The Apache Software Foundation
Blogging in Action.

The Apache News Round-up: week ending 24 June 2022

Happy Friday, everyone --let's review the Apache community's activities from over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - FINAL CALL: Travel Assistance available for ApacheCon North America. Application deadline 1 July

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 July 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 306 Apache Committers and 829 contributors changed 2,186,931 lines of code over 3,155 commits. Top five contributors, in order, are: Sebastian Rühl, Mark Thomas, Ivan Zhakov, Gary Gregory, and Andriy Redko.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Druid 0.23.0 released
 - Apache Kyuubi (Incubating) 1.5.2-incubating released
 - Apache ShardingSphere 5.1.2 released

Databases --
 - Apache Geode 1.15.0 released

Middleware --
 - Apache Karaf runtime 4.2.16 released

Observability --
  - Apache SkyWalking Java Agent 8.11.0 released

Search --
 - Apache Lucene 8.11.2 released
 - Apache Solr 8.11.2 released

Servers --
 - Apache Tomcat CVE-2022-34305 - XSS in examples web application

Web Frameworks --
 - Apache Portals Jetspeed-2, Bridges and Applications are now retired as dormant

Workflow -
 - New Apache Airflow Providers released

Did You Know?

- Did you know that Lyft uses Apache Beam to enable real-time ML streaming feature generation and model execution, optimize  Marketplace ML predictions, and process ~4 million events/minute?   

- Did you know that eCommerce platform Fordeal's Big Data platform scheduler is powered by Apache DolphinScheduler? 

- Did you know that Apache Druid's extremely efficient data representation as rollup makes it the database of choice for AdTech data?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 11:46AM Jun 27, 2022 by Sally Khudairi in Newsletter  |   | 

The Apache News Round-up: week ending 17 June 2022

Happy Friday, everyone --here's what the Apache community has been up to over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - Sponsorships available for ApacheCon Asia - 29-31 July (online) and ApacheCon North America - 3-6 October (New Orleans) https://www.apachecon.com/
 - Travel Assistance available for ApacheCon North America. Application deadline 1 July https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 July 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 304 Apache Committers and 847 contributors changed 1,476,355 lines of code over 3,324 commits. Top 5 contributors, in order, are: Mark Thomas, Otavio R. Piske, Clebert Suconic, Harikrishna Patnala, and Robbie Gemmell.    

Apache Project Announcements – the latest updates by category.

Build Management --
 - Apache Maven Enforcer Plugin 3.1.0 released 

Content --
  - Apache Jackrabbit Oak 2.21.11 released

IDE --
  - Apache NetBeans 14 released

Servers --
 - Apache Tomcat 8.5.81, 10.0.22 and Tomcat Native 1.2.34 released

Testing --
 - Apache JMeter 5.5 released 

Did You Know?

- Did you know that Apache CloudStack 4.17 features include IPv6 with static routing and zero downtime upgrades? 

- Did you know that Apache SkyWalking has released 18 versions of various sub-projects in 2022 thus far? 

- Did you know that Apache Camel 3.x features the ability to run standalone without the need for a runtime such as Apache Karaf? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 08:21PM Jun 20, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Software Foundation Announces Apache® Doris™ as a Top-Level Project

Open Source Big Data MPP analytical database engine in use at Baidu, JD, Meituan, Sina, Tencent, and Xiaomi, among others.

Wilmington, DE —16 June 2022— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today Apache® Doris™ as a Top-Level Project (TLP).

Apache Doris is a modern, easy-to-use MPP (massively parallel processing) analytical database system that provides sub-second queries and efficient real-time data analysis. The project was originally developed at Baidu as "Palo", was open-sourced in 2017, and entered the Apache Incubator in July 2018.

"We are very proud that Doris graduated from the Apache Incubator —it is an important milestone," said Mingyu Chen, Vice President of Apache Doris. "Under the guidance of our incubator mentors, we learned how to successfully develop our project and community the Apache Way. We have achieved great growth during the incubation process."

Apache Doris is a database system for OLAP (online analytical processing) scenarios. It integrates Apache Impala, Google Mesa, and state-of-art vectorization technologies to provide sub-second queries and efficient real-time data analysis. Apache Doris meets rigorous data analysis demands in many business fields that include multi-dimensional reporting, user portrait, ad-hoc query, and real-time dashboards. Features include:

• High performance: Use column storage, index, parallel execution, vectorization technology, query optimizer and many other technologies to achieve fast query response.
• Easy-to-use: ANSI SQL syntax support. It can be easily scaled horizontally, and the data replica is automatically repaired and balanced. Does not rely on third-party services.
• Pre-aggregation: Provides multiple pre-aggregation data models and ensures data consistency and automatic query routing.
• Big Data ecosystem integration: Supports the connection with Apache Flink, Apache Hive, Apache Hudi, Apache Iceberg, Apache Spark, and ElasticSearch, among other systems.

Developers using Apache Doris enjoy its simplicity in deploying to hundreds of terabytes, and the ability to meet a variety of data-serving requirements in a single system.

Doris is in use at more than 500 enterprises globally, across a variety of industries such as finance, energy, manufacturing, and telecommunications, among other fields. Many of China’s top 50 Internet companies use Apache Doris, including 360, Baidu, ByteDance, JD, Kwai, Meituan, Netease, Sina, Tencent, and Xiaomi, among others. 

The project recently celebrated the release of Apache Doris 1.0, its eighth release whilst undergoing development in the Apache Incubator (along with six Connector releases), and also welcomed its 300th contributor. 

"Graduation is the starting point of a new journey," added Chen. "Our many plans for the future include continuing to develop Apache Doris, with new contributors and open source technology enthusiasts joining us to help grow our project and community together in the Apache Way."

Catch Apache Doris in action at ApacheCon Asia 2022, taking place 29-31 July https://www.apachecon.com/acasia2022/ .

Availability and Oversight
Apache Doris software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache Doris, visit https://doris.apache.org/ .

About the Apache Incubator
The Apache Incubator is the primary entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects enter the ASF through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/ .

About The Apache Software Foundation (ASF)
Established in 1999, The Apache Software Foundation is the world's largest Open Source foundation, stewarding 227M+ lines of code and providing more than $22B+ worth of software to the public at 100% no cost. The ASF’s all-volunteer community grew from 21 original founders overseeing the Apache HTTP Server to 820+ individual Members and 200 Project Management Committees who successfully lead 350+ Apache projects and initiatives in collaboration with 8,400+ Committers through the ASF's meritocratic process known as "The Apache Way". Apache software is integral to nearly every end user computing device, from laptops to tablets to mobile devices across enterprises and mission-critical applications. Apache projects power most of the Internet, manage exabytes of data, execute teraflops of operations, and store billions of objects in virtually every industry. The commercially-friendly and permissive Apache License v2 is an Open Source industry standard, helping launch billion dollar corporations and benefiting countless users worldwide. The ASF is a US 501(c)(3) not-for-profit charitable organization funded by individual donations and corporate sponsors that include Aetna, Alibaba Cloud Computing, Amazon Web Services, Anonymous, Baidu, Bloomberg, Capital One, Cloudera, Comcast, Confluent, Didi Chuxing, Facebook, Google, Huawei, IBM, Indeed, LINE Corporation, Microsoft, Namebase, Pineapple Fund, Red Hat, Replicated, Salesforce, Talend, Target, Tencent, Union Investment, VMware, Workday, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF .

© The Apache Software Foundation. "Apache", "Doris", "Apache Doris", "Flink", "Apache Flink", "Hive", "Apache Hive", "Hudi", "Apache Hudi", "Iceberg", "Apache Iceberg", "Apache Impala", "Apache Impala", "Spark", "Apache Spark", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Posted at 01:00PM Jun 16, 2022 by Sally Khudairi in General  |   | 

The Apache News Round-up: week ending 10 June 2022

We're wrapping up another great week with the following activities from the Apache community:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - Sponsorships available for ApacheCon Asia - 29-31 July (online) and ApacheCon North America - 3-6 October (New Orleans) https://www.apachecon.com/
 - Travel Assistance available for ApacheCon North America. Application deadline 1 July https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 June 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 307 Apache Committers and 809 contributors changed 7,940,603 lines of code over 3,256 commits. Top 5 contributors, in order, are: Gary Gregory, Jean-Baptiste Onofré, Mark Thomas, Sebastian Rühl, and Claus Ibsen.

Apache Project Announcements – the latest updates by category.

Build Management --
 - Apache Maven Surefire 3.0.0-M7 released

Content --
  - Apache UIMA uimaFIT v3.3.0 released

Cloud Computing --
  - Apache CloudStack 4.17.0.0 released 

Messaging --
 - Apache Qpid proton-dotnet 1.0.0-M1 released 

Observability --
 - Apache SkyWalking 9.1.0 and BanyanDB 0.1.0 released

Servers --
 - Apache HTTP Server 2.4.54 released
    -- CVE-2022-26377: mod_proxy_ajp: Possible request smuggling
    -- CVE-2022-28330: read beyond bounds in mod_isapi
    -- CVE-2022-28614: read beyond bounds via ap_rwrite()
    -- CVE-2022-29404: Denial of service in mod_lua r:parsebody
    -- CVE-2022-30522: mod_sed denial of service
    -- CVE-2022-30556: Information Disclosure in mod_lua with websockets 
    -- CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
 - Apache HttpComponents Client 5.2-beta1 released
 - Apache Tomcat 9.0.64 and 10.1.0-M16 (beta) released

Web Frameworks --
 - Apache MyFaces Core 2.3.10, 2.3-next-M7, 3.0.2 released 
 - Apache Struts 2 ver. 6.0.0 released

Workflow -
 - Apache Airflow 2.3.2 released

Did You Know?

- Did you know that today is the last day you can apply for ASF Security team's paid Security Response Program Manager? Details at https://blogs.apache.org/security/entry/position-available-security-response-program

- Did you know that the latest projects undergoing development in the Apache Incubator include DevLake (Big Data), HugeGraph (graph database), Kvrocks (database), and Uniffle (unified Remote Shuffle Service)? https://incubator.apache.org/projects/#current

- Did you know that the logos of (nearly) all Apache projects are available at http://www.apache.org/logos/ ? Brand and logo usage guidelines are at https://apache.org/foundation/marks/ 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 05:28PM Jun 13, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Software Foundation Announces Apache® AGE™ as a Top-Level Project

Open Source PostgreSQL extension for graph database functionality in use in government agencies, research and education institutions, utility providers, and more.

Wilmington, DE —8 June 2022— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today Apache® AGE™ as a Top-Level Project (TLP).

Apache AGE ("A Graph Extension") is a PostgreSQL extension that provides graph database functionality. The project was originally developed in 2019 as an extension to AgensGraph (Bitnine Global's multi-model database fork of PostgreSQL), and entered the Apache Incubator in April 2020.

"It is incredible to see how far the AGE project has come to its maturity by graduating as a Top-Level Project from the Apache Incubator, which demonstrates the project's ability to self-govern, and furthermore to be a part of the broader ASF community," said Eya Badal Abdisho, Vice President of Apache AGE. "With AGE, our goal is to provide a multi-model database that is designed to be simple and user-friendly, which simultaneously supports the relational and graph data model. AGE enables users to integrate the legacy relational data model and the flexible graph data model in one database."

AGE is a PostgreSQL extension that adds graph query functionality to Postgresql. Through using the Cypher query language in accordance with the openCypher specification, users can access, store and query graph data using PostgreSQL. Users may read and write nodes and edges stored in Postgres, as well as use various algorithms such as variable length edge traversal to analyze data in AGE. Other features include:

• Support for openCypher query language
• Hybrid querying using SQL and Cypher
• Querying multiple graphs
• Property indexes on both vertices and edges
• Integration with Postgres' existing features

Hybrid queries are queries using both openCypher and SQL together. These queries allow data to move between the regular relational database and the graph representation that AGE provides.

AGE is in use across a variety of user organizations, including government agencies, research and education institutions, and utility providers, among others.

"We are very pleased that Apache AGE is the first formal graph database project of the Apache Software Foundation to achieve top-level graduation. We believe that it is a result that proves the development of the only graph database extension based on RDB," said Cheolsun Kang, CEO of Bitnine Global. "In the future, Bitnine Global will continue to support the development of Apache AGE. We are advancing our product by developing a service subscription model based on Apache AGE product support."

"I have been advising my clients to watch this space. The potential of Apache AGE, as a multi-model database, to fill an unmet ‘best of both worlds’ niche was evident," said Jasper Blues, CEO of Liberation Data. "With the community behind it, I’m not at all surprised in the way that AGE has blazed ahead towards that prospective future.

Congratulations to the Apache AGE community on the successes to date! With this graduation milestone, I’m proud to recommend AGE to a number of clients in the SE Asia/Oceania region. For them, a CYPHER-compatible ACID graphDB built on a rock solid foundation is perfect for their business cases."

"Postgres’s fundamental architecture has created a rich ecosystem of extensions and made Postgres the de-facto choice for developers and enterprises looking for a next-generation flagship data platform. AGE continues to build on that tradition and adds powerful graph analytics functionality to the traditional relational data platforms," said Mehboob Alam, Postgres community advocate. "Melding traditional analytics and real-time graph intelligence is going to be a game-changer and AGE will be instrumental in this exciting future."

The project recently released Apache AGE v1.0.0-incubating, the sixth release whilst undergoing development in the Apache Incubator. Future releases of Apache AGE will support PostgreSQL 12 and higher, more key features from AgensGraph, and will be further improved to be a compatibility extension for all relational DB, starting with integration into MySQL and MariaDB.

"Graduating as an Apache Top-Level Project is only the beginning, our journey continues through the excellent efforts of the greater Apache AGE community," added Badal Abdisho. "Join our community. We always welcome new additions and contributions to the Apache AGE project to help data communities explore and utilize the benefits of graph technologies, under the Apache Way."

Catch Apache AGE in action at ApacheCon Asia 2022 (29-31 July; https://apachecon.com/acasia2022/), and PostgreSQL Conference Europe (25-28 October; https://2022.pgconf.eu/)

Availability and Oversight
Apache AGE software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache AGE, visit https://age.apache.org and https://twitter.com/apache_age .

About the Apache Incubator
The Apache Incubator is the primary entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects enter the ASF through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/ . 

About The Apache Software Foundation (ASF)
Established in 1999, The Apache Software Foundation is the world's largest Open Source foundation, stewarding 227M+ lines of code and providing more than $22B+ worth of software to the public at 100% no cost. The ASF’s all-volunteer community grew from 21 original founders overseeing the Apache HTTP Server to 820+ individual Members and 200 Project Management Committees who successfully lead 350+ Apache projects and initiatives in collaboration with 8,400+ Committers through the ASF's meritocratic process known as "The Apache Way". Apache software is integral to nearly every end user computing device, from laptops to tablets to mobile devices across enterprises and mission-critical applications. Apache projects power most of the Internet, manage exabytes of data, execute teraflops of operations, and store billions of objects in virtually every industry. The commercially-friendly and permissive Apache License v2 is an Open Source industry standard, helping launch billion dollar corporations and benefiting countless users worldwide. The ASF is a US 501(c)(3) not-for-profit charitable organization funded by individual donations and corporate sponsors that include Aetna, Alibaba Cloud Computing, Amazon Web Services, Anonymous, Baidu, Bloomberg, Capital One, Cloudera, Comcast, Confluent, Didi Chuxing, Facebook, Google, Huawei, IBM, Indeed, LINE Corporation, Microsoft, Namebase, Pineapple Fund, Red Hat, Replicated, Salesforce, Talend, Target, Tencent, Union Investment, VMware, Workday, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF . 

© The Apache Software Foundation. "Apache", "AGE", "Apache AGE", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Posted at 01:00PM Jun 08, 2022 by Sally Khudairi in General  |   | 

The Apache News Round-up: week ending 3 June 2022

Welcome, June --we're opening the month with another great week. Here's what the Apache community has been up to:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - Sponsorships available for ApacheCon Asia - 29-31 July (online) and ApacheCon North America - 3-6 October (New Orleans) https://www.apachecon.com/
 - Travel Assistance available for ApacheCon North America. Application deadline 1 July https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 June 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 296 Apache Committers and 769 contributors changed 1,747,550 lines of code over 3,685 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Igor Ostapenko, Jarek Potiuk, Mark Thomas, and Gary Gregory.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.14.1 released

Build Management --
 - Apache Maven Invoker Plugin 3.3.0 released 
 - Apache Archiva 2.2.8 released

Content --
  - Apache Tika 1.28.3 released 
    -- CVE-2022-30973: Missing fix for CVE-2022-30126 in 1.28.2

Messaging --
 - Apache Qpid ProtonJ2 1.0.0-M6 released 

Libraries --
  - Apache MXNet (Incubating) 1.9.1 released

Orchestration --
  - Apache Hop 2.0.0 released

Programming Languages --
 - Apache Groovy 2.5.17 and 3.0.11 released

Workflow -
 - Apache DolphinScheduler 3.0.0-beta-1 released

Did You Know?

- Did you know that the following Apache projects and their communities are celebrating anniversaries this month? Many happy returns to SpamAssassin (18 years); Santuario (16 years); Commons and Wicket (15 years); Sling (13 years); Karaf (12 years); Flume and VCL (10 years); Mesos (9 years); Atlas and Mynewt (5 years). Congratulations!  https://projects.apache.org/committees.html?date

- Did you know that the second Apache Hop Meetup will be taking place online on 9 June?

- Did you know that Ignite Summit (14 June/Online) will start with full-day trainings on 13 June? 

- Did you know that Beam Summit (18-20 July/Austin and Online - hybrid) will be holding workshops on 20 July? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 03:27PM Jun 07, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 27 May 2022

Farewell, May --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 June 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 291 Apache Committers and 798 contributors changed 3,065,234 lines of code over 3,676 commits. Top 5 contributors, in order, are: Clebert Suconic, Gary Gregory, Robbie Gemmell, Jarek Potiuk, and Mark Thomas.   

Apache Project Announcements – the latest updates by category.

Build Management --
 - Apache Maven CVE-2022-29599: Commandline class shell injection vulnerabilities

Messaging --
 - Apache Pulsar Manager 0.3.0 released

Middleware --
 - Apache Linkis 1.1.1 (incubating) released

Observability --
 - Apache SkyWalking Rover 0.1.0, Satellite 1.0.0, and BanyanDB Java Client 0.1.0 released

Search --
 - Apache Lucene 9.2.0 released

Servers --
 - Apache Tomcat 8.5.79 released

Did You Know?

- Did you know that the ASF Security team has opened a paid position for Security Response Program Manager?

- Did you know that the upcoming Apache Cassandra 4.1 will feature a new client-side hash password tool?

- Did you know that you can support the ASF through one-time and recurring tax-deductible donations online using Apple Pay, Google Pay, and Microsoft Pay using your mobile phone? https://donate.apache.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:09PM May 30, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 20 May 2022

Happy Friday, everyone --here's what the Apache community has been up to over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - CFP open: ApacheCon North America - 3-6 October (New Orleans) https://cfp.apachecon.com/
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 June 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.91%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 301 Apache Committers and 836 contributors changed 4,481,686 lines of code over 3,397 commits. Top 5 contributors, in order, are: Jiajing Lu, Mark Thomas, Clebert Suconic, Liang Zhang, and Andi Huber.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache ShenYu (incubating) https://s.apache.org/x1a1q: Regular expression denial of service

Content --
 - Apache Jackrabbit Oak 1.6.x deprecated 
 - Apache Tika CVE-2022-25169: BPGParser Memory Usage DoS
   -- CVE-2022-30126: Regular Expression Denial of Service in Standards Extractor 

Cloud Computing --
 - Apache Kafka 3.1.1 and 3.2.0 released 

Data Management Platform --
 - New Apache Ignite Extensions released

Libraries --
 - Apache ServiceComb Pack version 0.7.0 released 
 - Apache Commons Imaging 1.0-alpha3 released

Observability --
 - Apache SkyWalking Eyes 0.3.0 released 

Servers --
 - Apache Tomcat 9.0.63, 10.0.21, 10.1.0-M15 (alpha) released

Web Conferencing --
  - Apache OpenMeetings 6.3.0 released 

Did You Know?

- Did you know that the ASF Security team has opened a paid position for Security Response Program Manager? https://blogs.apache.org/security/entry/position-available-security-response-program

- Did you know that Zhongshang Huimin's eCommerce platform uses Apache ShardingSphere for order transaction processing and fulfillment for over 1 million supermarkets? 

- Did you know that the Airflow Summit local meetup in Tokyo will be held on 24 May?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:06PM May 23, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 13 May 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - CFP open: ApacheCon North America - 3-6 October (New Orleans) https://cfp.apachecon.com/
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 May 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 352 Apache Committers and 867 contributors changed 5,014,702 lines of code over 3,393 commits. Top 5 contributors, in order, are: Mark Thomas, Liang Zhang, Claus Ibsen, Jarek Potiuk, and Andi Huber.       

Apache Project Announcements – the latest updates by category.

Content --
 - Apache UIMA Java SDK 3.3.0 released 
 - Apache OpenOffice 4.1.12 released

Embedded OS --
 - Apache Mynewt 1.10.0 and Apache NimBLE 1.5.0 released

FinTech --
 - Apache Fineract 1.7.0 released

Libraries --
 - Apache Commons Daemon 1.3.1 released

Search --
 - Apache Solr 9.0.0 released

Did You Know?

- Did you know that China Unicom uses Apache DolphinScheduler for cross-cluster calls in automated billing procedures, including auditing, revenue sharing, and other operations to serve 40 billion voice orders per day? https://dolphinscheduler.apache.org/

- Did you know that Beam Summit (18-20 July/Hybrid) has announced hands-on Workshops?

- Did you know that the Apache Cassandra project is requesting community members to share their experiences of ApacheCon? https://t.co/XumUaVCuTB

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:32PM May 16, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Software Foundation Announces Apache® YuniKorn™ as a Top-Level Project

Open Source universal Big Data and Machine Learning resource scheduler in use at Alibaba, Apple, Cloudera, Lyft, Visa, and Zillow, among others.

Wilmington, DE —16 May 2022— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today Apache® YuniKorn™ as a Top-Level Project (TLP).

Apache YuniKorn is a cloud-native, standalone Big Data and Machine Learning resource scheduler for batch jobs and long-running services on large scale distributed systems. The project was originally developed at Cloudera in March 2019, entered the Apache Incubator in January 2020, and graduated as a Top-Level Project in March 2022.

"The Apache YuniKorn community is striving together to solve the resource scheduling problems on the cloud," said Weiwei Yang, Vice President of Apache YuniKorn. "It's really great to see the Apache Way shine in the incubating process of YuniKorn. We are lucky to have such an open, collaborative, and diverse community, which is sympathetic and cares about everyone's success. This motivates us to keep evolving and gets better every day."

Apache YuniKorn natively supports Big Data application workloads and mixed workloads, and provides a unified, cross-platform scheduling experience. Features include:

• Cloud native —runs on-premise and in a variety of public cloud environments; maximizes resource elasticity with better throughput.
  
  
• Hierarchical resource queues —efficiently manages cluster resources; provides the ability to control the resource consumption for each tenant.
  
  
• Application-aware scheduling —recognizes users, applications, and queues; schedules according to submission order, priority, resource usage, and more.
  
  
• Job ordering —built-in robust scheduling capabilities; supports fairness-based cross-queue preemption, hierarchies, pluggable node sorting policies, preemption, and more.
  
  
• Central management console —monitors performance across different tenants; one-stop-dashboard tracks resource utilization for managed nodes, clusters, applications and queues.
  
  
• Efficiency —reduces resource fragmentation and proactively triggers up-scaling; cloud elasticity lowers overall operational costs.

In addition, the Project has announced the release of Apache YuniKorn v1.0, the fifth update since entering the Apache Incubator. Improvements include: 

• Decreased memory and cpu usage
• Extended metrics and diagnostics information
• New deployment model supporting future upgrades
• Technical preview of the plugin deployment mode

Optimized to run Apache Spark on Kubernetes (open source software container orchestration system), Apache YuniKorn’s performance makes it an optional replacement to the Kubernetes default scheduler. Apache YuniKorn excelled in benchmark tests with other schedulers in resource sharing, resource fairness, preemption, gang scheduling, and bin packing categories, with throughput exceeding 610 allocations per second across 2,000 nodes. 

Posted at 01:00PM May 16, 2022 by Sally Khudairi in General  |   | 

The Apache News Round-up: week ending 6 May 2022

Welcome, May --we're opening the month with another great week. Here's what the Apache community has been up to:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - CFP open: ApacheCon North America - 3-6 October (New Orleans) https://cfp.apachecon.com/
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 May 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 298 Apache Committers and 714 contributors changed 2,668,743 lines of code over 3,291 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Gary Gregory, Liang Zhang, Jiajing Lu, and Benoit Tellier. 

Apache Project Announcements – the latest updates by category.

Content --
 - Apache Tika 1.28.2 and 2.4.0 released 
 - Apache PDFBox 3.0.0-alpha3 released 

Integration --
 - Apache Camel 3.11.7 (LTS) and 3.14.3 (LTS) released

Libraries --
 - Apache Jena CVE-2022-28890: Processing external DTDs

Messaging --
 - Apache ActiveMQ 5.16.5 and 5.17.1 released

Did You Know?

- Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache Geronimo (18 years); Tomcat (17 years); OpenJPA, POI, TomEE, Turbine (15 years); Libcloud (11 years); Giraph, ManifoldCF (10 years); Phoenix (8 years); Whimsy (7 years); Bahir, TinkerPop, Zeppelin (6 years); SystemDS (5 years); Traffic Control (4 years); Dubbo (3 years); Hudi, Iceberg (2 years). https://projects.apache.org/committees.html?date

- Did you know that the ASF Security team has opened a paid position for Security Response Program Manager? https://blogs.apache.org/security/entry/position-available-security-response-program

- Did you know that Japan's Nara Women's University's Researchers Database webapp is powered by Apache Wicket? https://wicket.apache.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:04PM May 09, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 29 April 2022

Farewell, April --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - CFP open: ApacheCon North America - 3-6 October (New Orleans) https://cfp.apachecon.com/
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 May 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 330 Apache Committers and 838 contributors changed 3,654,519 lines of code over 3,500 commits. Top 5 contributors, in order, are: Andi Huber, Liang Zhang, Jean-Baptiste Onofré, Tamas Cservenak, and Tim Allison.    

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf 4.3.7 and Karaf runtime 4.4.0 released

Libraries --
 - Apache Log4cxx 0.13.0 released

Messaging --
 - Apache Qpid JMS 2.0.0 released 

Programming Languages --
 - Apache Groovy 4.0.2 released 

Did You Know?

- Did you know that enterprises seeking to meet their growing demand for rapid analytics with terabytes of real-time analytical data use Apache Ignite? 

- Did you know that the CFP for Pulsar Summit (18 August/San Francisco) closes on 21 May?

- Did you know that Airflow Summit will be held 23-27 May online and free of charge? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:12PM May 02, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 22 April 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP open: ApacheCon Asia - 29-31 July (online) https://apachecon.com/acasia2022/cfp.html
 - CFP open: ApacheCon North America - 3-6 October (New Orleans) https://cfp.apachecon.com/
 - Travel Assistance applications open: for ApacheCon North America. Apply today https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 18 May 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 306 Apache Committers and 772 contributors changed 17,057,661 lines of code over 3,534 commits. Top 5 contributors, in order, are: Michael Osipov, Benoit Tellier, Olivier Lamy, Gary Gregory, and Henrik Krohns.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache CouchDB 3.2.2 released 
 - Apache Beam 2.38.0 released 
 - Apache Kyuubi (Incubating) 1.5.1-incubating released 

Confidential Computing --
 - Apache Teaclave (incubating) 0.4.0 and Teaclave TrustZone SDK 0.2.0 released 

Content --
 - Apache PDFBox 2.0.26 released 

Messaging --
 - Apache Pulsar 2.9.2 and 2.10.0 released 

Middleware --
 - Apache Linkis 1.1.0 (incubating) released

Servers -
 - Apache TomEE 8.0.11 released 

Did You Know?

- Did you know that recent projects undergoing development in the Apache Incubator include HugeGraph (graph database), Linkis (computational middleware), and SeaTunnel (Big Data integration)? https://incubator.apache.org/projects/

- Did you know that the ASF is the top-ranked Open Source not-for-profit organization with the most stars on GitHub? Also ranked #4 of all organizations https://gitstar-ranking.com/

- Did you know that the CFP for Ignite Summit (14 June - online) is now open? https://ignite-summit.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 01:59PM Apr 25, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 15 April 2022

Happy Friday, everyone --here's what the Apache community has been up to over the past week:

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP for ApacheCon North America 2022 (taking place 3-6 October in New Orleans) is now open https://blogs.apache.org/conferences/entry/call-for-presentations-apachecon-north
 - Travel Assistance applications for ApacheCon are open until 1 July https://apache.org/travel/

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 402 Apache Committers and 1,048 contributors changed 17,760,803 lines of code over 5,646 commits. Top 5 contributors, in order, are: Otavio Rodolfo Piske, Andi Huber, Jinrui.Zhang, Liang Zhang, and Dillon Walls.   

Apache Project Announcements – the latest updates by category.

Incubator --where new Apache projects (aka "podlings") are mentored in the Apache Way of community-led development.
 - Apache brpc (incubating) 1.1.0 released

Attic --provides process and solutions when an Apache project has reached its end of life.
 - Apache River is now retired

Big Data --
 - Apache Bigtop 3.0.1 released
 - Apache ShardingSphere 5.1.1 released

Business Intelligence/Data Visualization --
 - Apache Superset CVE-2022-27479: SQL injection vulnerability in chart data API

Messaging --
 - Apache Qpid ProtonJ2 1.0.0-M5 released

Observability --
 - Apache SkyWalking 9.0.0, Client JS version 0.8.0, and Java Agent 8.10.0 released

Web Frameworks --
- Apache Struts 2.5.30 released
- Apache Struts CVE-2021-31805: Forced OGNL evaluation ...
- Apache Wicket 9.9.1 released

Workflow --
- New Apache Airflow Providers released 

Did You Know?

- Did you know that Apache APISIX Summit Asia will be held online 20-21 May? https://s.apache.org/rhzue 

- Did you know that the next Apache Airflow Community Meetup is taking place on 20 April 2022? https://www.crowdcast.io/e/airflow-meetup-april/register

- Did you know that demand for Apache Syncope identity management artifacts were downloaded 22.5K times over the last month? https://syncope.apache.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) "Apache Innovation" [40 min] 

 - ASF Annual Report: FY2021 (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:27PM Apr 18, 2022 by Sally Khudairi in Newsletter  |   | 

Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs

“Responding to and Learning from the Log4Shell Vulnerability”

Opening Statement by David Nalley

President, Apache Software Foundation

Senate Committee on Homeland Security and Government Affairs

February 8, 2022

    Chairman Peters, Ranking Member Portman, and distinguished members of the Committee: thank you for the invitation to appear this morning.

    My name is David Nalley, and I am the President of the Apache Software Foundation (ASF). The ASF is a non-profit public-benefit charity established in 1999 to facilitate the development of open source software. Thanks to the ingenuity and collaboration of our community of programmers, the ASF has grown into one of the largest open source organizations in the world. Today, more than 650,000 contributors around the world contribute to more than 350 ongoing projects, comprising more than 237 million lines of code.

    Open source is not simply a large component of the software industry -- it is one of the foundations of the modern global economy. Whether they realize it or not, most businesses, individuals, non-profits, or government agencies depend on open source; it is an indispensable part of America’s digital infrastructure.

    Projects developed from open source, like Log4j, tend to resolve problems that many people have, essentially serving as reusable building blocks for solving those problems. This enables faster innovation because it eliminates the need for every company or developer to reimplement software for already solved problems. This efficiency allows programmers to stand on the shoulders of giants. The ASF provides a vendor-neutral environment to enable interested programmers – oftentimes direct competitors of one another – to do this common work together in transparent, open-handed cooperation.

This is the essence of open-source software: brilliant individuals contributing their time and expertise to do unglamorous work solving problems – many with the intent of incorporating the results into their employer’s products. And it’s why I’ve dedicated my professional life to it.

    Log4j – first released by Apache in 2001 – is the product of just this kind of collaboration. It performs a particular set of functions, like recording a computer’s operating events, so well that it has been used in products as diverse as storage management software, software development tools, virtualization software and (most famously) the Minecraft video game. As Log4j’s footprint grew over the years, so did its feature list. It was a 2013 addition to Log4j, along with a part of the Java programming environment, that combined in such a way that exposed this security flaw.

    The vulnerability was reported to Apache’s Log4j team late November 2021, after having been latent for many years. The Apache Logging project, and Apache’s Security team immediately got to work addressing the vulnerability in the code. The full solution was released approximately two weeks later. Given the near ubiquity of Log4j’s use, it may be months or even years before all deployed instances of this vulnerability are eliminated. As a software professional myself, I am proud of how the Logging project and the ASF’s security team (and many others across the ASF’s projects) responded and remediated last fall. We acted quickly and in accordance with practices we have adopted over many years of supporting a diverse set of open source projects. We will continue to develop our projects in responding to and preventing security vulnerabilities.

    Moreover, every stakeholder in the software industry – including its largest customers, like the federal government – should be investing in software supply chain security. While ideas like the Software Bills of Materials won’t prevent vulnerabilities, they can mitigate the impact by accelerating the identification of potentially vulnerable software. However, the ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry.

    The reality is that humans write software, and as a result there will continue to be bugs, and despite best efforts some of those will include security vulnerabilities. As we continue to become ever more connected and digital, the number of vulnerabilities and potential consequences are likely to grow. There is no easy software security solution - it requires defense in depth – incorporating upstream development in open source projects, vendors that incorporate these projects, developers that make use of the software in custom applications, and even down to the organizations that deploy these applications to provide services important to their users.

    Rather than shying away from this risk, I submit that software developers, open-source communities, and federal policymakers should face it head-on together – with the determination and the vigilance it demands.

    Thank you again, and I look forward to answering any questions you might have.

Posted at 06:16PM Feb 08, 2022 by Sally Khudairi in General  |   |