 16-18 May in Miami, Florida, and had about 500 Apache enthusiasts in attendance. Rather than being one monolithic event, it was a convention of smaller events, including:

  • Apache Traffic Server and Traffic Control Summit
  • BarCampApache
  • Apache: Big Data
  • Apache: IoT
  • CloudStack Collaboration Conference
  • FlexJS Summit
  • TomcatCon

Additionally, there were numerous smaller project hackathons and developer summits.

ApacheCon North America 2017 marks the end of our contract with the Linux Foundation, who have been producing our events since ApacheCon Denver, in April of 2014. We will not be holding an ApacheCon in Europe this year, as we investigate various options for how we will resume ApacheCon in 2018.

Meanwhile, we are pursuing closer relationships with the many events that feature Apache Software Foundation content, whether these are events dedicated to a particular Apache project, or events about a particular topic that happens to include Apache content.


> Community Development:
During April and May our main focus was helping prepare for and support ApacheCon NA in Miami. Prior to the event, we began recording interviews with various speakers and keynote speakers for our news / podcast channel FeatherCast.

Throughout ApacheCon itself, recordings of on-site interviews with attendees and sponsors were also broadcast and published. The audio from many of the ApacheCon conference tracks was also recorded and is available online. We are continually increasing the amount of content available and are finding that FeatherCast is a very valuable and useful resource for helping share and promote Apache and technology-related content.

One key discussion raised this quarter was about trying to improve the tools and applications that the Community Development team has at its disposal. This topic was very positively received and resulted in a "Tools Hackathon" session being organized and held at ApacheCon focused on how to use the tools and make them more effective.

In June we were present at the OpenExpo conference in Madrid. The conference was mainly focused on Spanish-speaking audiences, and with the help of two local volunteers we continued to promote Apache and its projects. Over 3,000 visitors attended the conference and 300 of them (approximately 10%) were actively interested in speaking to us to find out more about Apache.

Community Development has also started to increase its social media presence and we are now active on both Twitter and Facebook. Our monthly Community Development Blog is still being well received and we have published 3 further updates. These regular news summaries give people a brief overview of what is happening or planned. Our mailing list traffic has remained constant during the quarter, showing that there are still a lot of active discussions going on.


> Committers and Contributions:
Over the past quarter, 1,616 contributors committed 49,112 changes that amount to 13,837,582 lines of code across Apache projects. The top 5 contributors during this timeframe are: Jean-Baptiste Onofré (778 commits), Claus Ibsen (749 commits), Colm Ó hÉigeartaigh (703 commits), Mark Thomas (540 commits), and Stephen Mallette (536 commits).

The ASF Secretary processes new Apache Committers' paperwork so that they can continue contributing to our projects. All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. 

During this timeframe, the Secretary processed 203 ICLAs, 13 CCLAs, and 4 Software Grants. Apache committer activity can be seen at http://status.apache.org/#commits


> Brand Management:
The summer quarter continues to be traditionally quiet in terms of trademark questions and requests, although we continue to get new kinds of questions coming in with some regularity. Some Apache project PMCs now have experience implementing our trademark policies and have been doing a great job answering basic questions themselves directly with third parties, which is great to see. However, as the number of projects grows, so does the number of questions or issues overall, which continues to tax our small pool of Brand Management volunteers with broad experience.

All of the ASF's education and policies around trademark law for Open Source, as well as brand management, are published online, and we urge project participants and software vendors alike to review them and ask us questions about them - please review our complete site map: http://www.apache.org/foundation/marks/resources

On the registration front, we have come upon our first large set of trademark registration renewals and maintenance paperwork. Although our legal counsel handles all the actual paperwork with various national trademark registries, validating the continuing use of these marks is still an ongoing effort for our volunteer Brand Management team - as are the financial costs for registry fees. In almost all cases we will continue to maintain existing registrations for projects. We continue to have some projects request new registrations as well, and are successfully negotiating some coexistence agreements with potentially similar software brands in the marketplace.

As more Apache brands and projects power more business every year, we continue to look to the companies that profit from Apache software products to help respect Apache brands. We very much appreciate the companies that pass on their trademark registrations with incoming donations of podlings joining the Incubator. Having existing registrations makes the trademark management process simpler for the ASF.

While many companies continue to properly give credit to our volunteer communities, sadly some companies continue to --or have started to-- take advantage of our non-profit work by unfairly co-opting Apache project brands or by interfering with Apache project governance.

Reviewing and correcting these misuses is an ongoing effort for the ASF Board, the Brand Management Committee, and all Apache projects.

Please contact the Apache Brand Management team https://www.apache.org/foundation/marks/contact with your questions or suggestions!


> Legal Affairs:
The ASF Legal Affairs team works diligently with our pro-bono legal counsel, answers legal questions, and addresses policy issues regarding license compatibility for The Apache Software Foundation.

We had a busy quarter answering questions related to the use of data to train models in Apache projects. In addition, regular ASF legal inquiries, such as those related to system dependencies, are routinely being answered promptly. The ASF registered a Digital Millennium Copyright Act (DMCA) agent for the Foundation so that the ASF can implement a safe harbor policy. VP, Legal Affairs, Chris Mattmann, was registered in this role. Finally, the committee provided clarity on an oft-asked question related to the release of binary artifacts, and ASF policy in this area.


> Infrastructure:
The Infrastructure team and its volunteers provide the machines and services needed by the hundreds of Foundation projects, and the thousands of volunteers working on them. One of our high priority, long-term activities has been to migrate services off our hardware onto third-party infrastructure ("the cloud"; IaaS). Our work in this area has improved stability and repeatability, and lowered our costs.

For the first time, our team was able to meet as an entire group at the ApacheCon held in Miami during May. This was a great time for us to talk at length, and to bond as a team. We will continue the yearly meetups to get work done, and to strengthen that team spirit.

Our uptime over the quarter has met our stated Service Level Agreement, even with our hours of downtime to upgrade our Jira installation and our Jenkins build system. The short answer is that outside of planned maintenance, the Infrastructure team gets by with very little downtime. We have further planned upgrades for primary services (such as Confluence and Jira) to stay current with the continued improvements in these products. 

Two service areas saw significant expansion during the quarter: our use of LDAP as a canonical organizational reference, and our provisioning of GitHub-based tooling to the Foundation's communities.

The LDAP changes have been performed, and made possible, by some great work from the Apache Whimsy community. Older generation, command-line tools have been replaced by friendlier web interfaces. The growing number of "self serve" tools has, in turn, reduced the manual workload requested from the Infrastructure team.

Our GitHub tooling is still in a "beta" stage, but has been made available to many more Top Level Projects and to many podlings arriving at the Foundation. These podlings tend to already use GitHub for their development workflow, and our new tooling allows them to continue the workflows their communities have defined. As we continue to sand off the rougher edges of the integration between the Foundation and the GitHub service, we'll continue to add projects to the program.


> Financial Statement:


> Fundraising:
The ASF Fundraising team welcomes Kevin A. McGrail to the role of VP Fundraising. In addition, we'd like to welcome HostPapa Web Hosting and Inspur to the Apache Family.

Thank you to all our Sponsors http://apache.org/foundation/thanks . As a 501(c)(3), our operations depend on our Sponsors' support!

# # #

Report prepared by Sally Khudairi, Vice President Marketing & Publicity, with contributions by Sam Ruby, ASF President; Rich Bowen, Vice President Conferences; Sharan Foga, ASF Member; Chris Mattmann, Vice President Legal Affairs; Shane Curcuru, Vice President Brand Management; Greg Stein, ASF Infrastructure Administrator; Tom Pappas, ASF Member and Vice President, Finance & Accounting at Virtual, Inc.; and Kevin McGrail, Vice President Fundraising.

For more information, subscribe to the announce@apache.org mailing list and visit http://www.apache.org/, the ASF Blog at http://blogs.apache.org/, the @TheASF on Twitter, and https://www.linkedin.com/company/the-apache-software-foundation.

(c) The Apache Software Foundation 2017.
