The Apache Software Foundation Blog

Friday January 06, 2017

The Apache News Round-up: week ending 6 January 2017

Happy New Year! The Apache community kicks off 2017 with the following activities:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 January 2017. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield smashing performance at 99.92% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - 2016/Seville's session recordings continue to be processed and posted at Feathercast http://feathercast.org

Apache Incubator –projects and communities intending to become fully-fledged projects under the auspices of The Apache Software Foundation do so through the Apache Incubator.
 - Call for Entries --Apache Incubator Logo https://s.apache.org/rFii

Apache Attic –provides process and solutions to make it clear when an Apache project has reached its end of life.
 - Apache DeviceMap retired http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCALGG8z3wZ3iSii15BdgVx6SnfVwVuNFMQD3mQuVOQCqWi5CG9A%40mail.gmail.com%3E

Apache Ant™ –a Java library and command-line tool that helps building software.
 - Apache Ant 1.9.8 and 1.10.0 released http://ant.apache.org/bindownload.cgi

Apache Commons™ JCS –a distributed, versatile caching system.
 - Apache Commons JCS 2.0 released https://commons.apache.org/proper/commons-jcs/download_jcs.cgi

Apache Guacamole –a clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH.
 - Apache Guacamole 0.9.10-incubating released http://guacamole.incubator.apache.org/releases/0.9.10-incubating/

Apache log4net™ –a tool to help the programmer output log statements to a variety of output targets.
 - Apache log4net 2.0.7 released https://logging.apache.org/log4net/download_log4net.cgi

Apache OpenNLP™ –a machine learning based toolkit for the processing of natural language text.
 - Apache OpenNLP 1.7.0 released http://opennlp.apache.org/cgi-bin/download.cgi

Apache Tomcat™ –a Web server that is an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.
 - CVE-2016-8745 Apache Tomcat Information Disclosure http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3C04ead0cb-c989-1386-0fd1-a51ef80f7b57%40apache.org%3E


Did You Know?

 - Did you know that in 2016 Apache projects comprised 797 repositories; 205,167 code commits by 3,314 Committers; and 60,327,418 lines changed? https://projects.apache.org/

 - Did you know that over the past year, Apache communities sent 2,003,919 emails by 27,940 authors on 1,127 lists with 789,825 topics? Prolific!

 - Did you know that ASF Infrastructure have upgraded and improved blogs.apache.org? https://blogs.apache.org/infra/entry/blogs-a-o-moved-upgraded


Apache Community Notices:

 - "Success at Apache" is a new monthly blog series that focuses on the processes behind why the ASF "just works". First article: Project Independence https://s.apache.org/CE0V

 - Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA) https://s.apache.org/romf

 - ASF Operations Summary - Q2 FY2017 https://s.apache.org/oTOF

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Friday December 30, 2016

The Apache News Round-up: week ending 30 December 2016

It's a wrap! The Apache community's final activities of 2016 include:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 January 2017. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield "three nines" performance at 99.92% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Session recordings are being processed and posted at Feathercast http://feathercast.org

Apache Commons™ Compress –library that defines a Java API for working with ar, cpio, tar, zip, 7z, arj, dump, gzip, pack200, bzip2, lzma, snappy, Z, xz and deflate files.
 - Apache Commons Compress 1.13 released http://commons.apache.org/proper/commons-compress/download_compress.cgi

Apache HttpComponents™ –a set of HTTP/1.1 and HTTP/2 transport components that can be used to build custom client and server side HTTP services with a minimal footprint.
 - Apache HttpComponents Core 5.0 alpha2 released http://hc.apache.org/downloads.cgi

Apache Knox™ –a REST API Gateway for providing secure access to the data and processing resources of Hadoop clusters.
 - Apache Knox 0.11.0 released http://www.apache.org/dyn/closer.cgi/knox/0.11.0

Apache log4net™ –a tool to help the programmer output log statements to a variety of output targets.
 - Apache log4net 2.0.6 released https://logging.apache.org/log4net/download_log4net.cgi 

Apache NiFi™ –an easy to use, powerful, and reliable system to process and distribute data.
 - Apache NiFi 1.1.1 released https://nifi.apache.org/download.html

Apache Streams (incubating) –unifies a diverse world of digital profiles and online activities into common formats and vocabularies, and makes these datasets accessible across a variety of databases, devices, and platforms for streaming, browsing, search, sharing, and analytics use-cases.
 - Apache Streams 0.4.1-incubating released http://www.apache.org/dyn/closer.cgi/incubator/streams/releases/0.4.1-incubating/


Did You Know?

 - Did you know that 620 individual Members and 5,934 Committers drive 350+ Apache projects and global operations? All volunteer: no days off! http://apache.org/foundation/how-it-works.html

 - Did you know that the top 5 Committers in 2016 were Mark Thomas (3,032 commits), Claus Ibsen (2,890 commits), Gary Gregory (2,004 commits), Colm Ó hÉigeartaigh (1,900 commits), and Jean-Baptiste Onofré (1,825 commits)? http://community.apache.org/committers/

 - Did you know that Apache CloudStack powers large-scale Clouds with tens of thousands of nodes in production? http://cloudstack.apache.org/


Apache Community Notices:

 - "Success at Apache" is a new monthly blog series that focuses on the processes behind why the ASF "just works". First article: Project Independence https://s.apache.org/CE0V

 - Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA) https://s.apache.org/romf

 - ASF Operations Summary - Q2 FY2017 https://s.apache.org/oTOF

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!


# # #

Friday December 23, 2016

The Apache News Round-up: week ending 23 December 2016

Happy holidays! The Apache community has worked hard this week on:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 January 2017. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield steady performance at 99.23% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Session recordings are being processed and posted at Feathercast http://feathercast.org

Apache Allura™ –an Open Source implementation of a software forge, a Web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.
 - Apache Allura 1.6.0 released https://allura.apache.org/

Apache Apex™ –an enterprise grade Big Data-in-motion platform that unifies stream and batch processing.
 - Apache Apex Core 3.5.0 released http://apex.apache.org/downloads.html

Apache Edgent (incubating) –a stream processing programming model and lightweight micro-kernel style runtime to execute analytics at devices on the edge or at the gateway.
 - Apache Edgent 1.0.0-incubating released https://edgent.apache.org/docs/downloads.html

Apache Fineract (incubating) –an Open Source system for core banking as a platform.
 - Apache Fineract 0.5.0-incubating released https://dist.apache.org/repos/dist/release/incubator/fineract/0.5.0-incubating/

Apache HTTP Server™ –the world's most popular Web server.
 - Apache HTTP Server 2.4.25 released http://httpd.apache.org/download.cgi

Apache Jackrabbit™ –a fully compliant implementation of the Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).
 - Apache Jackrabbit 2.13.6 and 2.13.7, and Jackrabbit Oak 1.5.16 released http://jackrabbit.apache.org/downloads.html

Apache Kafka™ –a distributed, fault-tolerant, publish-subscribe messaging system.
 - Apache Kafka 0.10.1.1 released https://www.apache.org/dyn/closer.cgi?path=/kafka/0.10.1.1/kafka-0.10.1.1-src.tgz

Apache Struts™ –an elegant, extensible framework for creating enterprise-ready Java Web applications.
 - Apache Struts 2.5.8 GA released http://struts.apache.org/download.html#struts-ga


Did You Know?

 - Did you know that the top 5 Committers this week were Stefan Bodewig (83 commits), Claus Ibsen (77 commits), Philippe Mouawad (73 commits), Sterling Hughes (51 commits), and Colm Ó hÉigeartaigh (49 commits)? http://www.apache.org/foundation/how-it-works.html#roles

 - Did you know that Greenplum uses Apache Solr and MADlib (incubating) for scalable text analytics? http://lucene.apache.org/solr/ and http://incubator.apache.org/projects/madlib.html

 - Did you know that Apache NetBeans (incubating) began as a student project and has an active community of more than 1.5M users? http://incubator.apache.org/projects/netbeans.html

Apache Community Notices:

 - Introducing "Success at Apache" –a new monthly blog series that focuses on the processes behind why the ASF "just works". First article: Project Independence https://s.apache.org/CE0V

 - Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA) https://s.apache.org/romf

 - ASF Operations Summary - Q2 FY2017 https://s.apache.org/oTOF

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF! 


# # #

Friday December 16, 2016

The Apache News Round-up: week ending 16 December 2016

As we're approaching the holidays, the Apache community has been busy this week on:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - ASF Operations Summary - Q2 FY2017 https://s.apache.org/oTOF
 - Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA) https://s.apache.org/romf
 - Next Board Meeting: 21 December 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield brisk performance at 99.85% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Session slides + photos available at http://bit.ly/2gTgdYK; recordings are being processed and posted at Feathercast http://feathercast.org

Apache Apex™ –an enterprise-grade native YARN big data-in-motion platform that unifies stream and batch processing.
 - Apache Apex Malhar 3.6.0 released http://apex.apache.org/downloads.html

Apache Commons™ RNG –provides Java implementations of pseudo-random number generators.
 - Apache Commons RNG v1.0 released https://commons.apache.org/proper/commons-rng/download_rng.cgi

Apache Ignite™ –a high-performance, integrated and distributed in-memory platform for computing and transacting on large-scale data sets in real-time, orders of magnitude faster than possible with traditional disk-based or flash-based technologies.

 - Apache Ignite 1.8.0 released https://ignite.apache.org/download.cgi

Apache Jackrabbit™ Oak –a scalable, high-performance hierarchical content repository designed for use as the foundation of modern world-class Web sites and other demanding content applications.
 - Apache Jackrabbit Oak 1.5.15 and 1.2.22 released http://jackrabbit.apache.org/downloads.html

Apache Lucy™ –a search engine library that provides full-text search for a variety of programming languages.
 - Apache Lucy 0.6.1 and Clownfish 0.6.1 released http://lucy.apache.org/download.html

Apache Mynewt (incubating) –a community-driven module OS for constrained, embedded applications.
 - Apache Mynewt 1.0.0-b1-incubating released http://www.apache.org/dyn/closer.lua/incubator/mynewt/apache-mynewt-1.0.0-b1-incubating

Apache Phoenix™ –enables OLTP and operational analytics for Apache Hadoop through SQL support using Apache HBase as its backing store and providing integration with other Apache projects in the ecosystem such as Spark, Hive, Pig, Flume, and MapReduce.
 - Apache Phoenix 4.9 released https://phoenix.apache.org/download.html

Apache Qpid™ Proton –a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org).
 - Apache Qpid Proton 0.16.0 and Qpid C++ 1.36.0 released http://qpid.apache.org/download.html

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.
 - Apache Tomcat 8.5.9 and 9.0.0.M15 released http://tomcat.apache.org/download-80.cgi and http://tomcat.apache.org/download-90.cgi
 - CVE-2016-8745 Apache Tomcat Information Disclosure http://mail-archives.apache.org/mod_mbox/www-announce/201612.mbox/%3C76fe5f99-cc2c-4e48-b669-738f5dae7266%40apache.org%3E


Did You Know?

 - Did you know that recordings from Apache: BigData and ApacheCon Europe/Seville are available at FeatherCast? http://feathercast.apache.org/

 - Did you know that the German National Library of Science and Technology uses Apache Wicket? http://wicket.apache.org/

 - Did you know that Apache MADlib (incubating) can be used for principal component analysis such as image analysis? http://madlib.incubator.apache.org/

Apache Community Notices:

 - Introducing "Success at Apache" –a new monthly blog series that focuses on the processes behind why the ASF "just works". First article: Project Independence https://s.apache.org/CE0V

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!


# # #

Feedback from The Apache Software Foundation on the Free and Open Source Security Audit (FOSSA)

by Dirk-Willem van Gulik <dirkx(at)apache(punto)org>

December 2016, v1.09

Background

The important role of open source software in key infrastructures was brought to collective attention by two major security vulnerabilities in the core of the internet infrastructure: Heartbleed and Shellshock, both in 2014, caused significant concern. They made a lot of people realise how important the collective efforts around these open source infrastructures are, and how much key internet infrastructure relies on open source communities such as the Apache community.

Two of those people were Julia Reda and Max Andersson, Members of the European Parliament. As a result they proposed (and directed Europe to fund) a pilot project: the "Free and Open Source Software Audit (FOSSA)" within a larger workstream that was about "€1 million to demonstrate security and freedom are not opposites".

One part of the money was about developing a methodology; the other about actually auditing some widely used open source software. After soliciting votes from the public - two projects "won": KeePass and the Apache Web Server.

Audit Process

The European Commission (easiest thought of as the executive part of Europe) commissioned the Spanish aerospace and defence company Everis to carry out the review on the Apache HTTPD server (and associated APR). Their first draft had a considerable number of false positives and a fair bit of focus on some of the more arcane build tools (e.g. our libtool that is used on OS/2 where there is no gnu-libtool). At Apache, vulnerability scans are most valuable if we see analysis and at least a theory as to why something is vulnerable -- so we then worked with Everis to improve the report. Their final report on Apache HTTPD and APR has since gone live along with the other audit reports and results.

As none of the vulnerabilities found were particularly severe, we did not need to go through a responsible disclosure path, but could post the issues publicly to the developer mailing list.

Feedback on FOSSA

As part of this work, we were also asked for feedback - especially important now that Julia Reda and Max Andersson have managed to secure a recent vote in the European Parliament for additional budget.

So in the remainder of this post I'll try to outline some of the conflicting forces around a security issue report vs. a report of a vulnerability.

Security Reports

Infrastructure software needs constant maintenance to accommodate the evolving platforms, and to back-port or propagate improvements and new learnings throughout the code. It is not a static piece of code with 'security holes' waiting to be found. 'Fixing' a hole without 'lifting the helicopter' is not net-positive by definition; in fact it can be negative: for example if a 'fix' makes the code more complex, if it reduces the number of people that understand it, or if it has an adverse effect on systems that use a different CPU architecture, build environment or operating system.

So in general terms, the main metric is whether security overall gets better - and indirectly about optimising efficient use of the available (existing and extra), but always limited, capacity and capabilities of the resources. At any given time there is both 1) a known backlog of deficiencies and loose ends and 2) a reservoir of unknown issues. Tackling the first will generally make things more secure, whereas searching in the latter space only makes things more secure if one finds issues that are severe enough to warrant the time spent on the unknown versus the time not spent on the known deficiencies.

To illustrate this with examples: a report from a somewhat outdated automated vulnerability tool often reduces overall security. Time that could be spent on fixing real issues and cleanups is instead spent on dealing with the false positives and minor stuff. The opposite is also true: bringing a verified security issue to us with a modest bit of analysis as to how it is exploitable is virtually always a straight win. This obviously is even more true for a very severe issue (where it is immediately clear how it is exploitable).

But it is also true for the case where someone bestows time on us on a small deficiency (e.g. initially found by a tool) - provided they spend significant time and engineering on handing us the 'fix' on a well tested silver platter. And it is even more useful if a class of issues is tackled throughout; with things like updated test cases.

Throughout this it is very important to consider the threat model and what or whom the bad actors are that you are protecting against. This includes questions like: Is it when the server runs in production? Or also during build? What is the attack surface? This is particularly important when using (modern!) automated scanning tools (even after you laboriously winnow down the thousands of false positives for the one nugget).

The reason for this is that it is common for constructs such as:
  ....
  results = (results_t *) mallocOrDie(sizeof(results_t));
  results->sum = 0;
  for(int i = 0; i < ptr->array_len; i++) {
    results->sum += ptr->array[i];
  }
  ....
to be automatically flagged by (old-fashioned) tools. This is because there is seemingly no error trapping on mallocOrDie() and because there is no bound checking on ptr->array[i]. So in those cases you need to carefully analyse how this code is used, what assumptions there are in the API, how exposed it is, and so on (e.g. is array_len public or private to the API).

The last thing you want (when the situation is more complex) is to add a whole load of sentinels to the above code. That would make the code harder to maintain, harder to test, and introduce things like the risk of a dangling else going unnoticed; you would then have reduced security by tackling a non-existent issue. It would have been better to focus, for example, on making sure that mallocOrDie() always bombs out reliably when it fails to allocate.
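One way to act on the advice above, as an added example that is not code from the post, from httpd or from APR: make mallocOrDie() fail reliably, and establish the array_len invariant once at the API boundary so that the flagged loop can stay exactly as written. The names data_t, data_create(), results_sum() and the MAX_ELEMENTS limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the post or from httpd/APR. data_t,
 * results_t, mallocOrDie(), data_create(), results_sum() and
 * MAX_ELEMENTS are hypothetical names chosen for illustration. */

/* Constructed upper bound on elements accepted at the API boundary. */
#define MAX_ELEMENTS ((size_t)1 << 20)

typedef struct {
    size_t array_len;   /* number of valid elements; set only by data_create() */
    long   array[];     /* C99 flexible array member holding array_len elements */
} data_t;

typedef struct {
    long sum;
} results_t;

/* "Bombs out reliably": never returns NULL, and refuses a zero-byte request
 * rather than handing back a pointer that callers might dereference. */
static void *mallocOrDie(size_t nbytes)
{
    void *p;

    if (nbytes == 0) {
        fputs("fatal: zero-byte allocation requested\n", stderr);
        abort();
    }
    p = malloc(nbytes);
    if (p == NULL) {
        fprintf(stderr, "fatal: out of memory allocating %zu bytes\n", nbytes);
        abort();
    }
    return p;
}

/* API boundary: the one place that validates the caller's input and
 * establishes the invariant "array holds array_len elements". A NULL
 * return means the caller violated the contract (a bug to report), not
 * that allocation failed (that aborts inside mallocOrDie). */
data_t *data_create(const long *src, size_t len)
{
    data_t *d;

    if (len > MAX_ELEMENTS)          /* also rules out overflow in the size below */
        return NULL;
    if (src == NULL && len > 0)
        return NULL;

    d = (data_t *) mallocOrDie(sizeof(*d) + len * sizeof(long));
    d->array_len = len;
    if (len > 0)
        memcpy(d->array, src, len * sizeof(long));
    return d;
}

/* Hot path, kept as in the flagged snippet: no NULL check on mallocOrDie()
 * (it cannot return NULL) and no bound check on array[i] (array_len is
 * private to the API and was established by data_create()). The loop
 * index is size_t rather than int so it matches array_len's type. */
results_t *results_sum(const data_t *ptr)
{
    results_t *results = (results_t *) mallocOrDie(sizeof(results_t));

    results->sum = 0;
    for (size_t i = 0; i < ptr->array_len; i++) {
        results->sum += ptr->array[i];
    }
    return results;
}

int main(void)
{
    long vals[] = { 10, 20, 30, 40, 50 };   /* constructed sample input */
    data_t *d = data_create(vals, sizeof vals / sizeof vals[0]);
    results_t *r;

    if (d == NULL)
        return 1;
    r = results_sum(d);
    printf("sum = %ld\n", r->sum);
    free(r);
    free(d);
    return 0;
}
```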

People and Community versus tools

So, specifically, people (rather than tools) spending a lot of time analysing issues are what is most valuable to Open Source communities.

By the time open source infrastructure code sees use in the market that is significant enough for the likes of FOSSA to consider it 'infrastructure and important' by some metric, it is likely that it is reasonably robust and secure. As it is open source, it has some standing and is probably used by sizeable organisations that care about security or are regulated. Therefore, it has probably seen a fair bit of (automated and manual) security testing.

In fact, once an open source project has become part of the landscape every security vendor worth their salt will probably test their tools on it - and try to use it as a wonderful (because you are public) example they can talk about in their sales pitches (that is, if they find something).

It also means that the issues that remain tend to be hard, and are more likely to require structural improvements (e.g. hardening an API) and large-scale, systematic changes. These result in disproportionate amounts of time being spent on updating test cases, testing and manual validation; otherwise it would probably already have been done. To some extent this also applies to automated tooling: we see that modern/complex tools that are hard to run, require a lot of manual work to update their rule bases for false positives, or require sizeable investments (such as certain types of fuzzing, code coverage tools, automated condition testing/swaps) are used less often (but thus tend to sometimes yield promising new strains of issues).

Secondly there is the process of impact and the cost of dealing with the report and changes. Often the report will find a lot of 'low' issues and perhaps one or two serious ones. For the latter it is absolutely warranted to 'light up' the security response of an open source project, and have people rush into action to do triage, fix and follow up with responsible disclosure.

Given that the code is already open source, the same cannot be said for the 'low' issues. Generally anyone (bad actors and good actors) can find these too. So in a lot of cases it is better to work with the community to file these as bug reports; or even better - as simple issues usually have simple, non-controversial fixes - submit the fixes and associated test cases as contributions. (It is often less work for the finder of the bug to submit a technical patch and test case than to fully write up a nicely formatted PDF report.)

Bug Bounties - a Panacea?

One 'solution' which is getting a lot of media attention is that of bug bounties, where the romantic concept of a lone open source volunteer coding the internet is replaced by a lone bounty hunter - valiantly searching for holes and getting paid if they shoot first.

If we review that solution against the needs of large, stable communities that deal with relatively mature and stable infrastructure code (as opposed to commercial projects or new code that is still evolving), we have seen a number of counter-indications stack up:
  • Fees are not high enough for the expert volunteers one would need to be enticed by the fee alone 'in bulk'.

    Take the recent Azure-Linux update reporting or the Yahoo issue as examples. 5 to 10k is unlikely to come even close to the actual cost of a few weeks to a few months of engineering time at that quality level (or of compensating the years invested in training) that was required to find, analyse and report that issue.

  • The same applies for the higher 'competition' fees - topping out at 30-100k. In those cases only the first to report gets it. So your actual payment-per-issue found is lower on average; with some 4 to 8 top global teams at this level and with 2 to 4 high-value target events per year, that works out at well below 8k per team member per year on average.
That in itself has a number of ramifications:
  • The very best people will only engage in this as a hobby and (hence) for personal credit and pride; OR when they work for a vulnerability company that wants the PR and marketing.

BUT that means that it is personal credit and marketing that is the real driving value, not the money itself. So what then happens if we introduce money into this (already credit- and marketing-driven) situation?

  • Very large numbers of people without sufficient skill may be tempted --- but then one has to worry about the impact on the open source community: is dealing with reports at that level a better use of volunteers' time than having insiders look for things? Will time spent on these fixes distract from the important things?

    Should we ask people to pre-filter, or ask people managing bug hunting programmes to pre-vet or otherwise carry an administrative burden? (Keep in mind that there are third-party bug-hunting programmes for Apache code that the Apache Software Foundation has no control over.)
Secondly - we know (from various dissertations and experience) that introducing money into a volunteer arrangement has an impact on group dynamics and on how volunteers feel rewarded, or what work they seek to get rewarded for.

With that, it may be so that:
  • It is likely that 'grunt' and 'boring' work in the security area will suffer --- 'let that be done by paid folks';

  • It fundamentally shifts the non-monetary (and monetary - but not relevant as too low) reward from writing secure/good code and caring/maintaining --- to the negative: finding a flaw in (someone else's) code. So feel-good, job-well-done and other feedback cycles now bypass primary production processes (that of writing good code), or at the very least make that feedback loop involve a bug bounty party.
Finally - in complex/mature code - the class of vulnerabilities that we probably want to get fixed tend to be very costly to find/fix, and any avenue you go down has a high risk of not finding a security issue but a design/quality issue.

Bug bounty finders, unlike the coding volunteers, are NOT incentivised to report/fix these.

On top of this, they are more likely to go for the higher-reward/lower-risk kind of niggle stuff. Stuff that, without digging deeper, is likely to cause higher layers of the code to get convoluted and messy. As these groups have no incentive to reduce complexity or fix deeper issues (in fact, if one were cynical, they have every reason to stay clear of such, as it means ripe hunting grounds during periods of drought).

So at some level bug bounties are about the trade-off between rewarding (paying) a single person versus saddling a community of motivated volunteers with the fallout - not so much of genuine reports, but of everything else.

So ultimately - it is about the risks of what economists call "externalisation": making a cost affect a party who did not choose to incur that cost - or denying that party a choice in how to spend their resources most effectively.

Summary and suggestions for the next FOSSA Audits

In summary:
  1. Submitting the results of automated validation (even with some human vetting) is generally a negative contribution to security. 

  2. Submitting a specific detailed vulnerability that includes some sort of analysis as how this could be exploitable is generally a win. 

  3. Broad classes of issues which (perhaps rightly!) give you hits all over the code base are generally only worth the time spent on them if there are additional resources willing to work on the structural fixes, write the test cases and test them on the myriad of platforms and settings -- and if a lot of the analysis and planning for this work has been done prior to submitting the issue (to generally a public mailing list).

    From this it also follows that narrow and specific (and hence more "new" and "unique") is generally more likely to increase overall security; while making public the results of something broad and shallow is at best not going to decrease security.

  4. Lighting up the security apparatus of an open source project is not 'free'. People are volunteers. So consider splitting your issues into: ones that need a responsible disclosure path; and ones that can go straight to the public lists. Keep in mind that, as the code is open source, you generally can err towards the open path a bit - other (bad) actors can run the same tools and processes as you.

  5. Consider raising the bar; rather than report a potential vulnerability - analyse it; have the resources to (help) solve it and support the community with expensive things; such as the human manpower for subsequent regression testing, documentation, unit tests or searching the code for similar issues. 

  6. Security is a process; over very long periods of time. So consider if you can consistently spend resources over long periods on things which are hard to do for (isolated) volunteers. And if it is something like comprehensive fuzzing, code-coverage, condition/exchange testing - then consider the fact that it is only valuable if it is: a) done over long periods of time and b) comes with a large block of human manpower that does things like analysis of the results and updates of test cases.

  7. Anything that increases complexity is a risk; and may have long term negative consequences. As it may lead to code which is harder to read, harder to maintain or where the pool of people that can maintain it becomes disproportionally smaller. A broad sweeping change that increases complexity may need to be backed by a significant (5-10+ years) commitment of maintenance in order to be safe to implement; especially if the security improvement it brings is modest.

  8. Carefully consider threat model and actors when you are classing things a security hole - especially around APIs.

  9. Carefully consider what type of resources you want to mobilise in the wider community; and what incentivises the people and processes that are most likely to improve the overall security and safety. And take the overall, long-term, health and social patterns of the receiving community into account when such forces for good are "external". It is all too easy, in effect, to cause a "Denial of Service" style effect; no matter how well intentioned.

  10. World-class expertise is rare; and by extension - the experts are often isolated. Bringing them together for long periods of time in relatively neutral settings gives synergy which is hard to get otherwise. Consider using a JRC or ENISA setting as a base for long term committed efforts. An effort that is perhaps more about strengthening and improving large scale (IT) infrastructures and (consumer) safety - rather than security.

  11. Bug bounties are not the only option. Some open source communities have benefited from "grants" or "stipends", where a specific issue got tackled or addressed. In some cases, such as Google's Summer of Code, it is focused on relatively young people and helps train them up; in other cases it gives established experts room for a (few) year(s) to really bottom out some long standing issue.
With respect to the final point - security engineering (and its associated areas, such as privacy, trust and so on) is a "hard" thing to hire for; the market generally lacks capacity and capability. Also in Europe.

While open source's access to 'lots of eyeballs' does help; it does not magically give us access to a lot of the right eyeballs.

Yet increasing both Capacity and Capability in society does help. And that is a long process that starts early.

# # #

Thursday December 15, 2016

The Apache Software Foundation Operations Summary: August - October 2016

FOUNDATION OPERATIONS SUMMARY

Second Quarter, Fiscal Year 2017 (August-October 2016)

"With hundreds of projects and thousands of committers, the Apache Foundation has found stunning success without knuckling under to the software titans."
--Matt Asay, InfoWorld

> President's Statement: As a newly appointed President, my first priority has been to get a budget in place for the board to approve. Costs still slightly exceed revenue, but we have adequate reserve to cover this.

Focus items for both Brand Management and Fundraising include better tracking and prioritization. In the case of Fundraising, this likely means reaching out beyond the traditional technical sponsors.

The appointment of a paid Infrastructure Administrator is already showing results. Open Infrastructure positions have been backfilled and new hires are being onboarded. Priorities include resolving whether or not GitHub can be used as a master and finding ways to reduce the infrastructure costs per project. Meanwhile, uptime continues to be a point of pride for the infrastructure team. While we remain in a very healthy financial position, it never hurts to take the opportunity to ask for your support. As an individual you can donate to the Foundation (http://www.apache.org/foundation/contributing.html), as a corporation you can become a sponsor (http://www.apache.org/foundation/sponsorship.html).

Events and Community: Since our last quarterly report, we have not held any additional ApacheCon events. We do, however, have one coming up very soon, and another in the beginning stages of planning. 

We will hold Apache Big Data Europe 2016, and ApacheCon Europe 2016, in Seville, Spain, November 14-18th, at the Melia Sevilla hotel. We will be announcing the schedules for these events mid September. Details about these events may be found on the ApacheCon Website, at http://apachecon.com/ . In 2017, we plan to hold ApacheCon North America in Miami, May 15-19, at the Intercontinental Miami. Details will be published to the ApacheCon Website very soon. Sponsorship opportunities are still available for both events.

Meanwhile, we continue, as a larger community, to plan and attend an enormous number of meetups and other small events. You can see the weekly list of meetups at http://apache.org/events/meetups.html or by searching for your favorite Apache project on meetup.com.

> Committers and Contributions: Over the past quarter, 1,721 contributors committed 48,551 changes that amount to 15,102,280 lines of code across Apache projects. The top 5 contributors during this timeframe are: Mark Thomas (729 commits), Gary Gregory (614 commits), Carsten Ziegeler (546 commits), Shad Storhaug (541 commits), and Maxim Solodovnik (491 commits).

The ASF Secretary processes new Apache Committers' paperwork so that they can continue contributing to our projects. All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. 

During this timeframe, the Secretary processed 281 ICLAs, 17 CCLAs, and 7 Software Grants. The activity of Apache committers, and the community of contributors they serve, can be seen at http://status.apache.org/#commits

> Brand Management: The ASF continues to be at the forefront of what's really a new kind of organization, where our independently governed and distributed volunteer communities are in charge of managing not just their technologies and communities, but their trademarks and their whole brand and presence in the larger world.  We continue to build new educational materials to help our highly technical communities understand the larger implications of managing the brand and outward impact of their projects, including proper trademark maintenance.

The ASF is seen as a leader in trademark and brand policies, and our example is helping other FOSS communities as well as companies better understand how we can work together fairly and productively.  Our community-focused education and policy materials are the best available, and we recently expanded to provide a more generic module on Practical Trademark Law for FOSS projects.  We continue to work on improving education and mentoring for projects to ensure they understand how to best maintain their independent brand and image.

All of the ASF's education and policies around trademark law for Open Source as well as brand management is published online, and we urge project participants and software vendors alike to review and ask us questions about them: http://www.apache.org/foundation/marks/resources

On the registration front, we continue to get some projects who request registration of names or beloved logos in the US and internationally. We continue to exercise financial care with our budget by working with the relevant project communities to detail why registration is important for them to attract new project contributors around the world.

With the continued rise of prominent Apache brands and projects that power more business every year, we look to the many companies that profit from Apache software products to help respect Apache brands.

While many companies continue to properly give credit to our volunteer communities, sadly some companies continue to --or have started to-- take advantage of our non-profit work by unfairly co-opting Apache project brands or by interfering with Apache project governance. Reviewing and correcting these mis-uses is an ongoing effort for the ASF Board, the Brand Management Committee, and all Apache projects.

The Apache Brand Management team welcomes your questions on our private email list: trademarks@apache.org

> Infrastructure: The Infrastructure team has been continuing its work with puppet to create better resilience and repeatable deployment, for the set of machines and VMs under our management. Much of this work has been with the build slaves for our Jenkins and Buildbot systems, where we have added and streamlined the configuration of many new nodes. We continue to decommission our hardware, in favor of third-party hardware hosted in multiple cloud providers around the world.

The team has hired Freddy Barboza Oviedo and Chris Thistlethwaite, who will join the team in November. With Freddy, Chris, and (previously-reported) Greg joining the team this quarter, we hope to better serve the vast number of users of the Foundation infrastructure.

Beyond retiring technical debt and bringing puppet to our services, we continue to work on providing GitHub's toolset to our projects in a way that maintains our community and legal needs. This service will be rolled out incrementally for a limited set of test projects, and is expected to be available to all projects some time in 2017.

We saw 477 issues opened during the quarter, with 416 of those already closed. Another 38 issues were closed, leaving us with a net increase of a couple dozen issues. We are hopeful that our increased staffing levels will reverse this trend and provide better service to our users.

During the quarter, the services offered by the Infrastructure team maintained an uptime of 99.75%, beating our goal of 99.50% for critical services and easily beating the goals for less critical services. Our work with puppet and multiple cloud providers has greatly improved our ability to maintain a high level of uptime.

> Financial Statement:


> Fundraising:
The ASF Fundraising team closes another strong quarter. Four more organizations joined our family of sponsors. The growth in the number of sponsors is consistent with the overall growth of the foundation. We continue our efforts to engage with existing and potential sponsors and we are looking forward to more sponsors joining in the following quarters.

The ASF enjoys the support of the same 7 Platinum Sponsors: Cloudera, Facebook, Google, LeaseWeb, Microsoft, Pivotal and Yahoo. With Huawei upgrading to Gold we now benefit from the support of 9 Gold Sponsors: ARM, Bloomberg, Comcast, Hortonworks, HP, Huawei, IBM, ODPi and PhoenixNap; and 14 Silver Sponsors: Alibaba Cloud Computing, Budget Direct, Capital One, Cerner, Confluent, InMotion Hosting, iSIGMA, Private Internet Access, Produban, Red Hat, Serenata Flowers and Wandisco, with the addition of Cash Store and Target, the ASF's newest Silver Sponsors. The number of Bronze Sponsors has also increased in the second quarter from 19 to 21. The number of Infrastructure Sponsors remained unchanged; the ASF infra@ team continues to rely on the help and support of: The OSE Open Source Labs, SURFnet, Freie Universitat Berlin, Quenda, PagerDuty, Symantec, No-IP, Bintray, Hotwax Systems, Rackspace and Sonatype.

As we always do, we want to use this opportunity too to express our gratitude to our generous sponsors. Our operations continue uninterrupted because of our sponsors' support and for that they deserve our most sincere thanks.

# # #

Report prepared by Sally Khudairi, Vice President Marketing & Publicity, with contributions by Sam Ruby, ASF President; Rich Bowen, Vice President Conferences; Shane Curcuru, Vice President Brand Management; Greg Stein, ASF Infrastructure Administrator; Tom Pappas, ASF Member and Vice President, Finance & Accounting at Virtual, Inc.; and Hadrian Zbarcea, Vice President Fundraising.


For more information, subscribe to the announce@apache.org mailing list and visit http://www.apache.org/, the ASF Blog at http://blogs.apache.org/, and the @TheASF on Twitter.

(c) The Apache Software Foundation 2016.

Friday December 09, 2016

The Apache News Round-up: week ending 9 December 2016

Another brilliant week with the following accomplishments from the Apache community:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 December 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

Introducing Success at Apache –a new monthly blog series that focuses on the processes behind why the ASF "just works".
 - Success at Apache: Project Independence https://s.apache.org/CE0V

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield "three nines" performance at 99.91% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Session slides + photos available at http://bit.ly/2gTgdYK; recordings are being processed and posted at Feathercast http://feathercast.org

Apache Community Development –helps those new to the ASF and Apache Projects take their first steps towards being a part of the Apache community.
 - REMINDER TO ASF COMMITTERS: please complete the Apache Community Development Diversity Survey (check your @apache.org email)

Apache Apex™ –an enterprise-grade native YARN big data-in-motion platform that unifies stream and batch processing.
 - Apache Apex Malhar 3.6.0 released http://apex.apache.org/downloads.html

Apache Hive™ –Big Data warehouse software that facilitates querying and managing large datasets residing in distributed storage.
 - Apache Hive 2.1.1 released https://hive.apache.org/downloads.html

Apache Jackrabbit™ –a fully compliant implementation of the Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).
 - Apache Jackrabbit 2.12.6, 2.13.5, and Jackrabbit Oak 1.5.14 released http://jackrabbit.apache.org/downloads.html

Apache NiFi™ MiNiFi –a complementary data collection approach that supplements the core tenets of NiFi in dataflow management, focusing on the collection of data at the source of its creation.
 - Apache NiFi MiNiFi 0.1.0 and C++ 0.0.1 released http://nifi.apache.org/minifi/download.html

Apache PDFBox™ –an Open Source Java tool for working with PDF documents.
 - Apache PDFBox 1.8.13 released http://pdfbox.apache.org/download.cgi


Did You Know?

 - Did you know that the following Apache projects are celebrating anniversaries in December? Apache Portable Runtime (16 years); Logging Services (13 years); Cayenne, OFBiz, and Tiles (10 years); Synapse (9 years); Camel (8 years); Aries (6 years); ACE (5 years); Flex and Wink (4 years); Helix (3 years); Falcon and Flink (2 years) --many happy returns! https://projects.apache.org/

 - Did you know that an immersive introduction to the ASF for newcomers is available at the Community Development (ComDev) site? http://community.apache.org/

 - Did you know that PayPal cuts costs tenfold by using continuous integration tools including Apache Aurora and Apache Mesos? http://aurora.apache.org/ and http://mesos.apache.org/


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Monday December 05, 2016

Success at Apache: Project Independence

By Mark Thomas

I've been involved in The Apache Software Foundation (ASF) since 2003. I was using Apache Tomcat at work and I hit a problem that needed a new feature to be implemented. There was already an enhancement request in Bugzilla so I submitted a patch. After some re-work by the project committers, the patch was applied and the feature available in the next release. I enjoy problem solving, so I started to take a look at the other open Tomcat bug reports and my involvement grew from there to include Apache Commons, the Infrastructure Team, the Security Team and, most recently, the Board of Directors to which I was elected in March 2016.

Apache Tomcat has always been at the heart of my involvement and is where I spend most of my time. Tomcat started with a donation to the ASF by Sun in 1999 and, some seven major versions later, the project continues to be very successful. A significant part of that success is due to the involvement of a wide range of individuals from different companies. The reason those companies are happy co-operating on Tomcat is because of the importance the ASF places on project independence.

There are many aspects to project independence but, for me, the most important is that committers and Project Management Committee (PMC) members contribute to the project as individuals and do so with the intention of doing what is best for the community as a whole. Some committers contribute in their free time – I did for the first five years or so with Tomcat – and some are allowed/directed to spend time contributing to Apache projects by their employer. However, those committers contributing on their employer's time still need to act in the best interests of the community rather than the best interest of their employer.

To give a specific example, my employer has a product that is built around Apache Tomcat. The sales folks at my employer asked if I could add a feature to this product. The problem was that this feature required access to low-level Tomcat internals in order to implement it effectively. For this to be possible, I would have needed to make some ugly API changes to Tomcat to provide the integration points required. Rather than try and push those changes through, I persuaded my employer that it would be better to donate the entire feature to the Apache Tomcat project.

This feature also demonstrates other important elements of a successful ASF project: the ability to make decisions in public and always aiming to achieve community consensus with those decisions. As the development of this new feature progressed, the design evolved as the community reviewed the commits and suggested improvements. This isn't always the quickest way of working but the quality of the end result – both technically but more importantly in terms of community health - more than makes up for that.

The perception of project independence is as important as projects actually being independent. It is a key factor in many projects choosing the ASF as their home so projects need to ensure that the perception agrees with reality.

Things can and do go wrong. With 350 projects it is pretty much a given that there will be a handful of ongoing issues at any given time. For example, there might be an attempt to push a project in a particular direction or to suggest that some external entity controls / leads / manages the project. Typically these are self-corrected by the PMC. Sometimes the PMC needs help to resolve the issue e.g. from V.P. Brand Management or possibly the ASF Board.

Being a board member is often viewed as more significant than it is. I have no more status in Apache Tomcat, Apache Commons or any other project as a board member than I did before my election to the board. I can still have bad ideas and my fellow community members still point it out when it happens. I don't get to always have my way just because I am a board member. It is the board as a whole, rather than the individual board members, whose voice carries significant weight. It is fairly rare for any board member to speak on behalf of the board. To give that some context, I've probably done it no more than once a month since joining the board. It is sufficiently rare that board members always include an explicit "on behalf of the board" when speaking for the board rather than as an individual. Sometimes this point isn't appreciated and the views of an individual board member are incorrectly taken to be the views of the board.

The ASF board is also very different to a corporate board. The board manages the Foundation but it is the PMC that manages the project and sets the direction. The board has no role in the technical direction of a project. The board has responsibility for corporate governance, finance, legal etc., but its primary role is monitoring, mentoring and coaching our project communities to help keep them healthy. As part of this, the board reviews all projects on a regular basis. Newly graduated projects are reviewed monthly for typically 3 months before moving to quarterly reviews. The project V.P. (PMC Chair) is an important part of this. They are the eyes and ears of the board. While the board will look for warning signs as part of its regular review, the V.P. has much more in depth knowledge of the project and can flag specific issues early. Where issues are identified, the aim is to get the PMC to self-correct. The board will provide mentoring / coaching / guidance as necessary but it will be the PMC members who do the work to correct the issue.

As an example of the board working with a PMC, earlier this year the V.P. for a particular project became unavailable. The board became concerned because the regular reports were not being produced for the project. In this instance, no-one else on the PMC had experience of being a project V.P. so the board worked with the PMC to identify a new V.P. and to then mentor the new V.P. as they found their way in their new role.

For the last 17 years, the ASF has provided a home for a large and diverse set of open source projects. Key to this success has been the importance the ASF places on project independence as part of the Apache Way. By continuing to adhere to the principles of the Apache Way, I am confident that the ASF will continue to be successful for another 17 years and a long way beyond.

Friday December 02, 2016

The Apache News Round-up: week ending 2 December 2016

Welcome, December! We've wrapped up another great week with the following activities:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 December 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield performance once again at the "three nines" at 99.90% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Session slides + photos available at http://bit.ly/2gTgdYK; recordings are being processed and posted at Feathercast http://feathercast.org

Apache Community Development –helps those new to the ASF and Apache Projects take their first steps towards being a part of the Apache community.
 - REMINDER TO ASF COMMITTERS: please complete the Apache Community Development Diversity Survey (check your @apache.org email)

Apache Drill™ –a distributed MPP query layer that supports SQL and alternative query languages against NoSQL and Hadoop data storage systems. It was inspired in part by Google's Dremel.
 - Apache Drill 1.9.0 released https://drill.apache.org/download/

Apache Kylin™ –an Open Source Distributed Analytics Engine designed to provide SQL interface and multi-dimensional analysis (OLAP) on Apache Hadoop, supporting extremely large datasets.
 - Apache Kylin 1.6.0 released https://www.apache.org/dyn/closer.cgi?path=/kylin/apache-kylin-1.6.0/

Apache OFBiz™ –an Open Source product for the automation of enterprise processes that includes framework components and business applications.
 - Apache OFBiz 16.11.01 released http://ofbiz.apache.org/download.html
 - CVE-2016-4462 OFBiz template remote code vulnerability and CVE-2016-6800 Apache OFBiz blog stored XSS vulnerability http://ofbiz.apache.org/download.html#vulnerabilities

Apache Subversion™ –exists to be universally recognized and adopted as an Open Source, centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage; and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations.
 - Apache Subversion 1.8.17 released http://subversion.apache.org/download/#supported-releases
 - Apache Subversion 1.9.5 released http://subversion.apache.org/download/#recommended-release


Did You Know?

 - Did you know we recommend those running an event based on an Apache project to review the Event Branding Overview? http://www.apache.org/foundation/marks/events

 - Did you know that the Japan National Police Agency uses Apache Wicket for its opinion box? http://wicket.apache.org/

 - Did you know that the Apache Project Maturity Model defines a structure for evaluating ASF projects (communities + technology), and has served as an example for other communities as well? http://community.apache.org/apache-way/apache-project-maturity-model.html


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Friday November 25, 2016

The Apache News Round-up: week ending 25 November 2016

We're closing out quite a productive month with the following activities:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 December 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield perky performance at 99.83% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - CFP OPEN: Apache: Big Data and ApacheCon North America 16-18 May 2017/Miami http://apachecon.com/
 - Recordings of sessions are being processed and posted at Feathercast http://feathercast.org

Apache Community Development –helps those new to the ASF and Apache Projects take their first steps towards being a part of the Apache community.
 - The Apache Community Development Team Prepares to Send Out its First Diversity Survey http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3Cpony-31e1cbf2b23a01ea035ee3323fe2ab95950c8284-dc1f345f30800e5cbef086a8801c55be77bc49c3%40announce.apache.org%3E

Apache CloudStack™ CloudMonkey –can be used both as an interactive shell and as a command line tool that enables cloud administrators and users to easily manage configuration and management of Apache CloudStack clouds.
 - Apache CloudStack CloudMonkey 5.3.3 released http://cloudstack.apache.org/downloads.html

Apache Geode™ –Big Data in-memory data grid used by hundreds of enterprises to power mission-critical low latency, high concurrency transactional applications at extreme scale.
 - The Apache Software Foundation Announces Apache® Geode™ as a Top-Level Project https://s.apache.org/vS44

Apache Jackrabbit™ Oak –a fully conforming implementation of the Content Repository for Java Technology API (JCR)
 - Apache Jackrabbit Oak 1.2.21 released http://jackrabbit.apache.org/downloads.html

Apache jclouds™ –an Open Source multi-cloud toolkit for the Java platform that gives you the freedom to create applications that are portable across clouds while giving you full control to use cloud-specific features.
 - Apache jclouds 1.9.3 released http://www.apache.org/dyn/closer.lua/jclouds

Apache JMeter™ –a 100% pure Java application designed to test server applications.
 - Apache JMeter 3.1 released http://jmeter.apache.org/download_jmeter.cgi

Apache POI™ –a Java library for reading and writing Microsoft Office files.
 - Apache POI 3.16 released https://www.apache.org/dyn/closer.lua/poi/release/RELEASE-NOTES.txt

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.
 - CVE-2016-6816 Apache Tomcat Information Disclosure http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3C60944c86-3492-4e03-4d2b-fd4d9736f0d9%40apache.org%3E
 - CVE-2016-8735 Apache Tomcat Remote Code Execution http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3Cac0f27e5-121b-ceac-eb1e-954ee54d65ac%40apache.org%3E
 - CVE-2016-6817 Apache Tomcat Denial of Service http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3Ca9a2bf36-012a-2d10-28eb-4d2c33db3ddf%40apache.org%3E


Did You Know?

 - Did you know that Apache Groovy is one of the most widely used alternative languages for the JVM (Java virtual machine), with ~12M downloads per year? http://groovy.apache.org/

 - Did you know that Airbnb uses Apache Kafka in their billing system? http://kafka.apache.org/

 - Did you know that Apache SenSoft (incubating) is a Software-as-a-Sensor™ usability testing platform? http://incubator.apache.org/projects/senssoft.html


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America and Apache:BigData will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Monday November 21, 2016

The Apache Software Foundation Announces Apache® Geode™ as a Top-Level Project

Open Source Big Data in-memory data grid used by hundreds of enterprises to power mission-critical low latency, high concurrency transactional applications at extreme scale.

Forest Hill, MD —21 November 2016— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® Geode™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.

Apache Geode is an Open Source in-memory data grid that provides transactional data management for scale-out applications needing low latency response times during high concurrent processing.

"Graduating as a Top-Level Project marks an important milestone for Apache Geode," said Mark Bretl, Vice President of Apache Geode. "Our community is proud to champion a diverse group of developers and users whose support has helped Geode reach a sustainable level of maturity."

The Geode codebase was originally developed by Gemstone Systems in 2002. GemFire, the original commercial distribution of Geode, was first widely adopted by the financial sector as the transactional, low-latency data engine used in Wall Street trading platforms. Pivotal®, which owns the GemFire technology, submitted the Geode code to the Apache Incubator in April 2015.

"We are excited to see Geode graduate from the Apache Incubator to a Top-Level Project. It's quite a feat to transform a mature commercial product into a widely adopted open source project," said Elisabeth Hendrickson, VP of Big Data R&D at Pivotal. "The committers in Geode have worked hard at building community and making the project accessible to newcomers, paving the way for developers everywhere to benefit from a proven in memory data grid technology."

Since entering the Apache Incubator, the project has had significant increases in the number of independent developers contributing to the code, as well as organizations incorporating Apache Geode in their deployments and solutions. Today, over 600 enterprises use the technology behind Apache Geode for high-scale business applications that must meet low latency and 24x7 availability requirements, such as financial risk analysis systems, high volume eCommerce Websites, and transportation & logistics management.

"zData has been deploying big solutions with the technology of Apache Geode well before it became open source software. We look forward to helping more of our customers enjoy the speed, reliability, and scale that Apache Geode brings to any application architecture."
-- Dillon Woods, CTO, zData Inc.

"Apache Geode is an important component of Capgemini's Business Data Lake and fast reacting business scale out analytics solutions. Capgemini congratulates the Apache Geode community on becoming a top level project in The Apache Software Foundation." 
-- Steve Jones, Global Vice President, Big Data, Capgemini

"Apache Apex provides direct support for Apache Geode. Geode helps Apex deployments by providing fast, fault-tolerant storage and query support for stream processing data. Data Torrent welcomes Apache Geode as a peer project of Apache Apex."
-- Amol Kekre, CTO at Data Torrent

"Apache Geode is an important component of Ampool Active Data Store. It provides scale-out in-memory processing with transactional consistency. We've been enthusiastic users of Apache Geode since its beginning, and look forward to this next phase."
-- Milind Bhandarkar, CEO at Ampool

"Through the incubation process we have worked to create an open and collaborative community for developers and users to work together, and look forward to seeing new contributions, feedback, bug reports, and subscribers to the Geode email lists," added Bretl.

The Apache Geode project welcomes contributions and community participation through mailing lists, face-to-face MeetUps, Geode Clubhouse online, and other events such as the Apache: Big Data conference series.

Availability and Oversight
Apache Geode software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For project updates, downloads, documentation, and ways to become involved with Apache Geode, visit http://geode.apache.org/ and @ApacheGeode.

About the Apache Incubator
The Apache Incubator is the entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects wishing to join the ASF enter through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 620 individual Members and 5,500 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Cerner, Cloudera, Comcast, Confluent, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, iSigma, LeaseWeb, Microsoft, OPDi, PhoenixNAP, Pivotal, Private Internet Access, Produban, Red Hat, Serenata Flowers, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "Geode", "Apache Geode", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

Friday November 18, 2016

The Apache News Round-up: week ending 18 November 2016

As we wrap up a wonderful conference week in Seville brimming with All Things Apache, our community has also been working on:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 December 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield perky performance at 99.83% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - Save the date: ApacheCon North America will be held 16-18 May 2017 in Miami http://apachecon.com/

Apache Commons™ JCS –a distributed, versatile caching system.
 - Apache Commons JCS 2.0-beta-2 released https://commons.apache.org/proper/commons-jcs/download_jcs.cgi

Apache Commons RDF (incubating) –aims to provide a common Java API for RDF 1.1 graphs and datasets.
 - Apache Commons RDF 0.3.0-incubating released https://commonsrdf.incubator.apache.org/download

Apache Jena™ –an Open Source Java-based framework for building Semantic Web and Linked Data applications.
 - Apache Jena 3.1.1 released http://jena.apache.org/download/maven.html

Apache Jackrabbit™ Oak –a fully conforming implementation of the Content Repository for Java Technology API (JCR)
 - Apache Jackrabbit Oak 1.4.10 and 1.5.13 released http://jackrabbit.apache.org/downloads.html

Apache jclouds™ –Open Source multi-Cloud toolkit in use and supported by Adobe, Amazon Web Services, Apache CloudStack, Docker, Google Cloud Platform, Mesosphere, Microsoft Azure, OpenStack, Rackspace, RedHat, and many others.
 - Apache jclouds 2.0.0 released http://www.apache.org/dyn/closer.lua/jclouds
 - The Apache Software Foundation Announces Apache® jclouds™ v2.0 https://s.apache.org/LkRY

Apache Solr™ –the blazing fast search server built on Apache Lucene.
 - Apache Solr Reference Guide for 6.3 released https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.3.pdf

Apache Streams (incubating) –unifies a diverse world of digital profiles and online activities into common formats and vocabularies, and makes these datasets accessible across a variety of databases, devices, and platforms for streaming, browsing, search, sharing, and analytics use-cases.
 - Apache Streams 0.4-incubating released http://www.apache.org/dyn/closer.cgi/incubator/streams/releases/0.4-incubating/

Apache SystemML (incubating) –provides declarative large-scale machine learning (ML) that aims at a flexible specification of ML algorithms and automatic generation of hybrid runtime plans ranging from single-node, in-memory computations, to distributed computations on Apache Hadoop MapReduce and Apache Spark.
 - Apache SystemML 0.11.0-incubating released http://systemml.apache.org/

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.
 - Apache Tomcat 7.0.73 released http://tomcat.apache.org/download-70.cgi
 - Apache Tomcat 8.0.39 released http://tomcat.apache.org/download-80.cgi

Did You Know?

 - Did you know that The ASF now has 620 Members and 5,511 Committers? https://twitter.com/davsclaus/status/798887129141182465

 - Did you know that at The ASF all projects operate on-list? https://community.apache.org/lists.html

 - Did you know that algorithms in Apache MADlib (incubating) are implemented to provide highly parallel processing? http://incubator.apache.org/projects/madlib.html


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon North America will be held 16-18 May 2017 in Miami  http://apachecon.com/

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Tuesday November 15, 2016

The Apache Software Foundation Announces Apache® jclouds™ v2.0
Friday November 11, 2016

The Apache News Round-up: week ending 11 November 2016

Whether you're observing Remembrance Day, Veteran's Day, Single's Day, or simply making a wish on 11/11, the Apache community is convening for next week's conferences in Seville. And, per usual, the Apache machine continues to turn:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 November 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield perky performance at 99.86% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - Starting Monday! Apache: Big Data followed by ApacheCon Europe/Seville http://apachecon.com/

Apache Directory™ –an ongoing effort to provide an enhanced LDAP API, as a replacement for JNDI and the existing LDAP API (jLdap and Mozilla LDAP API).
 - Apache Directory LDAP API 1.0.0-RC2 released http://directory.apache.org/api/downloads.html
 - Apache Directory Studio 2.0-0-M12 released http://directory.apache.org/studio/downloads.html

Apache Fortress™ –provides a Role-Based Access Control system that is fully ANSI INCITS 359 compliant and production ready.
 - Apache Fortress 2.0.0-RC1 released http://directory.apache.org/fortress/downloads.html

Apache Knox™ –a REST API Gateway for providing secure access to the data and processing resources of Hadoop clusters.
 - Apache Knox 0.10.0 released http://www.apache.org/dyn/closer.cgi/knox/0.10.0

Apache Jackrabbit™ –a fully conforming implementation of the Content Repository for Java Technology API (JCR).
 - Apache Jackrabbit 2.12.5 released http://jackrabbit.apache.org/downloads.html

Apache Lucene™ –a high-performance, full-featured text search engine library written entirely in Java.
 - Apache Lucene 6.3.0 released http://lucene.apache.org/core/mirrors-core-latest-redir.html
 - Apache Solr 6.3.0 released http://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Apache OpenMeetings™ –provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.
 - CVE-2016-8736: Apache Openmeetings RMI Registry Java Deserialization RCE http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3CCAJmbs8i2AFb9ddx2HDSea-XLkR7rRFeM05epxtQzDzSa6ZST3A%40mail.gmail.com%3E

Apache Tika™ –a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
 - Apache Tika 1.14 released http://www.apache.org/dyn/closer.cgi/tika/apache-tika-1.14-src.zip

Apache Tomcat™ –an Open Source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.
 - Apache Tomcat 9.0.0.M13 released http://tomcat.apache.org/download-90.cgi
 - Apache Tomcat 8.5.8 released http://tomcat.apache.org/download-80.cgi

Apache Traffic Server™ –a fast, scalable and extensible HTTP/1.1 compliant caching proxy server. 
 - Apache Traffic Server v7.0.0 released http://trafficserver.apache.org/downloads

Apache Wicket™ –an Open Source Java component oriented Web application framework.
 - CVE-2016-6806: Apache Wicket CSRF detection vulnerability http://mail-archives.apache.org/mod_mbox/www-announce/201611.mbox/%3CCAB63Y-cZ+ZydQB=zPKNJDFyb-AgSV2ba=FA9wqz7rDQw_hemNQ@mail.gmail.com%3E


Did You Know?

 - Did you know that each BarCamp Apache is different, based on the individuals, ideas, and communities participating? http://feathercast.apache.org/apachecon-europe-2016-barcamp-apache/

 - Did you know that Apache CouchDB was instrumental in providing offline-first applications in the 2014-2015 Ebola outbreak in West Africa? http://couchdb.apache.org/

 - Did you know that Apache Project anniversaries in November include: Labs (10 yrs); HTTP Components (9 yrs); Abdera, Attic, Buildr, CouchDB, and Qpid (8 yrs); Community Development (7 yrs); OODT and ZooKeeper (6 yrs); Kafka and Syncope (4 yrs); Ambari and Marmotta (3 yrs); BookKeeper, DeviceMap, Drill, and MetaModel (2 yrs); and Brooklyn, Groovy, Kylin, and REEF (1 yr)? Many happy returns to all!


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon Europe will take place 14-18 November 2016 in Seville, Spain http://apachecon.com/

 - ApacheCon North America will be held 16-18 May 2017 in Miami. Details coming.

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #

Friday November 04, 2016

The Apache News Round-up: week ending 4 November 2016

Welcome November! As we're busily preparing for our upcoming conferences in Seville, the Apache community has also been working on the following:

ASF Board –management and oversight of the business and affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 November 2016. Board calendar and minutes available at http://apache.org/foundation/board/calendar.html

ASF Infrastructure –our distributed team on four continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield perky performance at 99.87% uptime http://status.apache.org/

ApacheCon™ –the official conference series of The Apache Software Foundation.
 - Join us at Apache: Big Data and ApacheCon Europe/Seville http://apachecon.com/

Apache BVal™ –an implementation of the Java Bean Validation specification.
 - Apache BVal 1.1.2 released http://www.apache.org/dyn/closer.cgi/bval/1.1.2/

Apache Calcite™ –a framework for writing data management systems.
 - Apache Calcite Avatica 1.9.0 released https://www.apache.org/dyn/closer.cgi/calcite/apache-calcite-avatica-1.9.0/

Apache CloudStack™ –deploys and manages large networks of virtual machines as a highly available, highly scalable Infrastructure as a Service (IaaS) Cloud computing platform.
 - CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability http://mail-archives.apache.org/mod_mbox/www-announce/201610.mbox/%3CCAJtfqCupOYQoNY2BNx86_zauses_MpmpiX8WciO_DEaWp6uNig%40mail.gmail.com%3E

Apache Derby™ –a pure Java relational database engine that conforms to the ISO/ANSI SQL and JDBC standards.
 - Apache Derby 10.13.1.1 released http://db.apache.org/derby/derby_downloads.html

Apache Fluo (incubating) –a distributed system for incrementally processing large data sets stored in Apache Accumulo.
 - Apache Fluo Recipes 1.0.0-incubating released https://fluo.apache.org/release/fluo-recipes-1.0.0-incubating/

Apache Geode (incubating) –a data management platform that provides a database-like consistency model, reliable transaction processing and a shared-nothing architecture to maintain very low latency performance with high concurrency processing.
 - Apache Geode 1.0.0-incubating released http://geode.incubator.apache.org/releases/

Apache MINA™ –a network application framework which helps users develop high performance and high scalability network applications easily by providing an abstract, event-driven, asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.
 - Apache MINA 2.0.16 released http://mina.apache.org/downloads.html
 - Apache FtpServer 1.1.0 released http://mina.apache.org/ftpserver/downloads.html

Apache S2Graph (incubating) –a graph database designed to handle transactional graph processing at scale.
 - Apache S2Graph 0.1.0-incubating released http://mirror.navercorp.com/apache/incubator/s2graph/0.1.0-incubating/


Did You Know?

 - Did you know that you can share what you're planning to work on at ApacheCon? https://blogs.apache.org/conferences/entry/what_are_you_working_on

 - Did you know that Astronomer uses Apache Airflow (incubating) to create a modern platform for building data pipelines? http://incubator.apache.org/projects/airflow.html

 - Did you know that over the past month 2,488 people created 7,524 new issues, and 811 people closed 6,212 issues? Top 3 topics: HBase, YARN, and CommonsRDF! 


Apache Community Notices:

 - The list of Apache project-related MeetUps can be found at http://apache.org/events/meetups.html

 - Find out how you can participate with Apache community/projects/activities --opportunities open with Apache HTTP Server, Avro, ComDev (community development), Directory, Incubator, OODT, POI, Syncope, Tika, Trafodion, Zest, and more! https://helpwanted.apache.org/

 - ApacheCon Europe will take place 14-18 November 2016 in Seville, Spain http://apachecon.com/

 - ApacheCon North America will be held 16-18 May 2017 in Miami. Details coming.

 - The ASF Q1 FY2017 Report is available at https://s.apache.org/1BsV

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

 - Show your support for Apache with ASF-approved swag from http://www.zazzle.com/featherwear and http://s.apache.org/landsend --all proceeds benefit the ASF!

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

# # #