The Apache Software Foundation
Blogging in Action.

The Apache Software Foundation Operations Summary: 1 November 2020 - 31 January 2021

FOUNDATION OPERATIONS SUMMARY

Third Quarter, Fiscal Year 2021 (November 2020 - January 2021)

"We’re proud to be a part of the ASF community and look forward to continued support of its mission to provide Open Source software for the public good."
—Joel Marcey, Open Source Developer Advocate and Ecosystem Lead at Facebook (ASF Platinum Sponsor)

> Conferences and Events http://apachecon.com/ 

We held no events during the reporting period.

We have begun discussion of dates and details for ApacheCon 2021, and expect to have an announcement by March 1st. This event will, once again, be an online-only event.

Please watch @apachecon (on Twitter) for that announcement.

> Community Development http://community.apache.org/ 

During December an Apache Roadshow China was held in conjunction with COSCon. The event was a great success and we are looking forward to participation at future events.

A key theme this quarter was communication and ensuring our community was being kept informed of what is happening. As a result, we have been experimenting with a new format for the Apache News Roundup have been trialling it with the community. A range of short videos have been created focussed on different but hopefully useful topics. Feedback from the community has been extremely positive.

We applied for and were accepted for an online booth at FOSDEM. Throughout January most of our efforts were focussed on preparing for our participation at FOSDEM. Even with the very short timeframe,  several of our volunteers worked quickly and efficiently to put together an online presence for us during the event.

A request has been received to try and establish an Apache Local Community (ALC) in Nigeria so we are currently looking for an ASF member or PMC members from any Apache project that live locally that can become the main point of contact. These are part of the minimum requirements for governance when establishing a new ALC group.

We are in the final stages of our Google Summer of Code (GSoC) application so have also been gathering ideas from our projects.

Our mailing list has seen a large increase in traffic this quarter. Some of the increase is related to GSoC proposal requests being received from our projects. Yet even with the break for the holidays, it was good to see our discussion activity grow.  

> Committers and Contributions http://apache.org/licenses/contributor-agreements.html 

Over the past quarter, 1,424 contributors committed 64,101 changes that amount to 35,706,852 lines of code across Apache projects. The top 5 contributors, in order, were: Andrea Cosentino (1,544 commits), Xiang Xiao (1,301 commits), Jean-Baptiste Onofré (971 commits), Kaxil Naik (907 commits), and Gary Gregory (878 commits).

All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF.

During Q3 FY2021, the ASF Secretary processed 198 ICLAs, 4 CCLAs, and 16 Software Grants. History of Apache committer growth can be seen at https://projects.apache.org/timelines.html

> Brand Management http://apache.org/foundation/marks/ 

Operations —the work of the Brand Management team falls broadly into one of four categories:

• providing advice to projects
• granting permission to use our marks
• trademark transfers and registrations
• addressing potential infringements of our marks

As with previous quarters we provided both Apache projects and external parties with advice on the correct use of Apache marks in a range of scenarios including branding of YouTube channels, Docker images Registrations, publishing, translations of project websites, tshirts, and stickers. The COVID-19 pandemic doesn't appear to reduced the number of project related events although all of the ones approves this quarter were, unsurprisingly, on-line events.

This quarter we worked with the KAFKA project and counsel to develop a KAFKA specific branding policy for KAFKA clients and connectors.

Another element of the advice we provide is naming advice for podlings. This quarter we provided advice to a project considering applying to join the Apache incubator and to three podlings.

Other advice provided this quarter included advice on using non-ASF logos on a project website and whether or not a project's mark was registered. We also rejected a mid-directed infringement claim for a non-ASF controlled website that just happened to be hosted on httpd.

Registrations

This quarter we started the process of updating the official ASF address associated with our registrations. There are costs associated with this process but we still anticipate brand expenditure for this year to remain within budget.

The APACHE IGNITE registration for China completed this quarter.

The registrations for APACHE and APACHE FLINK in China, BROOKLYN in the US continued to progress this quarter. 

We worked with counsel and the current registrants to progress the transfer of ownership of the APISIX marks in China and SERVICECOMB marks in the US and EU to the ASF.

Infringements

This quarter we saw an increase in people and organisations using derivations of the Apache License, version 2 without changing the primary branding of the license. While we do not object to the creation of such derivative licenses, we do want to ensure that they do not cause

confusion amongst end-users. Therefore, we monitor for such licenses and work with the authors to ensure that the licenses are clearly branded so that they will not be confused with the Apache License, version 2.

We have made some progress towards addressing infringing products sold in various online stores but have not yet resolved these issues.

It is usually members of our project communities who are first to identify potential infringements. This quarter we provided advice to a number of PMCs as to the best approach to take to address a potential infringement.

And finally…

The Brand Management team welcomes your comments and suggestions as well as any questions you might have. Please see https://www.apache.org/foundation/marks/contact for our contact details.

> Security http://apache.org/security/ 

We continued to work on handling incoming security issues, keeping projects reminded of their outstanding issues, allocation of CVE names, and other general oversight and advice.

For Q3 we tracked 138 new vulnerability reports across 47 projects. Those reports led to 36 published CVE vulnerabilities.  The previous Q3 for comparison was 95 reports leading to 41 CVE.

We published a security report for calendar year 2020: https://s.apache.org/SecurityReport2020

The CVE project released a new automation API and the ASF became the first organisation to get a live CVE name using it. Instead of the security team holding a pool of names requested in advance we now allocate them on demand, with the service taking care of emails to the PMC and other previously manual parts of the process.  We released an internal tool providing projects dealing with security issues a way to edit, validate, and submit their entries to Mitre.  We aim to have the CVE database updated within a day of an issue being published. We expect more automation available during 2021 allowing us to streamline the CVE process for projects even further.

> Privacy http://apache.org/foundation/policies/privacy.html 

A few questions were answered on the privacy list. Most of the requests were around our use of the mailing lists. It was recommended that any person, who has privacy concerns over mailing list data, is redirected to vp-privacy@ or to the privacy@ list directly (if the request is not sensitive itself).

A GIT repository was created for working on policies. Apart from that, privacy did not handle critical issues so far. In the next few weeks we will see working drafts for mailing list archives.

>  Infrastructure http://apache.org/dev/infrastructure.html

The Infrastructure has done well over the past quarter, maintaining cost controls and keeping our team home and healthy.

This past quarter has seen a large change in our back-office, with how we manage our US-based employees. While it took a lot of effort, it did not impact our team's operations. We are up and rolling smoothly, after these changes.

There was a scare in the security around some of our automated CI/CD systems, which we quickly handled. In the end, the initial concern did not pan out to any real problems. Yet we learned and expanded some of our Best Practices, and implemented a scanner to monitor for future security concerns in this area.

The team has started a monthly "Builds" conference call to bring the broader community together to talk "all things builds". This has enabled a sharing of ideas, helped us advance more of our CI/CD infrastructure, and highlighted the pain points that our communities are seeing.

Our background work has continued, as usual, in areas such as testing a CDN deployment, improved integration between the ASF and GitHub, investigating a move from our on-premise Atlassian products to their cloud-based services, and our mail system upgrade.

> Treasury and Financial Statement --map against https://s.apache.org/FY2019AnnualReport 

The Treasurer, Myrle Krantz, and the Assistant Treasurer, Trevor Grant have contributed to keeping The Foundation in excellent fiscal shape with all tax and compliance forms filed on time. Latest public filings can be found at http://www.apache.org/foundation/records/. We have advised that officers minimize expenses until there is more certainty in global economic outlooks. Officers have done an excellent job at cost control throughout the fiscal year, and we hope that in the coming fiscal year that the need for austerity will be reduced. We transitioned, this quarter, from accounting provided by Virtual to accounting provided by IgniteSpot. Benefits we have seen from this transition include:

• better transparency into accounting and smoother budgeting processes by moving from QuickBooks Enterprise to QuickBooks Online,
• better automation of our processes via the integration of QuickBooks Online with Bill.com and our banking solutions, and
• reduced costs.

We are pleased with the enthusiastic support IgniteSpot has provided Fundraising with invoicing and reporting, and we hope to see this continue. The transition has forced us to examine our internal processes, and given us opportunities to improve them.

In the process of transitioning accountants, we have also transitioned PEO providers. We now employ ADP Total Source directly. In addition we have transitioned to a new physical mailing address and a new registered agent. We thank Greg Stein, David Nalley, and Ruth Suehle for the truly excellent collaboration which made a change of this extent possible. We thank Virtual for their many years of service. The Apache Software Foundation would not be where we are today without the tireless efforts of Virtual to modernize our accounting processes and make them sustainable. In all, the transition has been extremely smooth. Our books were imported without difficulties. Thanks to the work Myrle Krantz and Greg Stein performed earlier this year to introduce bill.com, there were no interruptions in our vendor payments. And thanks to heightened attention by Sally Khudairi, and Daniel Ruggeri and IgniteSpot, there were no interruptions to sponsor invoicing. The financial report has a few more details than past quarterly reports. We have adjusted reporting to include mention of restricted funds. ASF Treasury has gone above and beyond to support fundraising this quarter. In particular, to make possible a two year platinum sponsorship before the end of the sponsor’s fiscal year, Myrle Krantz, with support from Greg Stein, and direction from Sally Khudairi interfaced with a sponsor’s PO system and generated and submitted last minute estimates and invoices. This team worked through multiple iterations over the course of several hours on New Year’s Eve and New Year’s Day to get it right. This was possible, in part, because the ASF Treasury now has access to our own books via QuickBooks Online. We have added a bank account at TDBank to our mix of financial instruments. The majority of our cash remains in a CDARS account at Boston Private which provides FDIC insurance for the full amount.

> Diversity and Inclusion http://diversity.apache.org/

Diversity & Inclusion

Q3 of FY2021 focused on wrapping up the first research on the current status of D&I at the ASF, securing funds for one more year of Outreachy internships and planning for FY2022. Below is a breakdown of these accomplishments.

Wrapping the research on the current status of Diversity and Inclusion at the ASF
This project was composed of two initiatives: The ASF Community Survey and a User Experience Research for contributors of underrepresented groups. These two initiatives concluded in Q2 and we have a final draft https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=173087952 to be published in multiple channels, such as research publications and conferences like ApacheCon.

Continuing the internships for underrepresented groups through Outreachy.org
The third period of Outreachy internships is underway and we have six interns for six different Apache projects https://cwiki.apache.org/confluence/display/EDI/2020-11-25+Outreachy+Meeting+notes . We secured $52,000 in sponsorship from Google to continue with this program for one more year. The sponsorship will be processed in March 2021.  

FY2022 planning
The findings and recommendations from the research completed in FY2021 will be the platform  for taking action in FY2022. The D&I committee will have the following goals in FY2022: 

• Act on the findings and recommendations from the research done in FY2021
• Continue the Outreachy Internships
• Re-application of the community survey to measure changes since the survey was last done in 2020. 

The ultimate objective is to scope and define a project that will help us take the current state of D&I at the ASF to better neights. We will partner with Bitergia again, this is the firm that conducted the research and ran the ASF community survey in 2020. One of the alternatives we’re strongly considering is the creation of a program that helps podlings in the incubator develop strong practices for inclusion, enabling the projects to be diverse from the moment they graduate from incubation. This is still one are of consideration, and we’ll have the final selection by the end of the quarter. 

 

> Fundraising http://apache.org/foundation/contributing.html

As was noted in prior quarterly reports, Fundraising continues to move along well operationally. In addition to performing regular renewals, we are further honing our processes by experimenting with automation and tooling to augment our work. In this quarter, we are pleased to note that all ApacheCon sponsorships have completed and closed in the early quarter. Additionally, we managed to continue business-as-usual during a very busy December as the foundation onboarded a new accounting provider and platform.

We continue maintaining cautious optimism as we weather the current pandemic with our Sponsors and are tremendously thankful for the continued sponsorship despite the hard times. While we regret that two Bronze sponsors chose not to renew their sponsorship this quarter, we are thrilled to welcome a new Platinum Sponsor, Gold Sponsor, Silver Sponsor, and Bronze Sponsor! This growth in sponsorships is a heart warming indication that the amazing work done here at The ASF is recognized and appreciated in the global community. To that point, we are pleased to see that this quarter saw a higher than typical number of individual donations to the foundation.

The joy we feel from the continued support of our individual and corporate sponsors simply cannot be overstated. In the tough times leading into and during the initial days of the pandemic, like many others, we just did not know what to expect. After all, the only income our all-volunteer-led foundation receives comes from sponsorships. The ASF is known to house projects that creates industries, evolves the technology landscape, improves the world we live in - and we do it in a way that is fair and equitable to all who participate regardless of background. This is all entirely possible because of the generosity of our sponsors… especially during difficult days.

With a truly humble and grateful heart: THANK YOU for continuing to support us during this storm.

The list of all Sponsors is available at http://apache.org/foundation/thanks . To become an ASF Sponsor, visit http://apache.org/foundation/sponsorship.html . To make a one-time or monthly recurring donation, please visit https://donate.apache.org/ .

= = =

Report prepared by Sally Khudairi, Vice President Marketing & Publicity, with contributions by Rich Bowen, Vice President Conferences; Mark Cox, Vice President Security; Griselda Cuevas, Vice President Diversity & Inclusion; David Nalley, Vice President Infrastructure; Sharan Foga, Vice President Community Development; Christian Grobmeier, Vice President Data Privacy; Myrle Krantz, Treasurer; Daniel Ruggeri, Vice President Fundraising; Greg Stein, Infrastructure Administrator; and Mark Thomas, Vice President Brand Management.

For more information, subscribe to the announce@apache.org mailing list http://apache.org/foundation/mailinglists.html#foundation-announce and visit http://www.apache.org/ , the ASF Blog at http://blogs.apache.org/ , the @TheASF on Twitter https://twitter.com/TheASF , and LinkedIn https://www.linkedin.com/company/the-apache-software-foundation .

(c) The Apache Software Foundation 2021.

# # #

Posted at 03:22PM Mar 15, 2021 by Sally Khudairi in Newsletter  |   | 

Apache Month in Review: January 2021

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January:

New this month --

 - Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
   -- Summary and stats at https://s.apache.org/Apache2020Digits
   -- Video highlights https://s.apache.org/Apache2020Digits-vid

 - ASF Security Report 2020 – the annual state of security across all Apache projects https://s.apache.org/SecurityReport2020

 - The Apache Way to Sustainable Open Source Success  – Apache is for Everyone. Every developer has their personal motivations for building software. We celebrate their right to choose when and how they build their software, including their right to use a non-open license. https://s.apache.org/GhnI

 - ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
   -- Videos of all ApacheCon@Home sessions, including Plenaries and Keynotes, are available https://www.youtube.com/c/TheApacheFoundation/

 - Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

 - "Inside Infra" – the interview series featuring members of the ASF Infrastructure team
   -- Meet Chris Lambertus --Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Apache Month in Review: December 2020 https://s.apache.org/Dec2020

Important Dates --

  - Next Board Meeting: 17 February 2021. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Infrastructure --

In January, 726 Apache Committers changed 11,011,714 lines of code over 14,708 commits. The Committers with the top 5 highest contributions, in order, were: Rohit Yadav, Jean-Baptiste Onofré, Andrea Cosentino, Gary Gregory, and Mark Thomas.

Project Releases and Updates --

New releases from Apache Accumulo (Big Data); Arrow (Big Data); Beam (Big Data); Camel (Integration); CloudStack (Cloud Computing); Commons Daemon (Libraries); Flink (Big Data);  Guacamole (Network Client); Hadoop (Big Data); Ignite (Big Data); IoTDB (IoT); Jackrabbit (Content); JMeter (Testing); Nutch (Web Crawler); OFBiz (Enterprise Processes Automation / ERP); Oak (Content); Rya (Big Data); Qpid Broker (Messaging); ShardingSphere (Big Data); Skywalking (Application Performance Management); Tika (Big Data); Tomcat (Servers); Traffic Server (Servers).

Upcoming Apache Project community events include ESUP Days & Apereo Paris (2 February); Airflow Virtual Meetup (12 February); Joint ASF–OCG–OSGeo Code Sprint (17-19 February); and Big Data Technology Warsaw Summit (23 February).

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. New to the Apache Incubator in January: ECharts (Library) and Superset (Big Data). We invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/ .

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 01:17PM Feb 01, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 29 January 2021

Farewell, January --both the week and month have flown by. Let's review what the Apache community has been up to:

The Apache Way to Sustainable Open Source Success  – Apache is for Everyone. Every developer has their personal motivations for building software. We celebrate their right to choose when and how they build their software, including their right to use a non-open license. https://s.apache.org/GhnI

ASF Security Report 2020 – the annual state of security across all Apache projects https://s.apache.org/SecurityReport2020

Inside Infra – the interview series featuring members of the ASF Infrastructure team.
 - Chris Lambertus --Part II https://s.apache.org/InsideInfra-ChrisL2

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - videos from ApacheCon@Home presentations are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.90%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 368 Apache Committers changed 2,919,651 lines of code over 3,273 commits. Top 5 contributors, in order, are: Mark Thomas, Leonid Frolov, Andrea Cosentino, Andi Huber, and Christofer Dutz.  

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Arrow 3.0.0 released https://arrow.apache.org/
 - Apache Hadoop CVE-2020-9492: Potential privilege escalation https://s.apache.org/d9h7j

IoT --
 - Apache IoTDB 0.11.2 released https://iotdb.apache.org/

Messaging --
 - Apache ActiveMQ CVE-2021-26117: LDAP-Authentication does not verify passwords on servers with anonymous bind https://s.apache.org/xvpov , and
   CVE-2021-26118: Flaw in ActiveMQ Artemis OpenWire support https://s.apache.org/bpp38

Libraries --
 - The Apache Software Foundation Announces Apache® ECharts™ as a Top-Level Project https://s.apache.org/txmmr
 - Apache Commons Daemon 1.2.4 released https://commons.apache.org/proper/commons-daemon/

Servers --
 - Apache Traffic Server 9.0.0 released https://trafficserver.apache.org/

Testing --
 - Apache JMeter 5.4.1 released https://jmeter.apache.org/

Web Crawler --
 - Apache Nutch 1.18 released https://nutch.apache.org/
 - Apache Nutch CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser https://s.apache.org/y0pir

Did You Know?

- Did you know that the Apache Kafka PMC has published a trademark disclaimer for naming non-java clients and connectors to help those building the Apache Kafka ecosystem? https://kafka.apache.org/trademark

- Did you know that video presentations from the 2020 Virtual Druid Summit are available online? http://ow.ly/HLQq50Df7rI

- Did you know that the 2021 Joint Apache Software Foundation – Open Geospatial Consortium – Open Source Geospatial Foundation Code Sprint will be taking place online and free-of-charge 17-19 February? All are welcome to participate https://s.apache.org/ilzbf

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 05:22AM Jan 29, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Software Foundation Security Report: 2020

Synopsis: This report explores the state of security across all Apache Software Foundation projects for the calendar year 2020. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.

Released: January 2021

Author: Mark Cox, Vice President Security, Apache Software Foundation

Background

The security committee of the Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 340+ Apache projects.  Established in 2002 and composed of all volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.

Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMC) to handle.  The security committee monitors all the issues reported across all the addresses and keeps track of the issues throughout the vulnerability lifecycle.

The security committee is responsible for ensuring that issues are dealt with properly and will actively remind projects of their outstanding issues and responsibilities.  As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues.  This, along with the Apache Software License, are key parts of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.

The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues.  Our last report covered the metrics for 2019.

Statistics for 2020

In 2020 our security email addresses received in total 18,000 emails. After spam filtering and thread grouping this was 946 (2019: 620) non-spam threads.  Unfortunately many security reports do look like spam and so the security team are careful to review all messages to ensure real reports are not missed for too long.

Diagram 1: Breakdown of ASF security email threads for calendar year 2020

Diagram 1 gives the breakdown of those 946 threads.  257 threads (27%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is.  This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.  We no longer reply to these emails. This is nearly double the number we saw in 2019.

The next 220 of the 946 (23%) are email threads with people asking non-security (usually support-type) questions.

The next 93 of those reports were researchers reporting issues in an Apache web site.  These are almost always false negatives; where a researcher reports us having directory listings enabled, source code visible, or the lack of various domain headers.  These reports are generally the unfiltered output of some publicly available scanning tool, and often where the reporter asks us for some sort of monetary reward (bounty) for their report.

That left 376 (2019: 320) reports of new vulnerabilities in 2020, which spanned across 101 of the top level projects.  These 376 reports are a mix of both external reporters and internal; for example where a project has found an issue themselves and followed the ASF process to assign it a CVE name and address it we’d still count it here.  We don’t keep metrics that would give the breakdown of internal vs external reports.

The next step is that the appropriate project triages the report to see if it's really an issue or not.  Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter.  Of the remaining issues that are accepted they are assigned appropriate CVE names and eventually fixes are released.

As of January 1st 2021, 35 of those 376 reports were still under triage (i.e. the project had not yet determined if the report is accepted or rejected).  

The remaining closed 341 (2019: 301) reports led to us assigning 151 (2019: 122) CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handles CVE name allocation and is a Mitre Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts Mitre directly or goes public with an issue before contacting us.

Noteworthy events

During 2020 there were a few events worth discussion; either because they were severe and high risk, they had readily available exploits, or otherwise due to media attention. These included:

• February: An issue in Tomcat CVE-2020-1938 gained press interest when it was given branding and a name (“Ghostcat”) and was disclosed by a third-party coordination centre before Tomcat released an advisory (although after the issue was fixed in new releases of Tomcat). Although serious if exploited, it only affected Tomcat installations which exposed an unprotected AJP Connector to untrusted networks (which is already not a good thing to do even without this issue). That limits the number of affected installations.  Various proof-of-concept exploits are public for this issue, including a Metasploit exploit.

• May: The Cybersecurity and Infrastructure Security Agency (CISA) released a list of Top 10 Routinely Exploited Vulnerabilities including CVE-2017-5638, the remote command execution (RCE) vulnerability in Apache Struts 2 disclosed and fixed in 2017.  This issue is known to be exploited in the wild, however the first exploitation was discovered after the advisory and fix was published. 

• July: Versions of Apache Guacamole 1.1.0 and earlier were vulnerable to issues in RDP, CVE-2020-9497 and CVE-2020-9498.  If a user connects to a malicious or compromised RDP server it could lead to memory disclosure and possible remote code execution. 

• August: A vulnerability in Apache Struts (CVE-2019-0230) could lead to arbitrary code execution. In order to exploit the vulnerability, an attacker would need to inject malicious Object-Graph Navigation Language (OGNL) expressions into an attribute that is used within an OGNL expression. Although Struts has mitigations to address potential injected expressions, versions before 2.5.22 left an attack vector open which was fixed in updates for this issue.  A metasploit exploit exists for this issue.

• November: Previously each ASF project was responsible for writing up their own CVE entries and submitting them to Mitre. This leads to many delays in the CVE database being updated with Apache issues as entries are often rejected as the legacy format causes issues. We released an internal tool providing projects dealing with security issues a way to edit, validate, and submit their entries to Mitre.  We aim to have the CVE database updated within a day of an issue being published.

• December: The CVE project released a new automation API and the ASF became the first organisation to get a live CVE name using it. Instead of the security team holding a pool of names requested in advance we now allocate them on demand, with the service taking care of emails to the PMC and other previously manual parts of the process. We expect more automation available during 2021 allowing us to streamline the CVE process for projects even further.

• Proof of Concepts or Metasploit exploits were also released for 2020 issues in Apache OFBiz (CSRF, CVE-2019-0235), Apache OpenMeetings (DoS, CVE-2020-13951), Apache Flink (arbitrary read/write RCE CVE-2020-17518, CVE-2020-17519)

Timescales

Our security teams and project management teams are all volunteers and so we do not give any formal SLA on handling of issues.  However we can break down our aims and goals for each part of the process:

Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days.  We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately.  The alias is staffed by a very small number of volunteers taken from the different project PMCs.  After the security team forward a report to a PMC they will reply to the reporter.  Therefore if you have reported an issue to us and not received any response after a week please send us a followup email.  Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don’t make it to us, so please ensure any follow ups are a simple plain text email.

Investigation: Once a report is sent to the private list of the projects management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As we send reports to this private list it does not reach every project committer, so there is a much smaller limited set of people in each project able to investigate and respond.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The ASF security team chase any untriaged issues over 90 days old.

Fix: Once a security issue is triaged and accepted, the timeline for the fixing of issues depends on the schedules of the projects themselves.  Issues of lower severity are most often held to future pre-planned releases.  

Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability, to let mirrors catch up.  All vulnerabilities are announced via the announce@apache.org list.  We now aim to have them appear in the public Mitre list within a day of the announcement.

Conclusion

Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled. The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.

This report gave metrics for calendar year 2020 showing from the 18,000 emails received we triaged over 370 vulnerability reports relating to ASF projects, leading to fixing 151 (CVE) issues. The number of non-spam threads dealt with was up 53% from 2019 with the number of actual vulnerability reports up 13% and assigned CVE up 24%.

If you have vulnerability information you would like to share with or comments on this report please contact us.

# # #

Posted at 02:00PM Jan 25, 2021 by Sally Khudairi in General  |   | 

The Apache News Round-up: week ending 22 January 2021

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 385 Apache Committers changed 3,309,050 lines of code over 5,192 commits. Top 5 contributors, in order, are: Rohit Yadav, Wei Zhou, Kaxil Naik, Gary Gregory, and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink 1.12.1 released https://flink.apache.org/
 - Apache Qpid Broker J 7.1.11 and J 8.0.3 released https://qpid.apache.org/
 - The Apache Software Foundation Announces Apache® Superset™ as a Top-Level Project https://s.apache.org/scefo

Cloud Computing --
 - The Apache CloudStack Project Releases Apache® CloudStack® v4.15 https://s.apache.org/vi0v8

Content --
 - Apache Jackrabbit Oak 1.22.6 released http://jackrabbit.apache.org/
 - Apache Tika 2.0.0-ALPHA released https://tika.apache.org/

Integration --
 - Apache Camel 3.7.1 released https://camel.apache.org/

Network Client --
 - Apache Guacamole CVE-2020-11997: Inconsistent restriction of connection history visibility https://s.apache.org/i80o1

Servers --
 - Apache Tomcat CVE-2020-17527: Apache Tomcat HTTP/2 Request header mix-up https://s.apache.org/wqss6

Did You Know?

- Did you know that the Apache Maven projects has action cards for their community to promote their activities on social media? https://maven.apache.org/resource/branding/actioncards.html

- Did you know that US Top 10 retailer Target's enterprise-scale analytics (delivered to all levels of the organization) is powered by Apache Druid? http://druid.apache.org/

- Did you know that K&H Bank, one of the largest commercial banks in Hungary, uses Apache Wicket for their consumer banking and insurance site? http://wicket.apache.org/ 

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 08:09AM Jan 22, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 15 January 2021

It's Friday already --the week has zipped by. Let's take a look at what the Apache community has been up to:

Inside Infra – the interview series featuring members of the ASF Infrastructure team. - Chris Lambertus --Part I https://s.apache.org/InsideInfra-ChrisL

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.94%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 395 Apache Committers changed 3,156,343 lines of code over 3,300 commits. Top 5 contributors, in order, are: Krzysztof Kopyściński, Gary Gregory, Andrea Cosentino, Duo Zhang, and Jean-Baptiste Onofré.  

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking Eyes v0.1.0 released https://skywalking.apache.org/

Big Data --
 - Apache Beam 2.27.0 released https://beam.apache.org/

Content --
 - Apache POI, XMLBeans CVE-2021-23926: XML Entity Expansion https://s.apache.org/vbzsd
 - Apache Jackrabbit 2.21.5 released http://jackrabbit.apache.org/

Enterprise Processes Automation / ERP --
 - Apache OFBiz 17.12.05 released https://ofbiz.apache.org/

Servers --
 - Apache Tomcat CVE-2021-24122: Information Disclosure https://s.apache.org/huz9p

Did You Know?

- Did you know that the Apache geospatial community is partnering with the Open Geospatial Consortium (OGC) and Open Source Geospatial Foundation (OSGeo) to hold a joint Virtual Code Sprint the last week of February 2021? Call for participation is open https://s.apache.org/kp6d8

- Did you know that DoorDash's Big Data platform is powered by Apache Beam, Cassandra, Druid, Flink, Pinot, Spark and other projects? https://projects.apache.org/projects.html?category

- Did you know that you can help Apache Pulsar better meet the needs of its user community? Complete the Pulsar user survey today https://s.apache.org/jvaji 

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 11:01AM Jan 15, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 8 January 2021

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
 - Summary and stats at https://s.apache.org/Apache2020Digits
 - Video highlights https://s.apache.org/Apache2020Digits-vid

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 348 Apache Committers changed 1,594,281 lines of code over 2,987 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Gary Gregory, Mark Thomas, Kartik Khare, and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking NodeJS v0.1.0 released https://skywalking.apache.org/

Big Data --
 - Apache ShardingSphere ElasticJob UI 3.0.0-RC1 released http://shardingsphere.apache.org/elasticjob/
 - Apache Rya 4.0.1 released http://rya.apache.org/
 - Apache Flink CVE-2020-17518: Directory traversal attack: remote file writing through the REST API https://s.apache.org/qxl48 , and
   CVE-2020-17519: Directory traversal attack: reading remote files through the REST API https://s.apache.org/gith7

Network Client --
 - Apache Guacamole 1.3.0 released https://guacamole.apache.org/

Servers --
 - Apache Tomcat Native 1.2.26 released https://tomcat.apache.org/

Did You Know?

- Did you know that some of the latest podlings undergoing development in the Apache Incubator include BlueMarlin (advertising), HOP (orchestration), Pegasus (Big Data), Sedona (geospatial data processing), and Wayang (analytics)? http://incubator.apache.org/projects/

- Did you know that Apache Kafka is amongst the most popular streaming platform for disseminating COVID-19 related clinical data, test results, and caseload updates in real-time? http://kafka.apache.org/

- Did you know that the New Zealand Treasury Department, Prime Minister and Cabinet, National Emergency Management Agency, and Climate Change Commission's eRecruitment platform is powered by Apache Wicket? http://wicket.apache.org/

Apache Community Notices

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits

- Video highlights: Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 10:38AM Jan 08, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 1 January 2021

Welcome, 2021! We hope that you have had a festive holiday season and are excited to kick off the new year. Here's what happened over the past week:

Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
 - Summary and stats at https://s.apache.org/Apache2020Digits
 - Video highlights https://s.apache.org/Apache2020Digits-vid

The Apache Month in Review – highlights of what we've accomplished over the past month. 
- December 2020 https://s.apache.org/Dec2020

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.95%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 214 Apache Committers changed 1,634,010 lines of code over 2,290 commits. Top 5 contributors, in order, are: Gary Gregory, Andreas Veithen, Chesnay Schepler, Rene Cordier, and Sylwester Lachiewicz.

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking Python v0.5.0 released https://skywalking.apache.org/

Big Data --
 - Apache ShardingSphere ElasticJob 3.0.0-RC1 released http://shardingsphere.apache.org/elasticjob/
 - Apache Accumulo 1.10.1 and 2.0.1 released http://accumulo.apache.org/
 - Apache Accumulo CVE-2020-17533: Improper Handling of Insufficient Permission https://s.apache.org/ixwwc

Data Management Platform --
 - Apache Ignite 2.9.1 released http://ignite.apache.org/

Did You Know?

- Did you know that the following Apache projects are celebrating anniversaries this month? Many happy returns to Apache Cocoon, James, and Web Services (17 years); Lucene (15 years); ActiveMQ (13 years); Hadoop (12 years); River (9 years); Empire-db and Gora (8 years); OpenMeetings (7 years); Samza (5 years); Arrow (4 years); and Ranger (3 years)! https://projects.apache.org/committees.html?date 

- Did you know that the Top Ten of Fortune's "Future 50" companies --ServiceNow, Veeva Systems, Atlassian, Workday, Splunk, Adyen, MercadoLibre, DexCom, Square, and Spotify-- are all Powered by Apache? Everyone is welcome to use ASF and Apache Project badges to show that your projects are Powered by Apache http://apache.org/foundation/press/kit/#poweredby

- Did you know that ASF Targeted Sponsor Manning Publications is offering special deals on the latest books on Apache Airflow, Pulsar, Spark, and Thrift, among other titles and MEAP (Manning Early Access Program) eBooks? https://deals.manning.com/the-latest-apache-innovations/

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 03:44PM Jan 01, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache in 2020 - By The Digits

Whilst 2020 has been quite a challenging year world-wide, the all-volunteer Apache community has demonstrated commendable strength, resilience, and commitment to our tenet of "Community Over Code" — 

• 238 Apache Projects, sub-projects, incubating podlings, and their communities produced nearly 3,500 releases across dozens of categories. Release Categories: API Gateways, Application Performance Management, Big Data, Blockchain, Build Management Cloud Computing, Content, Cryptography, Customer Profile Platform, Databases, eMail, Enterprise Resource Planning, FinTech, Identity Management, Integrated Development Environments, Integration, IoT, Libraries, Logging, Machine Learning, Messaging, Natural Language Processing, Operating Systems, Programming Languages, Remote Desktop Gateway, Search, Security Frameworks, Servers, Services Framework, Templating, Testing, Version Control, Web Conferencing, Web Crawlers, Web Frameworks, and more.

• We produced the "Trillions and Trillions Served" documentary that showcases how The Apache Way skyrocketed the ASF from overseeing a single project two decades ago to 350+ projects that produce $22B+ worth of software today.

• Apache events moved online, and attracted our most diverse and greatest number of participants. ApacheCon@Home drew nearly 5,750 participants from more than 150 countries, who enjoyed 300+ sessions across 27 tracks. A staggering 1.5M+ viewers tuned in to the Apache Roadshow/China over its 2-day online event.

Additional highlights:

Apache Projects —https://projects.apache.org/

• Total number of projects + sub-projects - 342
• Top-Level Projects - 199
• Podlings undergoing development in the Apache Incubator - 41
• New Top-Level Projects that graduated from the Incubator - 10 

Community/People —http://home.apache.org/

The ASF’s merit-driven "Contributor-Committer-Member" progression is the central governing process across the Apache ecosystem. The core Apache Group of 21 individual Members grew with developers who contributed code, patches, or documentation. Some of these contributors were subsequently granted Committer status by the Membership, and provided access to: 1) commit code directly to Apache repositories; 2) vote on community-related decisions; and 3) propose an active user for Committership. Today, ASF Committers contribute not just code and documentation, but also an array of initiatives that provide value across the greater Apache ecosystem, including Project promotion and community development through mentoring, events, and diversity and inclusion programs. Those Committers who demonstrate merit in the Foundation's growth, evolution, and progress are nominated for ASF Membership by existing members.

The Apache community continues to grow: 

• We welcomed 3,612 contributors in 2020, 51.87% of whom were newcomers to Apache
• 905 individuals earned Committer status, totalling 8,022. 
• 34 individuals were elected as new ASF Members, totalling 813.

Apache Projects/Code —https://projects.apache.org/statistics.html

3,258 Apache Committers changed 117,350,563 lines of code over 247,451 commits.

Top 5 Committers

• Andrea Cosentino (6,357 commits; 2,003,123 lines changed)
• Jean-Baptiste Onofré (3,120 commits; 735,656 lines changed)
• Claus Ibsen (2,838 commits; 1,919,860 lines changed)
• Mark Thomas (2,360 commits; 185,548 lines changed)
• Gary Gregory (2,188 commits; 234,845 lines changed)

Top 5 Apache Project Repositories by Size (Lines of Code)

• Tuweni (incubating; 7,822,771 --Tuweni is Apache's first project in the Blockchain space)
• Flex (7,007,693)
• NetBeans (6,582,707)
• OpenOffice (6,376,683)
• Hadoop (3,521,559)

Top 5 Apache Project Repositories by Commits

• Camel
• Flink
• Airflow
• Lucene/Solr
• Spark

GitHub: Top 5 Most Active Apache Project Sources (clones)

• Thrift
• Beam
• Arrow
• Geode
• Cordova

GitHub: Top 5 Most Active Apache Project Sources (visits)

• Spark
• Flink
• Kafka
• Beam
• Camel

Mailing Lists —https://lists.apache.org/

"If it didn’t happen on-list, it didn’t happen"

The ASF’s day-to-day operations, including Apache project and community development, takes place on ~1,450 public and ~700 private mailing lists. 

In 2020, 18,388 authors sent 2,139,458 emails on 774,364 topics.

Top 5 most active Apache Project user@ mailing lists

• Flink
• Lucene-Solr
• OpenMeetings
• Ignite
• Tomcat

Top 5 most active Apache Project dev@ mailing lists

• Tomcat
• Flink
• Royale
• James
• Beam

Contributor License Agreements and Software Grants —https://www.apache.org/licenses/

Individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. Over the past year, the ASF had received: 

• ICLAs - 708
• CCLAs - 35
• Grants - 35

Sponsorship and Individual Support —http://apache.org/foundation/contributing.html

The ASF benefits from the generosity of hundreds of individual donors and corporate Sponsors, whose support helps offset the ASF's day-to-day expenses for Accounting, Fundraising, Infrastructure, Legal, Marketing & Publicity, and other services.

ASF Sponsors provide financial backing for the ASF's operations. They are:

PLATINUM: Amazon Web Services, Facebook, Comcast, Google, Huawei, Pineapple Fund, Tencent, and Verizon Media.

GOLD: Anonymous, Baidu, Bloomberg, Cloudera, Handshake, IBM, Reprise Software, Union Investment, and Workday.

SILVER: Aetna, Alibaba Cloud Computing, Budget Direct, Capital One, Cerner, Inspur, Red Hat, and Target.

BRONZE: Airport Rentals, The Blog Starter, Bookmakers. Cash Store, Bestecasinobonussen.nl, Casino2k, Curity, The Economic Secretariat, Gundry MD, Host Advice, HostChecka.com, Indian Online Casino, Journal Review, LeoVegas, Miro-Kredit AG, Mutuo Kredit AG, Online Holland Casino, ProPrivacy, PureVPN, RX-M, SCAMS.info, SevenJackpots.com, Software Guru, Start a Blog by Ryan Robinson, Talend, The Best VPN, Top10VPN, Twitter, and Xplenty.

ASF Targeted Sponsors provide the Foundation with non-financial contributions for specific operational activities or programs. They include:

TARGETED PLATINUM: Amazon Web Services, CloudBees, DLA Piper, JetBrains, LeaseWeb, Microsoft, OSU Open Source Labs, Sonatype, and Verizon Media.

TARGETED GOLD: Atlassian, The CrytpoFund, Datadog, PhoenixNAP, and Quenda.

TARGETED SILVER: HotWax Systems, Manning Publications, and Rackspace.

TARGETED BRONZE: Bintray, Education Networks of America, Friend of Apache Cordova, Google, Hopsie, No-IP, PagerDuty, Peregrine Computer Consultants Corporation, Sonic.net, SURFnet, and Virtru.

Apache Members, Committers, contributors, users, supporters, and Sponsors further the ASF’s mission of providing Open Source software for the public good. Help keep Apache software accessible to everyone by making a contribution* to the ASF https://donate.apache.org/ , becoming a Sponsor, or adding us to your Corporate Giving program. Please visit http://apache.org/foundation/contributing.html for more information.

Best wishes for a stellar 2021!

* The ASF is a US 501(c)(3) not-for-profit charitable organization, whose tax identification number is 47-0825376. The ASF is recognized by Charity Navigator and cited with the Gold Seal of Transparency by GuideStar.

# # #

Posted at 01:07PM Jan 01, 2021 by Sally Khudairi in Milestones  |   | 

Apache Month in Review: December 2020

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in December:

Support Apache --

When we founded the ASF 21 years ago, we made a commitment to ensure Apache software is freely available to everyone worldwide at 100% no cost. Today the ASF provides more than $21B worth of software developed by an all-volunteer community. 

 - from Individual and Corporate donations to online shopping, Corporate Charitable Giving, Matching Gifts, and Sponsorship, There are many ways to help the ASF with a tax-deductible contribution https://s.apache.org/2020SupportApache

New this month --

 - ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
   -- Videos of all ApacheCon@Home sessions, including Plenaries and Keynotes, are available https://www.youtube.com/c/TheApacheFoundation/

 - Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

 - "Inside Infra" – the interview series featuring members of the ASF Infrastructure team
   -- Meet Andrew Wetmore --Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2

 - Apache Month in Review: November 2020 https://s.apache.org/Nov2020

Important Dates --

  - Next Board Meeting: 20 January 2021. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Infrastructure --

In December, 837 Apache Committers changed 11,192,118 lines of code over 18,775 commits. The Committers with the top 5 highest contributions, in order, were: Andrea Cosentino, Xiang Xiao, Hugh Miles, Andi Huber, and Gary Gregory.

Project Releases and Updates --

New releases from Apache Accumulo (Big Data); Airflow (Big Data); APISIX (API); Avro (Big Data); Beam (Big Data); Bigtop (Big Data); Camel (Integration); Flink (Big Data); Groovy (Programming Languages); HBase (Big Data); HttpComponents Core (Servers); IoTDB (IoT); Jackrabbit (Content); JMeter (Testing); JSPWiki (Content); Kafka (Big Data); Knox (Big Data); OpenMeetings (Web Conferencing); PDFBox (Content); Pulsar (Messaging); Rya (Big Data); ShardingSphere (Big Data); SINGA (Machine Learning); Skywalking (Application Performance Management); Struts (Web Frameworks); Syncope (Identity Management); Tika (Big Data); Tomcat (Servers); Traffic Control (Servers); Traffic Server (Servers); Yetus (Library).

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. New to the Apache Incubator in December: Wayang (Big Data). We invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/ .

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 10:35AM Jan 01, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 25 December 2020

Hurrah for Friday: Happy Christmas to those who celebrate! We've had a great week within the Apache community. Here's what happened:

Support Apache – final days to make a tax-deductible, year end donation! Help the ASF continue to provide $20B+ worth of software –at 100% no cost– for the public good https://s.apache.org/2020SupportApache

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.98%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 301 Apache Committers changed 1,718,280 lines of code over 2,668 commits. Top 5 contributors, in order, are: Andi Huber, Michael Stack, Sylwester Lachiewicz, Andrea Cosentino, and Claus Ibsen.                              

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Kafka 2.7.0 released https://kafka.apache.org/

Content --
 - Apache PDFBox 2.0.22 released https://pdfbox.apache.org/
 - Apache JSPWiki 2.11.0.M8 released https://jspwiki-wiki.apache.org/

Identity Management --
 - Apache Syncope 2.1.8 released https://syncope.apache.org/

Integration --
 - Apache Camel 3.4.5 released https://camel.apache.org/

Did You Know?

- Did you know that some of the latest podlings to enter the Apache Incubator include BlueMarlin (advertising), Hop (orchestration), Liminal (Machine Learning), Sedona (geospatial), and Wayang (Big Data)? http://incubator.apache.org/projects/

- Did you know that the top 5 languages of all Apache projects are (in order): Java, C, Python, C++, and JavaScript? https://projects.apache.org/

- Did you know that ASF Targeted Sponsor Manning Publications is offering special deals on the latest books on Apache Airfow, Pulsar, Spark, and Thrift, among other titles and MEAP (Manning Early Access Program) eBooks? https://deals.manning.com/the-latest-apache-innovations/

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 11:26AM Dec 25, 2020 by Swapnil M Mane in Newsletter  |   | 

The Apache Software Foundation Operations Summary: 1 August - 31 October 2020

FOUNDATION OPERATIONS SUMMARY

Second Quarter, Fiscal Year 2021 (August - October 2020)

"The Apache Way ensures all participants have equal representation and footing, and developers are valued based on their contributions' merits. Bloomberg developers first got involved as Open Source community collaborators and contributors seven years ago, and we've been involved with –and a sponsor of– the ASF almost this entire time, as it’s the home of dozens of projects that are incredibly important to us."
—Kevin Fleming, Head of Open Source Community Engagement and Member of the CTO Office at Bloomberg (ASF Gold Sponsor)

> President's Report

This has been a largely quiet quarter for The Apache Software Foundation. By quiet, I mean that the operations side of the ASF has just been working with little drama, despite the fact that we're in the midst of a global pandemic. Whether it's been Apachecon@Home, the publication of research from Diversity and Inclusion, the day-to-day operations of Fundraising, Marketing, and Infrastructure continue unabated.

In some ways, I guess that is boring. There were no disasters that we had to deal with. While I was getting ready for my Apachecon@Home keynote, I was thinking about the impact of the pandemic on the ASF and the world. If you look at the statistics you'd be hard pressed to find much in terms of impact of the pandemic. In many ways, our distributed, asynchronous, consensus-based method of getting things done has set us up for success.

Maybe 'boring' is the definition of success for the ASF. A 'boring' status where our project communities deliver innovative Open Source software unabated.

> Conferences and Events http://apachecon.com/ 

During this time we held ApacheCon @Home 2020, September 28th through October 1st. This was our first virtual conference, and the largest conference we have yet held in our 22 years of running ApacheCon.

We have provided some statistics in our post-event report, at https://blogs.apache.org/conferences/entry/apachecon-home-2020-was-a

Some highlights include:

• 5743 registrations
• 66.7% of speakers were first time speakers
• 82.9% of attendees were at their first ApacheCon ever
• 306 sessions (all now on YouTube at https://www.youtube.com/theapachefoundation )
• 26 tracks of content
• Sessions in German, Hindi and Mandarin, in addition to English
• Attendees, and speakers, from 6 continents

ApacheCon was made possible by our sponsors. Platinum sponsors were Instaclustr, Red Hat, DataStax, VMWare, Apple, Amazon, IBM, and Imply. Gold sponsors were OpenLogic, Cerner, and RX-M. Bronze sponsors were Codethink, US Postgresql Association, and Muse.dev. A huge thank you to them!

In the coming months we hope to have some smaller, project/topic focused events, but planning for these is still in the early stages, and we have no specific plans yet.

We are also cautiously looking at plans for 2021: We assume, at this point, based on the employee travel policies of major tech companies, that we will be holding ApacheCon 2021 online also. We hope to have details in early 2021.

The Pulsar Summit Asia will be held November 28th and 29th, also online. Details are available at https://pulsar-summit.org/  

> Community Development http://community.apache.org/ 

The main focus of this quarter was preparing for and participating in ApacheCon@Home. Our Community track ran over 3 days and 2 time zones and began with a presentation in Hindi. This was very significant for us as it was the first time that we have presented community content at ApacheCon in a language other than English. Being accessible in other languages is helping reach other potential contributors. Our track attracted a good audience and many of the sessions achieved a good interaction and participation via questions from the audience. 

During the event we showed the recently released ASF documentary video "Trillions and Trillions Served" at our online booth. We need to continue to investigate new ways for managing an online booth as it was difficult to understand when and how we could interact with the community at the same time being focussed on our own track.

Our Apache Local Communities (ALC) were strongly represented at ApacheCon@Home and the Indore Chapter held a range of meetings focussed on promoting the Apache Way.

All the videos from all the community sessions are now available on the ASF Youtube channel.

We have started preparing for GSoC 2021 and will once again be applying to become a mentoring organisation. In parallel we have sent out communications to all ASF project to begin gathering ideas for potential GSoC projects.

We are continuing to look for events where we can participate such as our Apache Roadshow China and FOSS Backstage.

Our mailing list has seen a significant decrease in traffic compared with the previous quarter. Even with the decrease we did get a lot of community involvement and activity during ApacheCon@Home which is not reflected in the mailing list statistics.

> Committers and Contributions http://apache.org/licenses/contributor-agreements.html 

Over the past quarter, 1,540 contributors committed 61,208 changes that amount to 28,336,795 lines of code across Apache projects. The top 5 contributors, in order, were: Andrea Cosentino (1,813 commits), Mark Miller (926 commits), Claus Ibsen (790 commits), Mark Thomas (771 commits), and Jean-Baptiste Onofré (742 commits).

All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF.

During Q2 FY2021, the ASF Secretary processed 151 ICLAs, 9 CCLAs, and 5 Software Grants. History of Apache committer growth can be seen at https://projects.apache.org/timelines.html

> Brand Management http://apache.org/foundation/marks/ 

Operations —the work of the Brand Management team falls broadly into one of three categories:

• trademark transfers and registrations
• granting permission to use our marks
• addressing potential infringements of our marks

The volume of work this quarter is about half of what it was last quarter. This may be an impact of Covid-19 (fewer events), part of the natural fluctuation in activity or a combination of the two.

This quarter has seen the usual collection of requests to use Apache marks for user groups, events, merchandise and publications with nearly all requests being granted, subject to our Trademark Usage Policy.

Registrations —This quarter was also a relatively quiet one for registrations. We made progress on a number of our pending registrations, particularly in China, but we did not complete any registrations this quarter.

Infringements —Potential infringements are brought to our attention from both internal and external sources. The majority of infringements we see are accidental and our project communities are able to resolve these quickly and informally with occasional input from the Brand Management team. A small number of issues take longer to resolve. We made progress on some of these this quarter and hope that that progress will continue next quarter.

We have continued to address the infringements reported to us relating to products using our marks being sold through various online stores. We hope to resolve a number of these in the coming quarter.

And finally…

The Brand Management team welcomes your comments and suggestions as well as any questions you might have. Please see https://www.apache.org/foundation/marks/contact for our contact details.

> Security http://apache.org/security/ 

We continued to work on handling incoming security issues, keeping projects reminded of their outstanding issues, allocation of CVE names, and other general oversight and advice.

For Q2 we tracked 124 new vulnerability reports across 48 projects. (Q2 last year for comparison was 116 reports). Those reports led to 23 published CVE vulnerabilities.

> Privacy http://apache.org/foundation/policies/privacy.html 

This quarter ends without any complaints from users, committers or other parties.

The VP Privacy can be reached in private with the new email alias vp-privacy@apache.org.

A check of our privacy policy showed that we have several issues with our main site which needs to be addressed (not exhaustive):

• We need to add Youtube, Google Fonts etc to the privacy statement
• We need to update the policy to give the correct contact for complaints (no longer dev@)
• We need to check if we actually need AdSense code 

Also, we should make sure to apply cookie laws.

The reason for the check is the open issue around status.apache.org since we need to cover that site with our privacy policy as well.

In another finding, Apache Whimsy shows all kinds of email addresses (i.e. personal ones) to all committers. This should be an option, so committers can decide if they want their email address shown and also the possibility to remove email addresses. Same issue is with the postal address shown. This issue has not yet been addressed and needs to be communicated to the Apache Whimsy team.

We have open discussion how ICLA (and similar documents) should be stored.

> Treasury and Financial Statement --map against https://s.apache.org/FY2019AnnualReport 

The Foundation is in excellent fiscal shape with all tax and compliance forms filed on time. Latest public filings can be found at http://www.apache.org/foundation/records/ . I have advised that officers minimize expenses until there is more certainty in global economic outlooks.  Officers have done so by delaying new investments.  This quarter we conducted ApacheCon@Home which operated with a profit via our generous sponsors.

We made a technical adjustment to our accounting to recognize the income of $892,882 from the very generous Pineapple fund donation as a public donation. The donation was originally made at the beginning of 2018. Removing this one-time donation from consideration, our losses this quarter were $141,848.

The majority of our cash remains in a CDARS account at Boston Private which provides FDIC insurance for the full amount. See below for income and expenses:

> Diversity and Inclusion http://diversity.apache.org/

Important milestones were accomplished for two of the major projects driven by the Diversity and Inclusion committee as follows: 

Project 1: Research on the current status of Diversity and Inclusion at the ASF

This project was composed of two initiatives: The ASF Community Survey and a User Experience Research for contributors of underrepresented groups. These two initiatives concluded in Q2 and we are now working on a final report, expected to be published and shared with the ASF membership in Q3. 

For the ASF Community Survey, we recorded a read out, which you can watch in our official YouTube channel https://s.apache.org/pnkzw , and read the slides shared in the D&I wiki https://cwiki.apache.org/confluence/display/EDI/**+Files+and+Resources .

In the User Experience research, we conducted 19 one-on-one interviews, which provided insightful information on how we can help our community to ease the challenges experienced by contributors in our Apache community, especially those coming from under-represented backgrounds. You can find early results on these interviews in our public mailing list https://s.apache.org/ibs4z . 

In Q3, the work will be focused on publishing the official reports, which will include recommendations for our projects and the community in general, to enable the participation of folks from diverse backgrounds. 

Project 2: Internships for underrepresented groups (Outreachy)

The second round of internships for the Outreachy program concluded in August. We had four participants, which brought the total number of interns to 5 in our first year of participation. 

The third period of internships starts this December, we’ll have six interns for six different Apache projects, you can see the full list of interns and projects in the Outreachy working group notes https://s.apache.org/8ahu8 .

This program has provided opportunities to learn about the experience of new contributors to the participation project, and we look forward to analyzing them in the same context as the scientific data gathered with the survey and user experience interviews. 

> Fundraising http://apache.org/foundation/contributing.html

This past quarter has been fairly quiet for the Fundraising team aside from the wonderful success of ApacheCon@Home. We are ecstatic to report that eight Sponsors joined the ApacheCon family this year for the event. Feel free to check out our YouTube channel for recordings of all the talks.

Despite the pandemic and challenges it brings, we continue to see strong support from the community. Individual donations have been particularly strong this quarter (see https://whimsy.apache.org/board/minutes/Fundraising.html  for month by month playlist). We have also had a few Sponsors either increase or decrease their support level this quarter and are pleased to welcome two new Bronze sponsors to the Apache family.

As always, we are immensely thankful to our sponsors, who make it possible for our communities to build world-changing software -- 

PLATINUM: Amazon Web Services, Comcast, Facebook, Google, LeaseWeb, Pineapple Fund, Verizon Media, Tencent

GOLD: Anonymous, ARM, Bloomberg, Cloudera, Handshake, Huawei, IBM, Indeed, Union Investment, Workday

SILVER: Aetna, Alibaba Cloud Computing, Baidu, Budget Direct, Capital One, Cerner, Inspur, Red Hat, Target

BRONZE: Airport Rentals, The Blog Starter, Bookmakers, Cash Store, Bestecasinobonussen.nl, CarGurus, Casino2k, The Economic Secretariat, Emerio, Footprints Recruiting, Gundry MD, HostChecka.com, Host Advice, HostingAdvice.com, Journal Review, LeoVegas Indian Online Casino, Mutuo Kredit AG, Online Holland Casino, ProPrivacy, PureVPN, RX-M, SCAMS.info, Site Builder Report, Start a Blog by Ryan Robinson, Talend, The Best VPN, Top10VPN, Twitter, Web Hosting Secret Revealed, Xplenty

TARGETED PLATINUM: CloudBees, DLA Piper, JetBrains, Microsoft, OSU Open Source Labs, Sonatype, Verizon Media

TARGETED GOLD: Atlassian, The CrytpoFund, Datadog, PhoenixNAP, Quenda

TARGETED SILVER: Amazon Web Services, HotWax Systems, Rackspace

TARGETED BRONZE: Bintray, Education Networks of America, Google, Hopsie, No-IP, PagerDuty, Peregrine Computer Consultants Corporation, Sonic.net, SURFnet, Virtru

To sponsor The Apache Software Foundation, visit http://apache.org/foundation/sponsorship.html . To make a one-time or monthly recurring donation, please visit https://donate.apache.org/ .

= = =

Report prepared by Sally Khudairi, Vice President Marketing & Publicity, with contributions by David Nalley, President; Rich Bowen, Vice President Conferences; Mark Cox, Vice President Security; Sharan Foga, Vice President Community Development; Christian Grobmeier, Vice President Data Privacy; Myrle Krantz, Treasurer; Griselda Cuevas, Vice President Diversity & Inclusion, Vice President Fundraising; and Mark Thomas, Vice President Brand Management.

For more information, subscribe to the announce@apache.org mailing list http://apache.org/foundation/mailinglists.html#foundation-announce and visit http://www.apache.org/ , the ASF Blog at http://blogs.apache.org/ , the @TheASF on Twitter https://twitter.com/TheASF , and LinkedIn https://www.linkedin.com/company/the-apache-software-foundation .

(c) The Apache Software Foundation 2020.

# # #

Posted at 02:31PM Dec 22, 2020 by Sally Khudairi in General  |   | 

The Apache News Round-up: week ending 18 December 2020

And it's Friday! Let's take a look at what the Apache community has been up to over the past week:

Inside Infra – the interview series featuring members of the ASF Infrastructure team.
 - Andrew Wetmore --Part II https://s.apache.org/InsideInfra-Andrew2

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.93%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 356 Apache Committers changed 1,752,073 lines of code over 3,151 commits. Top 5 contributors, in order, are: Gary Gregory, Andi Huber, Claus Ibsen, Tilman Hausherr, and Tomaz Muraus.                          

Apache Project Announcements – the latest updates by category.

API --
 - Apache APISIX Dashboard 2.2 released https://apisix.apache.org/

Big Data --
 - Apache Beam 2.26.0 released https://beam.apache.org/
 - Apache Knox 1.5.0 released http://knox.apache.org/
 - Apache Flink 1.12.0 and 1.11.3 released https://flink.apache.org/
 - Apache Qpid JMS 0.56.0 released https://qpid.apache.org/
 - Apache Bigtop 1.5.0 released https://bigtop.apache.org/
 - Apache HBase 2.4.0 released https://hbase.apache.org/
 - Apache Airflow 1.10.14 released https://airflow.apache.org/
 - Apache Airflow CVE-2020-17513: Server-Side Request Forgery (SSRF) in Charts & Query View https://s.apache.org/162rf , and
   CVE-2020-17511: Airflow admin password gets logged in plain text https://s.apache.org/2bbfj

Integration --
 - Apache Camel 3.7.0 released https://camel.apache.org/

IoT --
 - Apache IoTDB 0.11.1 released https://iotdb.apache.org/

Messaging --
 - Apache Pulsar CVE-2020-17520: Pulsar Manager security bug (bypass admin interceptor) https://s.apache.org/4fj8c

 
Did You Know?

- Did you know that the Apache Roadshow/China drew more than 1.5M viewers online? Sessions were organized by ASF Members and Apache Local Community Beijing Chapter participants, and featured Apache eCharts, IoTDB, SkyWalking, and more https://www.bagevent.com/event/6844986/p/431034  

- Did you know that Apache Airflow, Druid, Hadoop, HDFS, Hive, Kafka, Superset, and other projects power more than 1.5 petabytes of data at Airbnb? https://projects.apache.org/projects.html?category

- Did you know that ASF Corporate Giving Contributors Bloomberg Philanthropy, IBM, Microsoft, PayPal, Charles Schwab, Vanguard, and other supporting organizations help the ASF's all-volunteer community provide $20B+ worth of software 100% free-of-charge? Support Apache today with a one-off, recurring, matching gift, or other corporate contributions? Consider a year-end gift to benefit the ASF http://apache.org/foundation/contributing.html  

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 04:06PM Dec 18, 2020 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 11 December 2020

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 December 2020. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.91%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 398 Apache Committers changed 1,767,303 lines of code over 3,476 commits. Top 5 contributors, in order, are: Hugh Miles, Andi Huber, Mark Thomas, Ganesh Murthy, and Claus Ibsen.                   

Apache Project Announcements – the latest updates by category.

API --
 - Apache APISIX Dashboard 2.1.1 released https://apisix.apache.org/

Big Data --
 - Apache Avro 1.10.1 released https://avro.apache.org/

Content --
 -  Apache Jackrabbit Oak 1.8.24 released http://jackrabbit.apache.org/

Library --
 - Apache Yetus 0.13.0 released https://yetus.apache.org/

Programming Languages --
 - Apache Groovy 2.4.21, 2.5.14, 3.0.7, and 4.0.0-alpha-2 released https://groovy.apache.org/
 - Apache Groovy CVE-2020-17521: Groovy Information Disclosure https://s.apache.org/k8n0d

Messaging --
 - Apache Pulsar 2.7.0 released https://pulsar.apache.org/

Servers --
 - Apache Traffic Control 4.1.1 released https://trafficcontrol.apache.org/
 - Apache Tomcat 8.5.61, 9.0.41, and 10.0.0 (beta) available http://tomcat.apache.org/

Testing --
 - Apache JMeter 5.4 released https://jmeter.apache.org/

Web Conferencing --
 - Apache OpenMeetings 5.1.0 released https://openmeetings.apache.org/

Web Frameworks --
 - Apache Struts 2.5.26 released https://struts.apache.org/
 - Apache Struts CVE-2020-17530: Potential RCE when using forced evaluation https://s.apache.org/hwr92

 
Did You Know?

- Did you know that when we founded the ASF 21 years ago, we made a commitment to ensure our software is freely available to all users worldwide at 100% no cost? Today the ASF provides more than $21B worth of software developed by an all-volunteer community. Your tax-deductible contribution helps us continue our effort. https://donate.apache.org/  

- Did you know that the Financial Times' real-time batch processing, stream processing, and analytics are powered by Apache Airflow, Avro, Kafka, Parquet, and Spark? https://projects.apache.org/projects.html?category#big-data 

- Did you know that Airbnb uses Apache Druid, Hadoop, Hive, Kafka, Spark, Superset, ZooKeeper, and other Apache projects to power 1.5 petabytes of data in real-time? https://projects.apache.org/projects.html?category#big-data 

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 12:27PM Dec 11, 2020 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 4 December 2020

Welcome, December --we're opening the month with another great week. Here's what the Apache community has been up to:

Inside Infra – the interview series featuring members of the ASF Infrastructure team.
 - Andrew Wetmore --Part I https://s.apache.org/InsideInfra-Andrew

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 December 2020. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home now available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 407 Apache Committers changed 1,758,756 lines of code over 3,611 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Paul King, Daniel Sun, Hugh Miles, and Jarek Potiuk.                    

Apache Project Announcements – the latest updates by category.

API --
 - Apache APISIX 2.1 released https://apisix.apache.org/

Application Performance Monitoring --
 - Apache SkyWalking 8.3.0 and CLI 0.5.0 released https://skywalking.apache.org/

Content --
 - Apache Tika 1.25 released https://tika.apache.org/
 - Apache Jackrabbit 2.18 released http://jackrabbit.apache.org/

IoT --
 - Apache IoTDB 0.11.0 released https://iotdb.apache.org/

Programming Languages --
 - Apache Groovy 2.4.21 released https://groovy.apache.org/

Machine Learning --
 - The Apache Software Foundation Announces Apache® TVM™ as a Top-Level Project https://s.apache.org/59g4a
 - Apache SINGA 3.1.0 released http://singa.apache.org/

Servers --
 - Apache HttpComponents Core 4.4.14, 5.0.3 GA, and 5.1 BETA2 released https://hc.apache.org/
 - Apache Traffic Server 8.1.1 and 7.1.12 released https://trafficserver.apache.org/

 
Did You Know?

- Did you know that 17 Apache projects are celebrating anniversaries this month? Many happy returns to Apache Portable Runtime (APR; 20 years); Logging Services (17 years); Cayenne and OFBiz (14 years); Synapse (13 years); Camel (12 years); Axis, OpenWebBeans, Pivot (11 years); Aries (10 years); Flex (8 years); Helix (7 years); Flink (6 years); Beam (4 years); Trafodion (3 years); Airflow (2 years); and Druid (1 year)! https://projects.apache.org/committees.html?date

- Did you know that organizations wishing to support Apache do so through Sponsorship, Corporate Giving Programs, Matching Gifts, and more. Thank you for considering a one-time tax-deductible donation today! http://apache.org/foundation/contributing.html 

- Did you know that Apache TVM is the ASF's first full stack software and hardware co-optimization project? http://tvm.apache.org/

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 10:35AM Dec 04, 2020 by Swapnil M Mane in Newsletter  |   |