The Apache Software Foundation Blog

Friday January 31, 2020

Apache Software Foundation Security Report: 2019

Synopsis: This report explores the state of security across all Apache Software Foundation projects for the calendar year 2019. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.

Released: 31 January 2020

Author: Mark Cox, Vice President Security, The Apache Software Foundation

Background
The security committee of The Apache Software Foundation (ASF) oversees and co-ordinates the handling of vulnerabilities across all of the 300+ Apache projects.  Established in 2002 and made up entirely of volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.

Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or project management committees (PMC) to handle.  The security committee see all the issues reported across all the addresses and keep track of the issues throughout the vulnerability lifecycle.  

The security committee is responsible for ensuring that issues are dealt with properly and will actively remind projects of their outstanding issues and responsibilities.  As a board committee, we have the ability to take action if a project is unresponsive in handling its security issues, including blocking its future releases or, in the worst case, archiving the project.  This, along with the Apache Software License, is a key part of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.

The oversight into all security reports, along with tools we have developed, gives us the ability to easily create statistics on the issues. 

Statistics for 2019
In 2019 our security addresses received in total over 18,000 emails. After spam filtering and thread grouping this comes to 620 non-spam threads.  Unfortunately many security reports do look like spam and so the security team are careful to review all messages to ensure real reports are not missed for long.



Diagram 1: Breakdown of ASF security email threads for calendar year 2019*

Diagram 1 gives the breakdown of those 620 threads.  138 threads (22%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, users can get confused when they see the Apache License and they don't understand what it is.  This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.

The next 162 of the 620 (26%) are email threads that are not spam but are also not reports of new vulnerabilities.  These are generally people asking support-type questions or how old vulnerabilities were dealt with.

That left 320 reports of new vulnerabilities in 2019, which spanned 84 of the top level projects.  These 320 reports are a mix of both external and internal reports; for example, where a project has found an issue themselves and followed the ASF process to assign it a CVE name and address it.  Note that we don’t track the reporter affiliation, and ASF reporters often use non-ASF email addresses for reporting, so we can’t give a breakdown of internal vs external reports.

The next step is that the appropriate project triages the report to see if it's really an issue or not.  At this stage invalid reports, or things that are not actually vulnerabilities at all, get rejected back to the reporter.  The remaining issues that are accepted are assigned appropriate CVE names and eventually fixes are released.

As of January 1st 2020, 19 of those 320 reports were still under triage (i.e. the project had not yet determined if the report is accepted or rejected).  The process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The timeline for the fixing of issues depends on the schedules of the projects themselves and issues of lower severity are most often held to future pre-planned releases.  

The remaining closed 301 reports led to us assigning 122 CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handle CVE name allocation and are a Mitre Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts Mitre directly or goes public with an issue before contacting us. 

Noteworthy events
During 2019 there were a few events worth discussion; either because they were severe and high risk, they had readily available exploits, or otherwise due to media attention.   These included:

  • January 2019: Securonix published a report outlining an increase in attacks on Apache Hadoop instances that have not been configured with authentication.  Public exploits and a Metasploit module exist to perform remote code execution on unprotected Hadoop YARN systems.

  • April 2019: A flaw in Apache HTTP Server 2.4 (CVE-2019-0211).  A user who has access to write scripts on a web server could elevate those privileges to root.  A public exploit is available for this issue.

  • April 2019: A flaw in older versions of Apache Axis that parsed a file retrieved insecurely from an expired domain, allowing remote code execution (CVE-2019-0227).

  • June 2019: Jonathan Leitschuh contacted us after finding a number of Java build dependencies were being downloaded over insecure paths (i.e. HTTP rather than HTTPS).  We did not classify these as security vulnerabilities in themselves as exploiting them would require MITM attacks at build time.  We worked with ASF projects including those identified by the reporter to ensure that we use secure URLs.  Now, in 2020, a number of repositories are requiring secure URLs.

  • August 2019: The Black Duck Synopsys team reviewed older Struts releases and advisories and found some discrepancies in the reported affected versions.   The Struts team worked through their findings and issued corrections where needed.  This can be important if users are running older versions that they don't think are affected by an issue based on the advisories, but they actually are.  However, those same users are likely vulnerable to the other issues that have since been fixed and so we'd always recommend users upgrade to the latest version of Struts to ensure they have a version that contains fixes for all the published security issues.

  • August 2019: Netflix found a number of denial of service vulnerabilities affecting various HTTP/2 implementations. ASF projects containing HTTP/2 implementations investigated and analysed the issues reported. Both Apache HTTP Server and Apache Traffic Server released updates to address denial of service issues that affected them.  Apache Tomcat also made performance improvements to HTTP/2 handling but the issues were not classed as denial of service.

  • September 2019: A RiskSense report highlighted vulnerabilities known to be used by Ransomware which included four in ASF projects.  The four vulnerabilities were all fixed in earlier years and all had updates and mitigations available before any ransomware took advantage of them.  Users should always ensure they pay attention to security updates in any ASF projects they use and prioritise updating for any remote or critical vulnerabilities. The four vulnerabilities were:

     -- CVE-2016-3088 in Apache ActiveMQ.  Targeted by XBash, this issue was trivial to exploit.  It was fixed in ActiveMQ 5.14.0 and mitigation was also available.

     -- CVE-2017-12615 in Apache Tomcat.  It is surprising to see this issue on the list as the flaw only affects a non-default and quite unlikely configuration.  However, it's an issue that is probed by Lucky (a variant of "Satan"), so if there is a server configured in this way it will get exposed. This issue only affected Windows platforms on non-default config, it was fixed in Tomcat 7.0.81, and mitigation is also available.  Note that Lucky will also do brute force attacks targeting weak passwords on accessible Tomcat Web Admin consoles.

     -- CVE-2017-5638 in Apache Struts.  This issue is known to be exploited in the wild, however the first exploitation was discovered after the advisory and fix were published.  Used by Lucky (a variant of Satan).  It was fixed in Struts 2.3.32 and 2.5.10.1, and a mitigation is also available.

     -- CVE-2018-11776 in Apache Struts.  This issue is also used by Lucky.  It was fixed in Struts 2.3.35 and 2.5.17; a possible mitigation is available but upgrading is advised.

  • Dec 2019: A flaw in Apache Olingo allowing XML External Entity (XXE) attacks (CVE-2019-17554).  This issue could be used, for example, to retrieve arbitrary files from a server.  A public exploit example exists for this issue.

  • A number of flaws in Apache Solr through the year that could allow remote code execution.  Public exploits exist for some of the issues as well as a Metasploit module.

  • The European Commission EU-FOSSA 2 project sponsored bug bounty programs for users finding security issues in both Apache Kafka and Apache Tomcat.  No issues were fixed in Apache Kafka.  Two issues were fixed in Apache Tomcat: CVE-2019-0232 (Important severity, affecting Windows platforms, public exploits including a Metasploit module are available) and CVE-2019-0221 (Low severity).   As well as running the bug bounties, EU-FOSSA 2 also sponsored a successful hackathon in June 2019.
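
The June 2019 item above concerns build dependencies resolved over HTTP rather than HTTPS. The following Python check is an added example, not part of the original report or of any ASF tooling: it lists the repository declarations in a Maven POM that use a plain-HTTP URL. The function name, the sample POM and the example.org hosts are constructed for illustration.

```python
"""Flag Maven repository declarations that resolve artifacts over plain HTTP.

Added illustration; SAMPLE_POM and every host name in it are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements whose <url> child names a location that artifacts are fetched from
# (pom.xml repositories, distributionManagement, and settings.xml mirrors).
REPO_ELEMENTS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

# Loopback URLs never cross the network, so a MITM at build time does not apply.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample. Note the xmlns value is only a namespace identifier;
# it is never downloaded and must not be reported.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>legacy-releases</id>
      <url>http://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>secure-releases</id>
      <url>https://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>local-proxy</id>
      <url>http://localhost:8081/repository/maven</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>legacy-plugins</id>
      <url>http://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repositories(pom_text):
    """Return (element, id, url) for each repository declared with http://.

    Intended for build files you already trust enough to build from.
    """
    root = ET.fromstring(pom_text)
    findings = []
    for elem in root.iter():
        kind = local_name(elem.tag)
        if kind not in REPO_ELEMENTS:
            continue
        # Collect the direct children (<id>, <url>, ...) of this declaration.
        fields = {local_name(c.tag): (c.text or "").strip() for c in elem}
        url = fields.get("url", "")
        if not url:
            continue
        parts = urlsplit(url)
        # Unresolved properties such as ${repo.url} have no scheme and are skipped.
        if parts.scheme.lower() == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append((kind, fields.get("id", "?"), url))
    return findings


if __name__ == "__main__":
    for kind, repo_id, url in find_insecure_repositories(SAMPLE_POM):
        print(f"insecure {kind} '{repo_id}': {url}")
```

Run as a build or CI step, a non-empty result can be treated as a failure so that a plain-HTTP repository is caught before dependencies are resolved.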

Conclusion
Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled.

The ASF Security Committee work closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.

This report gave metrics for calendar year 2019, showing that from the 18,000 emails received we triaged over 300 vulnerability reports, leading to fixing just over 100 (CVE) issues.  If you have vulnerability information you would like to share with us, or comments on this report, please contact us.

# # #

Graphic created by http://sankeymatic.com/build/ using code:

Threads [138] License Confusion

Threads [162] Support Questions

Threads [320] Vulnerability Reports

Vulnerability Reports [19] Under Triage

Vulnerability Reports [301] Closed

Closed [122] CVE

1000x600

colour B source

The Apache News Round-up: week ending 31 January 2020

Farewell, January -- we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 February 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFPs OPEN: Apache Roadshow/DC and ApacheCon North America https://www.apachecon.com/

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 746 Apache contributors changed 1,854,769 lines of code over 3,280 commits. Top 5 contributors, in order, are: Dan Haywood, Andrea Cosentino, Claus Ibsen, Jean-Baptiste Onofré and Jarek Potiuk.     

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Druid 0.17.0 released http://druid.apache.org/
 - Apache Beam 2.18.0 released http://beam.apache.org/
 - Apache NiFi 1.11.0 released http://nifi.apache.org/

Cloud Computing --
 - Apache Libcloud 3.0.0-rc1 released https://libcloud.apache.org/

Content --
 - Apache Jackrabbit Oak 1.10.8 and 1.24.0 released http://jackrabbit.apache.org/

Libraries --
 - Apache OpenWebBeans-2.0.14 released http://openwebbeans.apache.org/

Mail --
 - Apache SpamAssassin 3.4.4 released http://spamassassin.apache.org/

Servers --
 - Apache HttpComponents Client 5.0 beta7 (GA candidate) released https://hc.apache.org/

Did You Know?

 - Did you know that Apache Flink supports schema migration on its state so that application changes can be made without having to start from square one? https://flink.apache.org/

 - Did you know that tracks for ApacheCon North America include Big Data integration/Gobblin (incubating), Apache Camel/Integration, Cassandra, CloudStack, Community, Content Delivery, Fineract, Flagon (incubating), Geospatial, Graph, Groovy, HTTP Server/Web, Ignite, Internet of Things, Karaf, Observability, Solr/Lucene/Search, and Tomcat? https://s.apache.org/cfp2020

 - Did you know that Amazon, DataStax, IBM, Microsoft, Neo4j, and many others use Apache Tinkerpop? http://tinkerpop.apache.org/providers.html

Apache Community Notices:

 - "Trillions and Trillions Served", the documentary on the ASF, is in post-production. Catch the teaser at https://s.apache.org/ASF-Trillions

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - ASF Operations Summary: Q2 FY2020 (August - October 2019) https://s.apache.org/2kv2n

 - Celebrating 20 Years Community-led Development "The Apache Way" https://s.apache.org/ASF20thAnniversary

 - ASF Founders look back on 20 Years of the ASF https://blogs.apache.org/foundation/entry/our-founders-look-back-on

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - ApacheCon: Tomorrow's Technology Today since 1998 http://s.apache.org/ApacheCon

 - ASF Annual Report for FY2019 https://s.apache.org/FY2019AnnualReport

 - The Apache Software Foundation 2018 Vision Statement https://s.apache.org/zqC3

 - Foundation Statement – Apache Is Open. https://s.apache.org/PIRA

 - CFP and pre-registration open for the first Pulsar Summit http://pulsar.apache.org/blog/2019/12/18/Pulsar-summit-cfp/

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

 - Please follow/like/re-tweet the ASF on social media: @TheASF on Twitter (https://twitter.com/TheASF) and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://events.apache.org/event/meetups.html

 - Find out how you can participate with Apache community/projects/activities -- opportunities open with Apache Camel, Apache HTTP Server, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Friday January 24, 2020

The Apache News Round-up: week ending 24 January 2020

Happy Friday! We're wrapping up another great week with the following activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 February 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998
 - CFPs OPEN: Apache Roadshow/DC and ApacheCon North America https://www.apachecon.com/

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.96%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 860 Apache contributors changed 3,062,286 lines of code over 3,401 commits. Top 5 contributors, in order, are: Dan Haywood, Andi Huber, Jarek Potiuk, Andrea Cosentino, and Kaxil Naik.

Apache Incubator – the primary entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation.
 - Welcome APISIX, NuttX, StreamPipes, and TubeMQ as new podlings undergoing development http://incubator.apache.org/

Apache Project Announcements – the latest updates by category.

Content --
 - Apache Jackrabbit Oak 1.4.25 and 1.8.19 released http://jackrabbit.apache.org/

Libraries --
 - Apache Juneau 8.1.3 released http://juneau.apache.org/

Messaging --
 - Apache Pulsar 2.5.0 released http://pulsar.apache.org/

Servers --
 - Apache HttpComponents Client 4.5.11 GA released https://hc.apache.org/

Did You Know?

 - Did you know that ASF Conferences has 6 events planned this year: Apache Roadshows in Washington DC, Chicago, and Seattle, plus Europe and China, as well as ApacheCon in New Orleans? https://www.apachecon.com/

 - Did you know that in 2019 the Top 5 Apache Project repositories by commits, in order, were: Camel, HBase, Flink, Beam, and Hadoop? https://s.apache.org/Apache2019Digits

 - Did you know that the German virtual coaching app Dranbleiben is powered by Apache Wicket? https://wicket.apache.org/

Friday January 17, 2020

The Apache News Round-up: week ending 17 January 2020

Greetings everyone -- it's time to review the Apache community's activities from the past week:

Watch the first teaser for "Trillions and Trillions Served", the documentary on The Apache Software Foundation, which resumed filming during ApacheCon 2019 https://s.apache.org/ASF-Trillions

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 February 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998
 - CFP OPEN: Apache Roadshow/DC https://www.apachecon.com/usroadshowdc20/index.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.83%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 903 Apache contributors changed 2,766,467 lines of code over 3,961 commits. Top 5 contributors, in order, are: Dan Haywood, Andrea Cosentino, Mark Thomas, Andi Huber, and Daniel Sun.   

Apache Project Announcements – the latest updates by category.

Attic --
 - Apache ODE retired https://attic.apache.org/

Big Data --
 - Apache Parquet Format 2.8.0 released https://parquet.apache.org/

Content --
 - Apache Jackrabbit Oak 1.22.0 released http://jackrabbit.apache.org/

IoT --
 - Apache IoTDB (Incubating) 0.9.1 released http://iotdb.apache.org/

Libraries --
 - Apache Daffodil (Incubating) 2.5.0 released https://daffodil.apache.org/
 - Apache Crail (Incubating) 1.2 released https://crail.apache.org/

Messaging --
 - Apache Qpid Broker-J 7.1.7 released https://qpid.apache.org/

Programming Languages --
 - Apache Groovy 3.0.0-rc-3 released https://groovy.apache.org/

Search --
 - Apache Lucene 8.4.1 released http://lucene.apache.org/

Servers --
 - Apache HttpComponents Core 4.4.13 released https://hc.apache.org/

Web Framework --
 - Apache Wicket 9.0.0-M4 released https://wicket.apache.org/

Did You Know?

 - Did you know that new podlings undergoing development in the Apache Incubator include projects in microservices, embedded operating systems, IoT data streams, messaging queues, transactional frameworks, and batch implementations? http://incubator.apache.org/

 - Did you know that, in 2019, more than 75% of contributors were new to Apache? https://s.apache.org/Apache2019Digits

 - Did you know that 2019's Top 5 Apache Project repositories by size (Lines of Code) were: NetBeans (8,354,466); OpenOffice (7,828,646); Flex (whiteboard: 5,233,277); Mynewt (core: 4,108,323); Flex (SDK: 3,933,522)? https://s.apache.org/Apache2019Digits

Friday January 10, 2020

The Apache News Round-up: week ending 10 January 2020

Happy Friday, everyone -- let's review what the Apache community has been up to over the past week:

Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 January 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998
 - CFP OPEN: Apache Roadshow/DC https://www.apachecon.com/usroadshowdc20/index.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.98%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 886 Apache contributors changed 1,134,112 lines of code over 3,651 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Michał Narajowski, Dan Haywood, Andrea Cosentino, and Andi Huber.           

Apache Project Announcements – the latest updates by category.

Content --
 - Apache Jackrabbit 2.20.0 released https://jackrabbit.apache.org/

Libraries --
 - Apache Commons Codec 1.14 released https://commons.apache.org/proper/commons-codec/

Machine Learning --
 - Apache OpenNLP 1.9.2 released https://opennlp.apache.org/

Servers --
 - Apache HttpComponents Core 5.0 beta11 (GA candidate) released https://hc.apache.org

Web Frameworks --
 - Apache Wicket 7.16.0 and 8.7.0 released https://wicket.apache.org/


Did You Know?

 - Did you know that 200M+ lines of Apache code are stewarded by the ASF's all-volunteer community, comprising 765 individual Members, 206 Apache Project Management Committees (PMCs), and more than 7,200 Committers? https://s.apache.org/Apache2019Digits

 - Did you know that the following Apache projects are celebrating anniversaries this month? Apache Cocoon, James, and Web Services (17 years); Lucene (15 years); ActiveMQ (13 years); Hadoop (12 years); River (9 years); Empire-db and Gora (7 years); OpenMeetings (7 years); Samza (5 years); Arrow (4 years); Ranger (3 years). Many happy returns! https://projects.apache.org/committees.html?date

 - Did you know that new entries in the Apache Incubator include projects in IIoT data analytics; real-time embedded operating systems; and distributed messaging queues? http://incubator.apache.org/


Friday January 03, 2020

The Apache News Round-up: week ending 3 January 2020

Welcome, 2020! We hope that you have had a festive holiday season and are excited to kick off the new year. Here's what happened over the past week:

Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 January 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Apache Diversity & Inclusion – newly-formed committee supports initiatives that promote diversity, equity, and inclusion across the greater Apache community.
 - FINAL CALL: respond to the 2020 ASF Community Survey before 4 January https://s.apache.org/pzol5

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998
 - CFP OPEN: Apache Roadshow/DC https://www.apachecon.com/usroadshowdc20/index.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.94%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 506 Apache contributors changed 647,823 lines of code over 2,002 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Gary Gregory, Dan Haywood, Carlos Rovira, and Andrew Wetmore.    

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Geode 1.11.0 released https://geode.apache.org/
 - Apache Drill 1.17.0 released https://drill.apache.org/

Cloud Computing --
 - Apache Libcloud 2.8.0 released https://libcloud.apache.org/

Libraries --
 - Apache Commons VFS 2.5.0 released http://commons.apache.org/proper/commons-vfs/

Search --
 - Apache Lucene 8.4.0 and Solr 8.4.0 released http://lucene.apache.org/


Did You Know?

 - Did you know that the European Commission created its new API Gateway infrastructure using Apache Camel? https://camel.apache.org/

 - Did you know that NBC Universal uses Apache Tinkerpop's Gremlin to write complicated traversals? http://tinkerpop.apache.org/

 - Did you know that blogs.apache.org is powered by Apache Roller? Version 6 just released! http://roller.apache.org/


Apache Community Notices:

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - ASF Operations Summary: Q2 FY2020 (August - October 2019) https://s.apache.org/2kv2n

 - Celebrating 20 Years Community-led Development "The Apache Way" https://s.apache.org/ASF20thAnniversary

 - ASF Founders look back on 20 Years of the ASF https://blogs.apache.org/foundation/entry/our-founders-look-back-on

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - ApacheCon: Tomorrow's Technology Today since 1998 http://s.apache.org/ApacheCon

 - ASF Annual Report for FY2019 https://s.apache.org/FY2019AnnualReport

 - The Apache Software Foundation 2018 Vision Statement https://s.apache.org/zqC3

 - Foundation Statement – Apache Is Open. https://s.apache.org/PIRA

 - CFP and pre-registration open for the first Pulsar Summit http://pulsar.apache.org/blog/2019/12/18/Pulsar-summit-cfp/

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

 - Please follow/like/re-tweet the ASF on social media: @TheASF on Twitter (https://twitter.com/TheASF) and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation

 - Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at http://events.apache.org/event/meetups.html

 - Find out how you can participate with Apache community/projects/activities -- opportunities open with Apache Camel, Apache HTTP Server, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby


Wednesday January 01, 2020

Apache in 2019 - By The Digits

What an accomplished year for The Apache Software Foundation: 2019 heralded 20 years of Open Source leadership "The Apache Way". Our rallying cry of "Community Over Code" informs everything we do, with billions worldwide benefiting from more than $20B worth of community-led software, provided 100% free-of-charge. Highlights include:

Apache Projects — https://projects.apache.org/

  • Total number of projects + sub-projects - 339
  • Top-Level Projects - 206
  • Podlings in the Apache Incubator - 46
  • ASF Committees (non-Projects) - 11
  • Other groups, including operations/support - 60


Community/People — http://home.apache.org/

  • Apache Committers - 7,203 (7,038 active)
  • ASF Members (individuals) - 765
  • New Members elected - 40


Apache Projects/Code — https://projects.apache.org/statistics.html

3,081 Apache Committers changed 59,309,787 lines of code over 171,689 commits, with an all-time high of 12,250 individuals contributing to Apache projects this year.


Profile of Apache Committers in 2019



More than 75% of contributors in 2019 were new to Apache


Top 5 Committers
  1. Andrea Cosentino (3,841 commits; 588,217 lines changed)
  2. Tilman Hausherr (2,791 commits; 64,805 lines changed)
  3. Claus Ibsen (2,562 commits; 628,919 lines changed)
  4. Jean-Baptiste Onofré (2,498 commits; 81,563 lines changed)
  5. Mark Thomas (2,452 commits; 331,234 lines changed)

Top 5 Apache Project Repositories by Commits
  1. Camel
  2. HBase
  3. Flink
  4. Beam
  5. Hadoop

Top 5 Apache Project Repositories by Size (Lines of Code)
  1. NetBeans (8,354,466)
  2. OpenOffice (7,828,646)
  3. Flex (whiteboard: 5,233,277)
  4. Mynewt (core: 4,108,323)
  5. Flex (SDK: 3,933,522)

Mailing Lists — https://lists.apache.org/
  • Total number of mailing lists 1,399
  • 19,385 authors sent 2,116,421 emails on 1,034,478 topics

Top 5 most active Apache user@ mailing lists
  1. Flink
  2. Lucene-Solr
  3. Ignite
  4. Kafka
  5. Tomcat

Top 5 most active Apache dev@ mailing lists
  1. Beam
  2. Flink
  3. Tomcat
  4. Royale
  5. NetBeans

Contributor License Agreements and Software Grants — https://www.apache.org/licenses/

We welcomed an average of 187 new code contributors and 1,670 new people filing issues each month during 2019. Individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. 
  • ICLAs - 759
  • CCLAs - 34
  • Grants - 40

Sponsorship and Individual Support — http://apache.org/foundation/contributing.html

The generous support of hundreds of individual donors and Sponsors helps offset the ASF's day-to-day operating expenses that include Infrastructure, Accounting, Legal, Fundraising, Marketing & Publicity, and other services.

ASF Sponsors provide financial backing for the ASF's operations.

  • Platinum: Amazon Web Services, Cloudera, Comcast, Facebook, Google, Leaseweb, Microsoft, Pineapple Fund, Tencent, and Verizon Media.
  • Gold: Anonymous, ARM, Bloomberg, Handshake, Huawei, IBM, Indeed, Union Investment, and Workday.
  • Silver: Aetna, Alibaba Cloud Computing, Baidu, Budget Direct, Capital One, CarGurus, Cerner, Inspur, ODPi, Private Internet Access, Red Hat, and Target.
  • Bronze: Airport Rentals, Bestecasinobonussen.nl, The Blog Starter, Bookmakers, Cash Store, Casino2k, Cloudsoft, The Economic Secretariat, Emerio, Footprints Recruiting, Gundry MD, HostChecka.com, HostingAdvice.com, Journal Review, LeoVegas Indian Online Casino, Host Advice, Mutuo Kredit AG, Online Holland Casino, ProPrivacy, PureVPN, RX-M, SCAMS.info, Site Builder Report, Start a Blog by Ryan Robinson, Talend, The Best VPN, Top10VPN, Twitter, and Web Hosting Secret Revealed.

ASF Targeted Sponsors provide the Foundation with non-financial contributions for specific activities or programs.

  • Targeted Platinum: CloudBees, DLA Piper, JetBrains, Microsoft, OSU Open Source Labs, Sonatype, and Verizon Media.
  • Targeted Gold: Atlassian, The CryptoFund, Datadog, PhoenixNAP, and Quenda.
  • Targeted Silver: Amazon Web Services, HotWax Systems, and Rackspace.
  • Targeted Bronze: Bintray, Education Networks of America, Google, Hopsie, No-IP, PagerDuty, Peregrine Computer Consultants Corporation, Sonic.net, SURFnet, and Virtru.


Collectively, our Members, Committers, contributors, users, supporters, and sponsors further our mission of providing Open Source software for the public good. Learn more about The Apache Software Foundation's activities in the FY2019 Annual Report https://s.apache.org/FY2019AnnualReport

Help keep Apache software accessible to everyone: to sponsor or make a contribution* to the ASF, please visit http://apache.org/foundation/contributing.html

Here's to a brilliant 2020!

* The ASF is a US 501(c)(3) not-for-profit charitable organization, whose tax identification number is 47-0825376. The ASF is recognized by Charity Navigator and cited with the Gold Seal of Transparency by GuideStar.

# # #
