The Apache Software Foundation

Board of Directors Meeting Minutes

February 20, 2008

1. Call to order

       The meeting was scheduled for 10:00 (Pacific) and began at 10:02 when sufficient attendance to constitute a quorum was recognized by the chairman. The meeting was held by teleconference, hosted by Jim Jagielski and Covalent.

       IRC #asfboard on irc.freenode.net was used for backup purposes.

2. Roll Call

       Directors Present:

         Justin Erenkrantz
         J Aaron Farr
         Jim Jagielski
         Geir Magnusson Jr
         William Rowe Jr
         Sam Ruby
         Henning Schmiedehausen
         Greg Stein
         Henri Yandell

       Directors Absent:

         none

       Guests:

         Brett Porter
         Sander Striker
         Jason van Zyl (dropped off at 11:08)

3. Minutes from previous meetings

       No minutes were available to be approved.

4. Executive Officer Reports

    A. Chairman [Jim]

       From a PMC and project point of view, the ASF appears quite healthy. There is a wide range of efforts underway, with PMCs varying from very quiet to very active. I do not consider that a Bad Thing. As long as PMCs are still able to provide oversight, respond to the developer and user community and are able to "kick-start" themselves if a release is required (able to get the required 3 +1s for a release), then non-activity (measured as time between releases) is not troublesome.

       From a community point of view, things don't look so rosy. We seem to be in yet another phase of navel gazing, prompted by various Emails on the board and member mailing lists (eg: 3rd party licensing and release guidelines). What is particularly "unsettling" about some of these is how quickly they degrade into personal attacks, or extremely bitter and antagonistic tirades. Debate, of course, is good, as long as it results in either re-validation of beliefs and/or guidelines, or in changes to address the shortcomings or problems that caused the debate to commence in the first place.
       It is, of course, quite possible that we have accepted as rule some aspects which are really more valuable guidelines than anything else, but that does not diminish their usefulness. If they were learned by experience, then there is a rationale behind them. After all, you don't just change a section of code that does something a specific way without looking over the mailing list archives and learning why it's coded the way it is first.

       In any case, we are in an interesting situation. We are always accepting into the Incubator new projects, and a key aspect of the Incubator process is to indoctrinate those projects into the various ASF processes, procedures, rules and guidelines. Yet we have a very vocal subset of members who feel that many of those very rules that are key to podlings graduating from the Incubator should be removed or redefined. Personally, I feel that the more we grow, and the more varied the membership, we will need to basically refine what our core tenets are. This is not a concern... my only concern is that we do so as adults and as peers.

    B. President [Justin]

       First off, thanks to the Board for approving the purchase of the backup equipment off-cycle of a meeting. All of the equipment should be delivered soon and we hope to bring the system online before ApacheCon EU in early April.

       The first new machine in our ASF-wide machine update plan is now nearing roll-out. JIRA and Confluence have already been migrated to the new machine, and our Bugzilla instance is scheduled to complete its migration by the end of this week. Many kudos to those involved in helping with the migration! Once this is complete, we'll start on the next machine in the plan.

       As you may know, over the past few years, the infrastructure team has been relying upon Sun equipment obtained through our own funds or donated from Sun. However, problems internal to Sun have arisen that make it impossible for us to obtain service or support for any of these machines.
       Progress has been repeatedly promised by Sun and their resellers, but as of this date, no substantive resolution has been accomplished. We currently have machines that have their 'trouble' light on and for which we can't obtain service. The infrastructure team has come to the conclusion that we should switch to another vendor, but the issue remains how to secure support for the equipment we currently have.

       Earlier this month, I attended an NSF Workshop on Free/Open Source Software Repositories and Research Infrastructures. As the title suggests, out of this came good discussions with researchers on how to best make Apache's data available to researchers. After discussing with a number of corporations and research institutions, we decided to provide our data to a team of researchers led by Kevin Crowston from Syracuse University. We will make our raw data available to them, and future requests for our data will be handled through them rather than going through us. We're currently setting up the process on how to efficiently transfer our data to them.

       On a positive note, we have seen some new volunteers step up and contribute to our infrastructure. We've tried to utilize this new blood in an effective manner that keeps them engaged and interested. So far, a few folks have seemed to 'stick' and we're hopeful they continue to contribute in the months ahead.

       On a slightly more sour note, we have seen some people who have concerns about our infrastructure and choose not to bring these issues directly to the team. Instead, these concerns have been brought up on a number of other lists besides the ones used by infrastructure. Replies that these concerns should be brought up on the appropriate list have so far been rebuffed. I'd greatly appreciate feedback on how to handle this situation.

       Finally, as an outcome of discussions from our last meeting, there is a resolution in this meeting for the creation of an Executive Assistant position.
       A job description was posted for review. This initial contract will run for six months after which we can examine the effectiveness of the position.

    C. Treasurer [J Aaron]

       For the report, I've broken out the credit card expenses. I've also included expenses on our business card that have not yet been paid (just under $3,000 USD) which would be why the numbers don't completely add up correctly in this report. I'll consider how to better report this for next month.

       Paypal                   $  9,728.01  ($+ 5,236.63) [1]
       Checking                 $101,242.73  ($-31,342.55)
       Savings                  $156,417.81  ($+   238.00)
       Total                    $267,388.55  ($-25,871.09)

       Expenses:
         Contractor Payments    $10,244.44
         Infrastructure         $23,711.28
         Banking Fees           $   233.62
         Fed Ex                 $   449.12
         TOTAL                  $34,638.46

       Income:
         Donations via Lockbox  $   560.40
         Paypal Donations       $ 5,236.63
         TOTAL                  $ 5,797.03

       [1] Including new Bronze Sponsor

       We discussed the status of the outstanding invoice for Sally.

    D. Exec. V.P. and Secretary [Sam]

       Worked with Justin in drafting a revised set of responsibilities for the secretary-assist position.

       Investigated efax options. Some offerings are free for a low number of FAXes. What we want is something we can depend on, so a one line, for fee service seems appropriate. The cost works out to be about ten US cents per page, with a monthly minimum of 200 pages (i.e. $20). We perhaps could do better, but at these rates, we aren't cost sensitive. The plans are to start this concurrent with the renewal of the secretary assistant contract, with a new non-toll-free phone number.

       I still do not have access to the Wells Fargo account. Still no urgency to the issue at the moment, but at some point it needs to be resolved.

       We agreed to proceed with eFax using Justin's credit card.

5. Additional Officer Reports

    A. VP of Legal Affairs [Sam Ruby]

       See Attachment 1

       Approved by General Consent.

    B. VP of JCP [Geir Magnusson Jr]

       See Attachment 2

       Approved by General Consent.

    C. Apache Security Team Project [Mark Cox / Will]

       See Attachment 3

       Approved by General Consent.

    D. Apache Conference Planning Project [Lars Eilebrecht / Jim]

       See Attachment 4

       The blocking issue on the Hong-Kong conference is cost.

       Approved by General Consent.

    E. Apache Audit Project [Henri Yandell]

       See Attachment 5

       While there is nothing urgent at this time, it was suggested that it might be a good idea to spend this time doing prep work, and front-load the activities. Perhaps time could be spent nailing down the process now?

       Approved by General Consent.

    F. Apache Public Relations Project [Jim Jagielski]

       See Attachment 6

       It was noted that it is time to start reaching out to sponsors for renewal.

       Approved by General Consent.

6. Committee Reports

    A. Apache Ant Project [Conor MacNeill / Justin]

       See Attachment A

       Approved by General Consent.

    B. Apache C++ Standard Library Project [Martin Sebor / Greg]

       See Attachment B

       Approved by General Consent.

    C. Apache Cocoon Project [Reinhard Poetz / Sam]

       See Attachment C

       Sam to follow up with Reinhard re: crypto.

       Approved by General Consent.

    D. Apache Forrest Project [David Crossley / Geir]

       See Attachment D

       Approved by General Consent.

    E. Apache Hadoop Project [Owen O'Malley / Henning]

       See Attachment E

       Approved by General Consent.

    F. Apache HiveMind Project [James Carman / Henri]

       See Attachment F

       We discussed the health of the project. The consensus was that while it is not exactly healthy, it is not harmful.

       Henri to follow up with James re: crypto-policy.

       Approved by General Consent.

    G. Apache HTTP Server Project [Roy T. Fielding / J Aaron]

       See Attachment G

       Approved by General Consent.

    H. Apache HttpComponents Project [Erik Abele / Justin]

       See Attachment H

       Approved by General Consent.

    I. Apache Incubator Project [Noel J. Bergman / Will]

       See Attachment I

       Bill to get with incubator crew to make crypto an explicit checkbox as a process change.
       We discussed "nudging" a few projects onto graduation, and decided that that was a mentor todo, not a board todo.

       Approved by General Consent.

    J. Apache Lenya Project [Gregor J. Rothfuss / Jim]

       Jim to follow up with Gregor on Crypto

       See Attachment J

       Approved by General Consent.

    K. Apache Logging Project [Curt Arnold / Henri]

       See Attachment K

       Approved by General Consent.

    L. Apache Maven Project [Jason van Zyl / J Aaron]

       See Attachment L

       Aaron to follow up with Jason on Crypto notice requirements, will discuss on legal-internal whether or not maven is liable for the packages it distributes, or can simply be viewed as a common carrier.

       Approved by General Consent.

    M. Apache Perl Project [Geoffrey Young / Henning]

       See Attachment M

       Approved by General Consent.

    N. Apache POI Project [Nick Burch / Greg]

       See Attachment N

       Approved by General Consent.

    O. Apache Roller Project [Dave Johnson / Sam]

       See Attachment O

       Sam to follow up with Dave on Crypto policy.

       Approved by General Consent.

    P. Apache Santuario Project [Berin Lautenbach / Geir]

       See Attachment P

       It was noted that there was no notice requirements on each release if the crypto status did not change.

       Approved by General Consent.

    Q. Apache Shale Project [Craig R. McClanahan / J Aaron]

       See Attachment Q

       Henri to follow up with Craig on Crypto policy.

       Approved by General Consent.

    R. Apache Synapse Project [Paul Fremantle / Justin]

       See Attachment R

       Approved by General Consent.

    S. Apache Turbine Project [Scott Eade / Will]

       See Attachment S

       Approved by General Consent.

    T. Apache Velocity Project [Will Glass-Husain / Geir]

       See Attachment T

       Approved by General Consent.

    U. Apache Xalan Project [Brian Minchau / Jim]

       See Attachment U

       Approved by General Consent.

    V. Apache Xerces Project [Gareth Reakes / Henning]

       See Attachment V

       Minutes unavailable in time for the meeting. Gareth indicated that they would be ready for the next meeting.

    W. Apache XML Project [Gianugo Rabellino / Greg]

       See Attachment W

       Approved by General Consent.

    X. Apache XML Graphics Project [Jeremias Maerki / Sam]

       See Attachment X

       Sam to follow up with Jeremias re: crypto.

       Approved by General Consent.

7. Special Orders

    A. Change the Apache Lucene Project Chair

       WHEREAS, the Board of Directors heretofore appointed Doug Cutting to the office of Vice President, Apache Lucene, and

       WHEREAS, the Board of Directors is in receipt of the resignation of Doug Cutting from the office of Vice President, Apache Lucene, and

       WHEREAS, the Project Management Committee of the Apache Lucene project has chosen by vote to recommend Grant Ingersoll as the successor to the post;

       NOW, THEREFORE, BE IT RESOLVED, that Doug Cutting is relieved and discharged from the duties and responsibilities of the office of Vice President, Apache Lucene, and

       BE IT FURTHER RESOLVED, that Grant Ingersoll be and hereby is appointed to the office of Vice President, Apache Lucene, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed.

       Special order 7A, Change the Apache Lucene Project Chair, was approved by Unanimous Vote.

    B. Establish the Apache Continuum Project

       WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish a Project Management Committee charged with the creation and maintenance of open-source software related to the domain of continuous integration.
       NOW, THEREFORE, BE IT RESOLVED, that a Project Management Committee (PMC), to be known as the "Apache Continuum Project", be and hereby is established pursuant to Bylaws of the Foundation; and be it further

       RESOLVED, that the Apache Continuum Project be and hereby is responsible for the creation and maintenance of software related to the domain of continuous integration based on software licensed to the Foundation; and be it further

       RESOLVED, that the office of "Vice President, Apache Continuum" be and hereby is created, the person holding such office to serve at the direction of the Board of Directors as the chair of the Apache Continuum Project, and to have primary responsibility for management of the projects within the scope of responsibility of the Apache Continuum Project; and be it further

       RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the initial members of the Apache Continuum PMC:

         - Maria Odea Ching (oching@apache.org)
         - Joakim Erdfelt (joakime@apache.org)
         - Olivier Lamy (olamy@apache.org)
         - Trygve Laugstol (trygvis@apache.org)
         - Jesse McConnell (jmcconnell@apache.org)
         - Brett Porter (brett@apache.org)
         - Edwin Punzalan (epunzalan@apache.org)
         - Carlos Sanchez (carlos@apache.org)
         - Wendy Smoak (wsmoak@apache.org)
         - Rahul Thakur (rinku@apache.org)
         - Emmanuel Venisse (evenisse@apache.org)
         - Kenney Westerhof (kenney@apache.org)
         - Andrew Williams (handyande@apache.org)

       NOW, THEREFORE, BE IT FURTHER RESOLVED, that Emmanuel Venisse be appointed to the office of Vice President, Apache Continuum, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed; and be it further

       RESOLVED, that the initial Apache Continuum PMC be and hereby is tasked with the creation of a set of bylaws intended to encourage open development and increased participation in the Apache
       Continuum Project; and be it further

       RESOLVED, that the initial Apache Continuum PMC be and hereby is tasked with the migration and rationalization of the Apache Maven PMC Continuum subproject; and be it further

       RESOLVED, that all responsibility pertaining to the Maven Continuum sub-project and encumbered upon the Apache Maven PMC are hereafter discharged.

       Special order 7B, Establish the Apache Continuum Project, was approved by Unanimous Vote.

    C. Resolution for Executive Assistant

       WHEREAS, the Board of Directors has deemed it necessary to contract a position to support the work of the President, and

       WHEREAS, Jon Jagielski has been determined to meet the requirements of the Foundation;

       NOW, THEREFORE, BE IT RESOLVED, that the President of The Apache Software Foundation, Justin Erenkrantz, is hereby directed to proceed with contracting Jon Jagielski for the services necessary to support the work of the President.

       Special order 7C, Resolution for Executive Assistant, was approved with 8 Yes votes and one Abstention.

    D. Resolution for Secretarial Assistant

       WHEREAS, the Board of Directors has deemed it necessary to contract a secretarial and organizational agency to support the work of the Secretary, and

       WHEREAS the current Secretarial Assistant has resigned their position in order to accept the Executive Assistant position, and

       WHEREAS, the identification of an agency which meets the service and technical requirements of the Apache Software Foundation has been difficult, and

       WHEREAS, Catherine Ruby has been determined to meet the requirements of the Foundation;

       NOW, THEREFORE, BE IT RESOLVED, that the Chairman of The Apache Software Foundation, Jim Jagielski, is hereby directed to proceed with contracting Catherine Ruby for the services necessary to support the work of the Secretary.

       Special order 7D, Resolution for Secretary Assistant, was approved with 8 Yes votes and one Abstention.

    E. Update Legal Affairs Committee Membership

       WHEREAS, the Legal Affairs Committee of The Apache Software Foundation (ASF) expects to better serve its purpose through the periodic update of its membership; and

       WHEREAS, the Legal Affairs Committee is an Executive Committee whose membership must be approved by Board resolution.

       NOW, THEREFORE, BE IT RESOLVED, that the following ASF member be added as a Legal Affairs Committee member:

         Henri Yandell

       Special order 7D, Update Legal Affairs Committee Membership, was approved by Unanimous Vote.

8. Discussion Items

    A. Brett Porter wants to make a request of the board regarding the Maven repository. Brett will be available during the meeting to inform and discuss this.

    B. Justin Mason called the board's attention to a patent claim by Trend Micro towards Barracuda Networks. Some background is available at http://taint.org/2008/01/29/215108a.html

       Justin asked about an official statement from the ASF which resulted in a short discussion on the board list.

       Henning volunteered to bounce this "officially" to legal for discussion to find out whether we should have / have / don't have an official opinion about this.

9. Review Outstanding Action Items

10. Unfinished Business

       Henning to try to pursue "Apache Attic"

11. New Business

12. Announcements

13. Adjournment

       Scheduled to adjourn by 12:00 (Pacific)

============
ATTACHMENTS:
============

-----------------------------------------
Attachment 1: Report from the VP of Legal Affairs

Last month, I mentioned a potential trademark infringement issue that was brought to our attention. I contacted the individual requesting more information, and have not heard back. Until I hear more, I have no plans of pursuing this further.

Sun continues to ignore our request that the licence headers be restored on the portions of Glassfish. I have sent a third request (the first was in September) that Sun follow the FSF's recommendations on this matter.
If Sun continues to drag their feet on this matter, it is time to explore other options to get Sun to comply.

While this work has been ongoing for some time, this month there has been a marked uptick in the export classification activities and general awareness of these ECCN related issues.

Most of the efforts of this month were on trying to refine the ASF's Third Party Licensing policy, primarily by attempting to create an informal poll. I seeded this with three hypothetical positions, and mostly people were divided into two camps. One camp didn't see much of a dividing line between the first two positions, but clearly saw position three as distinct and reacted negatively towards it. The other saw little difference between positions two and three, but reacted equally negatively to position 1 as the first camp did to position 3.

A bare minimum that I believe that we can achieve ready consensus on is a policy that all software developed at the ASF from here on is to be licensed under the Apache License, Version 2.0, and that we will take no actions that limit our ability to distribute our software under this license. Roy has indicated that this may not have been the policy in the distant past, but as near as I can tell, it has been the way that we have been operating for quite some time now, hence the conclusion that this should be able to readily gain consensus.

One world view is that that bare minimum is not enough. One can argue that it makes little sense if our software is licensed under a pragmatic license if that software is entangled with dependencies that effectively eliminate all the pragmatic aspects of our license.

The other world view is that our software is, well, soft; i.e., malleable. Our licensees are welcome to modify, combine, and optionally contribute back to our code bases. Furthermore, no matter how hard we try, our licensees operate under a variety of different constraints or have differing interpretations of license compatibility.
Choosing between these two world views is difficult; but given that the former can only be executed if there are ample exceptions for "system" or "soft" dependencies -- concepts that are both undefinable and all too open to gaming -- clearly the latter is easiest to understand and administer. Or there is a belief that a "spec" from an industry consortia and with no independent implementations somehow makes copyright and patent issues less relevant.

In any case, add to all this the evident divide, and the first world view becomes not only harder to understand and administer, it becomes absolutely unworkable. Simply put, an exemption for "system" dependencies that is based on an "I'll know it when I see it" policy doesn't work if a substantial portion of the people who may be drawn upon to express an opinion on the subject simply don't believe that any such distinction is either necessary or even makes sense as a policy.

Therefore it appears that the only workable policy is one where we continue to require PMCs to compile a comprehensive set of LICENSEs to accompany each of our releases so that our licensees can make an informed decision. That, and perhaps we can increase our efforts to educate PMCs as to the effects such dependencies have on community size.

While this approach is workable, it is one that may be difficult to reverse. Hence, a slow and cautious approach is warranted. Should there be any as of yet unexpressed feedback, now would be a good time to provide it.

I have reviewed the minutes for the meetings of 2005/06/22 and 2007/03/28 establishing the VP of Legal Affairs and the Legal Affairs Committee respectively, and believe that no board resolution and/or explicit approval is required for the Legal Affairs Committee to proceed on this matter.

-----------------------------------------
Attachment 2: Report from the VP of JCP

At the end of last month : "I look forward to finally reporting something positive next month."
I can only say that this has to wait until next week when the February JCP EC call happens, as we have an unusually long gap in the schedule this month. I am expecting a proposal from Sun on how to break the logjam. I have no expectations - tends to help avoid disappointment :)

In other activities, things have been quiet. There was one request for a TCK update (Jaxws?), a few additions to people asking to participate in various projects' TCK testing.

-----------------------------------------
Attachment 3: Status report for the Apache Security Team Project

There continues to be a steady stream of reports of various kinds arriving at security@apache.org. These continue to be dealt with promptly by the security team. For Jan 2008:

  1 Support question
  3 Security vulnerability question, but not a vulnerability report
  1 Phishing/spam/attacks point to site "powered by Apache"
  1 User was hacked, but it wasn't ASF software at fault
  3 Vulnerability report

This month the press reported thousands of Apache HTTP on Linux servers being compromised and used to serve malicious files to visiting Windows clients. Although initial reports were sketchy, in the end the evidence pointed to the machines being compromised through leaked passwords and not through any ASF or third party software installed. The Security Team gave a short press statement which was used in some stories.

-----------------------------------------
Attachment 4: Status report for the Apache Conference Planning Project

General News
------------

* no general news

Conference Overview
-------------------

* ApacheCon Europe 2008
  Location and date: Amsterdam, April 7-11, 2008
  Lead: Noirin Shirley
  Co-Lead: Lars Eilebrecht
  Planning list: planners-2008-eu@apachecon.com
  Producer: Stone Circle Productions, Inc.

* ApacheCon US 2008
  Location and date: New Orleans, November 3-7, 2008
  Lead: Shane Curcuru
  Co-Lead: Noel J. Bergman
  Planning list: planners-2008-us@apachecon.com
  Producer: Stone Circle Productions, Inc.

* Apache Track or ApacheCon Peru 2008
  Location and date: Lima, Peru, October 18, 2008
  An Apache-related conference or track may be co-hosted with the VISION 2008. No final decision has been made yet.

* OSSummit Asia 2008 (joint-conference with Eclipse Foundation)
  Location and date: (location and date to be defined)
  Leaders: J Aaron Farr, Justin Erenkrantz, Noirin Shirley
  Planning list: planners-2008-asia@apachecon.com
  Producer/Owner: OSSummit LLC

ApacheCon Europe 2008 News
--------------------------

* A press release about ApacheCon Europe was published 23 January.

* ApacheCon Europe 2008 Hackathon Sponsorship: The ASF board has approved the special resolution of ConCom to sponsor the Hackathon at ApacheCon Europe 2008.

ApacheCon US 2008 News
----------------------

* Unfortunately due to reduced volunteer attention, the CFP is not yet opened, but will be soon. Shane and Ken are currently working on getting the CFP ready by end of February. The deadline for the CFP will be the week of ApacheCon Europe 2008 as the planning meeting will be held the weekend following the conference.

ApacheCon Peru 2008 News
------------------------

No news since last board report.

OSSummit Asia 2008 News
-----------------------

* The last conference call was held Feb 13th. Final date and location are still being determined, though Shanghai in early December seems most likely. There are several other open source events in China this spring. The planners have expressed interest in cooperating with these events to promote OSSummit.

-----------------------------------------
Attachment 5: Status report for the Apache Audit Project

No activity this month.

-----------------------------------------
Attachment 6: Status report for the Apache Public Relations Project

The last month has seen normal PRC activities: handling requests and questions about logos and trademarks, responding to media inquiries, etc. Yoav and J. Aaron have taken the lead on crafting an Acceptable Logo and Trademark Usage document, that we can place on the website and share.

On the Sponsorship side we added one new Bronze sponsor (Matt Mullenweg) and are in discussions with a potential Silver Sponsor. It should be noted that renewals for Google, HP, Covalent and Tetsuya Kitahata are coming up quickly (currently expire June 1, 2008).

Below is the activity report from HALO:

= = =

ACTIVITY: Strategic Planning

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Communications Plan/Announcement Schedule (finalizing dates)
- Researching/Updating Editorial Calendar Opportunities

ACTIVITY: Content Development

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Revised ASF boilerplate
- Reviewed/Edited Press Release: Synapse 1.1 announcement
- Edited Press Release: 13 December - Yahoo! Platinum Sponsorship
- Issued Press Release: ASF 2007 Year In Review
- Issued Press Release: ApacheCon Registration Open
- Reviewing/Updating ASF/TLP/activity positioning
- Drafting Copy deck: Website News section/second tier page
- Researching Archives: ASF-issued press releases post June 1999 [awaiting PRNewswire announcements]
- Drafted Press Release: Apache Synapse as TLP/v1.1.1 Available

ACTIVITY: Outreach & Liaison

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Purchased new media lists (will be updated quarterly)
- Honing database (ongoing): additional media, influencers, and bloggers
- Face-to-Face Meeting with analysts at Forrester and Gartner
- Contacting industry analysts/influencers: RedMonk, Gartner Group, Forrester, The451, ZapThink, O'Reilly, InfoWorld, Elemental
- Media Coordination: Yahoo!, Mark Logic, Radar Networks, IT Conversations
- ASF Sponsor Liaison: HP > onto ApacheCon sponsorship
- Outreach to Tim Berners-Lee re: clarification on "Apache/W3C relations"
- Coordinate with Arje Cahn and Hippo PR team to translate/distribute ApacheCon press release in Dutch
- Liaising with Delia Frees re: ApacheCon Business Track panel
  sponsorship
- Response to Markus Stiegler, XDEV Software, re: CeBIT; liaise with Charel Morris
- Forwarding contact - Ilan Rabinovitch re: SCALE; liaise with Charel Morris
- Forwarding contact Armijn Hemel re: Dutch Java Users Group and Utrecht Linux Users Group; liaise with Charel Morris

ACTIVITY: Media Training

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Secured Michael Cote/RedMonk as partner for Media Training cover the ASF's activities during ApacheCon [NOTE: may need backup for ApacheCon Europe due to possible scheduling conflict]

ACTIVITY: Process

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Developing "How to Work with the PRC" (will be part of Intermediate Media Training offered at ApacheCon)
- Developing Announcement Guidelines, Tips, and Timeframes

ACTIVITY: Media Relations/Coordination

DELIVERABLES IN PROGRESS/COMPLETED TO DATE:
- Elise Ackerman/San Jose Mercury News re: Doug Cutting on Wikia Search
- Joe Barr/Linux.com re: Security Infestation
- Dennis Byron/ebizQ.net re: ASF 2007 Year in Review (article will appear in 15 February newsletter on Open Source); podcast to be scheduled
- Dennis Byron/ebizQ.net re: Sun-MySQL acquisition
- Clint Boulton/eWeek re: Oracle-BEA acquisition

SELECTED CLIPPINGS:

http://lwn.net/Articles/264525/
http://blogs.cnet.com/8301-13505_1-9852945-16.html?tag=head
http://www.reuters.com/article/pressRelease/idUS135655+15-Jan-2008+PRN20080115
http://www.thewhir.com/marketwatch/011608_The_ASF_Shares_2007_Milestones.cfm
http://www.linuxtoday.com/news_story.php3?ltsn=2008-01-16-013-26-OS-CY-SV
http://www.linuxelectrons.com/news/roundup/15756/2007-earns-apache-more-feathers-its-cap
http://lwn.net/Articles/265182/
http://apache.sys-con.com/read/485557.htm
http://www.nabble.com/The-Apache-Software-Foundation-Wraps-Up-2007-As-Its-Strongest-Year-to-Date-td14858613.html
http://www.tectonic.co.za/?p=2039
http://www.covalent.net/about/news/pressreleases.html?pressid=106 [NOTE: not sure if this should be posted as a "Covalent press release" ...]
http://www.openpr.com/news/36000/REGISTRATION-NOW-OPEN-FOR-APACHECON-EUROPE-2008.html
http://biz.yahoo.com/prnews/080123/clw053.html?.v=101
http://www.reuters.com/article/pressRelease/idUS139357+23-Jan-2008+PRN20080123
http://upcoming.yahoo.com/event/408827/
http://apache.sys-con.com/read/489398.htm
http://ajax.sys-con.com/read/489398.htm
http://www.lanmagazine.nl/site/jsp/nieuws.jsp?art_iID=9043
http://usstock.jrj.com.cn/news/2008-01-23/000003218199.html
http://www.persberichten.com/persbericht.aspx?id=45978

-----------------------------------------
Attachment A: Status report for the Apache Ant Project

Here is the Ant status report for this quarter. I did not submit a status report for the previous quarter - my apologies. I had a somewhat busy period at work and I don't think I received the reminder. Nevertheless, mea culpa.

o Current Releases

Core
----

Ant 1.7 was released on December 19, 2006. The release is currently now over 1 year old so it can be considered a very successful, stable release. An Ant 1.7.1 release is in the works and is undergoing final testing across different platforms.

Ivy
------

The major development within the Ant project has been the integration of the Ivy project after its graduation from the Incubator around October 2007. This has resulted in the addition of the Ivy committers to the Ant PMC:

  Xavier Hanin
  Maarten Coene
  Gilles Scokart

Export Notification policy
----------------------------------------

My thanks to Stefan Bodewig for ensuring both the Ant and Ivy project outputs have the required Export Control Notifications in place.

o Development Activities

The addition of the Ivy project has spurred a lot of discussions on the Ant dev list including ways to make Ant easier to use, etc.

o Community

There are no problems in the Ant community. I should note that there is a lot of discussion in the wider Java development community (blogs, etc) about the use of Ant v Maven, etc.
I believe each project presents users with different tradeoffs and benefits, which is healthy. No other issues. ----------------------------------------- Attachment B: Status report for the Apache C++ Standard Library Project This is the third stdcxx Board report since graduating on 11/15. Starting with next report we will be reporting on a quarterly schedule. Notable changes since the last report (2008/1): The project activity has picked up quite a bit since the January report, both in terms of the number of commits as well as on the mailing lists. Migration out of Incubator and into TLP (INFRA-1421) has been completed. Some progress has been made on redesigning and reimplementing the project site using Apache Forrest (STDCXX-686). BIS Export Control Classification: Apache C++ Standard Library contains no encryption source code nor does it make use of any third party encryption software. Future plans: We are making progress, albeit slowly, toward the 4.2.1 release. The expected timeframe for this maintenance release is February to March 2008. Next week we look forward to attending the Microsoft Open Source Software Labs meeting in Redmond. Community: The active community remains small and dominated by contributors from Rogue Wave, despite efforts to reach out to other developers. 
16 committers (unchanged) 11 PMC members (unchanged) Mailing List Activity Changes Since December 2007: commits: 18 (+4) subscribers, 4.38 (+1.80) posts/day dev: 56 (+4) subscribers, 6.48 (-0.93) posts/day issues: 10 subscribers, 12.95 posts/day user: 46 (+6) subscribers, 0.10 (-0.18) posts/day Bug Tracking Changes Since January 2008: Total issues: 729 (+ 36) Outstanding: 273 (+ 10) Resolved: 95 (+ 5) Closed: 361 (+ 18) Planned releases: 4.2.1 February/March 2008 4.3.0 Summer/Fall 2008 5.0 Winter 2008 Release history: 4.2.0 October 29, 2007 (incubating) 4.1.3 January 30, 2006 (incubating) 4.1.2 September 7, 2005 (snapshot, incubating) ----------------------------------------- Attachment C: Status report for the Apache Cocoon Project RELEASES / ONGOING WORK - Cocoon 2.1.11 was released on 2008/01/09. - The final release of Cocoon 2.2 is expected for February/March. - The Cocoon sample web application got a new skin following the style of the new website. - There have been some experiments with completely removing all dependencies on Avalon/Excalibur and providing a Java API for pipelines in the whiteboard section of our SVN repository. COMMUNITY - nothing that requires board attention LEGAL - The Export Notification Policy reminder from the board didn't show anything to be done from the Cocoon PMC. ----------------------------------------- Attachment D: Status report for the Apache Forrest Project Apache Forrest mission is software for generation of aggregated multi-channel documentation maintaining a separation of content and presentation. Issues needing board attention ------------------------------ None Changes in the PMC membership ----------------------------- None General status -------------- Progress has been generally slow this quarter. Most developers seem busy with other stuff. Most issues on the user mail list are being attended to by various developers. That list is also quiet. 
Progress of the project ----------------------- A committer is working on a branch to utilise an updated Apache FOP. An initial proposal for a "Windows installer". An issue was raised about Forrest including some not-yet-released Cocoon code. Forrest PMC needs to follow up to summarise. We already attend to legalities of included products on a day-to-day basis, and some efforts have been made to better document our licensing situation. Started to attend to "Export Notification policy". Commenced review of our SVN, added Forrest entry to "exports" page, encouraged PMC to help with review, waiting for more input before sending BIS email. See FOR-1069. No releases since 0.8 on 2007-04-18. ----------------------------------------- Attachment E: Status report for the Apache Hadoop Project TLP The top-level project completed the split of Hadoop out of Lucene and into a TLP. The subproject that was Hadoop, is now called Hadoop Core. We have also moved HBase into a sub-project from being in Hadoop Core's contrib directory. Although Core and HBase have many ties, the contributor list and code base is largely disjoint between them and the split will reduce the heavy traffic on both development lists. CORE Hadoop Core has released 0.16.0, 0.15.3, and 0.15.2. As we move toward more stability, we've moved our feature freezes to every 3 months (beginning of Jan, Apr, July, and Oct). Development has been very active, including adding user permissions to HDFS. (Fixed Jira counts: 23 unreleased, 180 for 0.16.0, 4 for 0.15.3, and 15 for 0.15.2) HBASE HBase, which is a distributed storage system for structured data, has become a subproject of Hadoop. We have added Bryan Duxbury as a committer. Development has been very active (Fixed Jira counts: 7 unreleased, 142 for 0.16.0) ----------------------------------------- Attachment F: Status report for the Apache HiveMind Project The HiveMind project has remained quite inactive during the last 3 months. 
There are currently no active developers on the project. However, some of the users have expressed interest in becoming contributors. They have been asked to begin providing patches to JIRA issues. After I sent this out to the development list for review (Feb 9th), the JIRA issues started to get some attention. In particular, Johan Lindquist and Jochen Zimmerman started commenting and attaching patches. ----------------------------------------- Attachment G: Status report for the Apache HTTP Server Project The Apache HTTP server project has made progress through the quarter without any significant issues. We have no board-level issues at this time. We have added two PMC members, Guenter Knauf and Tony Stevenson, and three committers: Davi Arnaut, Issac Goldstand, and Niklas Edmundsson. We released Apache HTTP Server 2.2.8, 2.0.63, and 1.3.41. We have not done any releases for flood, libapreq, mod_arm4, mod_bw, mod_cache_requester, mod_mbox, mod_pop3, mod_smtpd, mod_wombat, or mod_ftp, though the latter has seen quite a bit of activity from William Rowe Jr. getting it ready for release testing as well as some new contributors showing interest. We have decided to accept another protocol implementation in the form of mod_dns (most likely to be renamed mod_named); a software grant has been received and the incubator clearance should be complete before the board meeting. Justin and Roy participated in the IETF httpbis WG meetings at the 70th IETF meeting in December. http://www.ietf.org/proceedings/07dec/minutes/httpbis.txt Roy Fielding, Yves Lafon and Julian Reschke will share editorship of the proposed replacement for RFC 2616, partitioned into seven drafts. More information on that effort can be found at http://www3.tools.ietf.org/wg/httpbis/trac/ Our ECCN classifications are complete and current, though we are still listed as responsible for Apache mod_python. That listing will remain until Apache Quetzalcoatl has a website. 
----------------------------------------- Attachment H: Status report for the Apache HttpComponents Project -- Status -- There are no items needing immediate attention of the board though it is worth to note that we had one release since the last report in January and that we are eagerly working on the crypto export requirements as well as finalizing our own project bylaws. See below for more details. -- Releases -- We have had one release since last report: 24 January 2008 - HttpComponents HttpCore 4.0 beta 1 -- Community -- No arrivals or departures. As soon as the remaining tasks from the TLP migration are completed, we will probably be able to dedicate some effort to the improvement of our entry level documentation. Also, Google Android has been updated from HttpClient 3.1 to 4.0 alpha which will hopefully give the new codebase additional visibility and perhaps attract some more contributors. -- Migration -- Items done: - moved old wiki including relevant content to new one http://wiki.apache.org/HttpComponents/ - adjusted links on main website to point to the new wiki - drafted and approved project charter http://hc.apache.org/charter.html - drafted project bylaws http://hc.apache.org/bylaws.html Items still in work: - finalize and approve project bylaws - re-instate deployment of website via Subversion (currently deployed by Maven due to TLP migration) -- Development -- HttpCore beta1 has been released. We already have a few minor and compatible modifications in the queue for the next beta. We are receiving a lot of input for module-nio, both suggestions and patches for extensions, especially from the Limewire developers. HttpClient alpha3 will be released shortly. A new module has been added to provide multipart support based on mime4j from the Apache James project. It's dragging in a few additional dependencies, but is also way better than maintaining duplicate functionality. 
The problem of NTLM support is still open, and augmented by the lack of developer cycles. We will probably end up with a solution based on the existing code with NTLMv1 support only. We are aware that a potential usage of JCIFS (which is licensed under the LGPL) would violate the ASF's Third-Party Licensing Policy and are therefore not planning anymore on using it. In response to the global request to examine the crypto export classification and notification requirements for each project, we've identified the relevant code parts: a) HttpCore 4.x Java Secure Socket Extension (JSSE) for HTTPS support b) HttpClient 4.x Java Secure Socket Extension (JSSE) for HTTPS support c) HttpClient 2.x / 3.x Java Secure Socket Extension (JSSE) for HTTPS support Java Cryptography Extension (JCE) for NTLM authentication We will update the ASF Product Classification Matrix today and send out the required notifications as soon as the changes are published. ----------------------------------------- Attachment I: Status report for the Apache Incubator Project One issue that came up during the past month is regarding the use of org.apache.* package spaces when someone takes ASF code and forks it downstream, releasing a non-ASF codebase using org.apache.* as the namespace. I suggested that the appropriate venue for the discussion was with the Legal Committee, and that no one in the Incubator was authorized by the ASF to provide legal advice, neither on behalf of the ASF nor users of our code. The topic has not been raised on the legal mailing lists as yet. In the specific case of the package(s) in mind, we may end up resurrecting a stalled project. We will see how it goes. A number of projects have been informally or formally proposed for Incubation. 
Those that we have voted on to accept are: Thrift - http://wiki.apache.org/incubator/ThriftProposal CouchDB - http://wiki.apache.org/incubator/CouchDBProposal PDFBox - http://wiki.apache.org/incubator/PDFBoxProposal CXF and Tuscany did incubation releases. A number of projects are properly recording their IP forms within the Incubator structure. There has been a discussion of source control systems, with some people vocally expressing interest in using another SCM. We have tried to make it clear that projects are not free to choose and/or run alternate critical infrastructure, especially source control, and that the Incubator is not the correct venue to discuss the adoption of a new source control system for the ASF. We've also tried to explain ASF practices regarding collaborative development, independent of technology choice. ----------------------------------------------------------------- February 2008 Board reports for Incubator Projects: === Abdera === Abdera is an implementation of the Atom Syndication Format and Atom Publishing Protocol standards. The Abdera project is preparing release 0.4.0 which includes many new features and improvements including a new StreamWriter interface and a complete refactoring of the Atompub server APIs. The community has continued to grow with patches for bugs and improvements being actively submitted by members of the user community. Once the 0.4.0 release is out the door, the Abdera PMC will likely begin working towards graduation. === Lokahi === Lokahi is a configuration and management console for Apache httpd, tomcat and other web server infrastructure. Incubating since: 2006-01-07 Testing on the MySQL port is continuing. A Fast Feather presentation on Lokahi was given at Apachecon in Atlanta. Recently talk (and some code) has begun around templating of configuration files, specifically for Apache Httpd at this time. And the need to extend Lokahi to manage Geronimo has been mentioned. 
Obstacles to graduation: * community - now includes authors outside of the original dev community, but additional committers are sought. * licensing - oracle-only back end is now 95% of the way to an alternate MySQL backend, and soon to be enhanced with license agnostic interfaces === NMaven === NMaven develops plugins and integration for Maven to make building and using .NET languages a first-class citizen in Maven. Incubating since: 2006-11-17 Items to resolve before graduation * More active committer involvement. We have two active committers from different organizations but need at least one more. Status: * We are currently voting on our first release. * We have brought NMaven fully in line with Maven architecture. This took a major rewrite of the code. * Steady increase of mailing list subscribers over this period (from 35 to 43). Plans: * We lost a lot of features when we rewrote the code so the plan is to start reimplementing these features. * Proceed with frequent release cycle === PDFBox === PDFBox is an open source Java PDF library for working with PDF documents. PDFBox entered incubation on February 7th, 2008. The PDFBox project has just entered incubation, and we're currently setting up the project infrastructure. A question about the licensing of the JAI dependency was voiced on the mailing list. === RAT === RAT is auditing and comprehension for source code and binary releases. RAT entered incubation in October 2007 but only in the last few weeks started to setup the required infrastructure. Most of this is now in place and the IP clearance for the code import is being worked upon now. === Sling === Sling is a framework to develop content centric web applications based on the idea of modularizing the rendering of HTTP resources. Sling entered incubation on September 5th, 2007. Community * The Sling PPMC voted and passed the "Community Roles and Processes" document. 
* Paddy Hannon added as Committer and member of the PPMC Software * The Sling API has been finalized and the project migrated to the new API. * Creation of the Sling Launchpad, based on the former microsling module, provides a ready to run configuration of Sling. * General stabilization of the API and implementation, should lead to a first release soon. * No export control notifications are needed for Apache Sling. Issues before graduation * Make an incubating Sling release. * Grow a more diverse community (so far commits mostly from Day employees). Licensing and other issues * none === Tuscany === Tuscany simplifies the development, deployment and management of distributed applications built as compositions of service components. These components may be implemented with a range of technologies and connected using a variety of communication protocols. Tuscany implements relevant open standards including, but not limited to, the SCA and SDO standards defined by the OASIS OpenCSA member section. Incubating since: 2005-11-30 Top issues? * Graduation discussion * Getting the wiki to handle Chinese characters in order to support Chinese documentation Community aspects: * There has been open discussion about what are the next steps towards graduating Tuscany as a TLP, trying to address concerns raised by the IPMC related to the level of diversity in Tuscany. * Voted in Rajini Sivaram as new committer * Community involvement continues apace - users are answering mailing list questions, providing patches, and being voted in as committers * Users feedback indicates real usage of Tuscany in production environments. Releases since last report: * Java SCA 1.0.1 and Java SCA 1.1 released Ongoing work: * SDO 1.1 is being worked on * A Native SCA, SDO and DAS release is slowly being worked on * The Java SCA 1.2 release contents are being discussed * Links with other Apache projects continue to be forged and lots of exciting new features are being worked on! 
* Ongoing discussion about the JSR235 incubator proposal and having a new podling dedicated to SDO === Woden === On 8th December 2007 Woden graduated from Incubation to a sub-project of Apache Web Services. The results of the IPMC vote were 8 +1s, no 0s, no -1s. This will be the last Woden report to the Incubator. From the Woden team, thank you to the IPMC for guiding us to the Apache Way. === XAP === XAP is an XML-based declarative framework for creating Ajax applications. Community * There was some movement to make a few more people committers who have been filing numerous bugs and bug fixes, we need to follow up on that. * Lack of activity on the mailing lists is a problem; we will have to do better there. Software * I (James M) was onsite at a real customer creating a production deployment. Ran into some bugs and performance issues, especially in IE6, which have been fixed and rolled into the XAP codebase. In particular data centric widgets like tables and comboBoxes should perform better, application startup time is greatly reduced and some stability issues with table were addressed. (No more crashing) * We are starting the process of doing another release that incorporates these changes. Issues before graduation * Aforementioned community issues as well as community diversity. ----------------------------------------- Attachment J: Status report for the Apache Lenya Project Issues needing board attention ------------------------------ None Changes in the PMC membership ----------------------------- None General status -------------- Lenya 2.0 is released! Woohoo! Issues still to be dealt with by the Lenya PMC ------------------------------------------------ None at this time. Progress of the project ----------------------- After we struggled for a long time to get 2.0 out, we finally did this quarter, and things have picked up steam since then. 
It appears that we overcame some psychological barriers ;) A vote to branch 2.0 from trunk is currently underway, as is a vote for a 2.0.1 release. Several nice cleanups are taking place, such as the removal of XSP from Lenya, performance improvements, and bug fixes. We are also discussing the scope of 2.1 development. ----------------------------------------- Attachment K: Status report for the Apache Logging Project log4cxx is very close to having a viable 0.10.0 release candidate after years of Real Soon Now. I was hoping to beat the reporting deadline, but came up a little short. log4j has a couple of issues that warrant a 1.2.16 maintenance release however the log4cxx push has taken priority. log4j 2.0 development is still just a good intention. log4net has had steady flow of fixes to long standing bugs and is likely due for a new release. log4php has had no development or mailing list activity and appears to have drifted back off into dormancy after restarting incubation last summer. chainsaw needs a concentrated push to release. Mailing lists have been active, but development outside of the log4cxx push and log4net maintenance has been minimal. Several committers and PMC members have had no activity this quarter and there are no obvious candidates for additional PMC members or committers. Curt Arnold and Ron Grabowski are both expecting to attend the Microsoft compatibility lab the week of February 25th. * Export Notifications The log4cxx, log4j and log4net code bases were reviewed and did not appear to require a notice. Chainsaw and log4php were not reviewed, but are considered unlikely to contain issues. log4cxx depends on APR-Util which requires a notice due to the SSL abstraction, however log4cxx does not use that feature in APR-Util. log4net when compiled for the .NET Compact Framework 1.0 calls Win32's CryptGenRandom for random numbers, but no other methods from the platform's encryption API. log4j had no identified issues. 
----------------------------------------- Attachment L: Status report for the Apache Maven Project * General Information 1) Henri Yandell resigned as a committer due to not having enough time 2) We have released quite a few plugins and shared components that hadn't been released in a while. 3) A new 2.0.x patch has been released that seems to be pretty stable. 4) Work on 2.1 alpha-1 is progressing and we are driving towards a release as soon as things are stabilized. 5) A new archetype codebase has been moved to trunk and is in the process of being released. 6) some debate occurred about the possibility of changing voting timeframes for alpha releases. No consensus for change has yet been reached. * New PMC Members * Dan Fabulich * PMC Members going Emeritus * Mike Perham * New Committers * Nicolas de Loof (Sunday November 25th 2007) * Alexandru Popescu (Saturday December 1st 2007) * Releases Maven * Maven 2.0.8 (Tuesday November 27th, 2007) Plugins * Maven WAR Plugin 2.1-alpha-1 (Wednesday October 24th, 2007) * Maven Changes Plugin 2.0-beta-3 (Thursday October 25th, 2007) * Maven Release Plugin 2.0-beta-7 (Thursday October 25th, 2007) * Maven Source Plugin 2.0.4 (Sunday November 11th, 2007) * Maven Help Plugin 2.0.2 (Tuesday November 27th, 2007) * Maven Site Plugin 2.0-beta-6 (Wednesday November 28th, 2007) * Maven Clean Plugin 2.2 (Monday December 3rd, 2007) * Maven Dependency Tree 1.1 (Wednesday December 19th, 2007) * Maven Invoker plugin 1.1 (Thursday December 20th, 2007) * Maven Test Tools 1.0-alpha-2 (Tuesday January 1st, 2008) * Maven Archiver 2.3 (Monday January 7th, 2008) * Maven PMD Plugin 2.3 (Tuesday January 8th, 2008) * Maven Common Artifact Filters 1.0 (Saturday January 12th, 2008) * Maven Jar Plugin 2.2 (Tuesday January 16th, 2008) * Maven Surefire 2.4 (Tuesday January 16th, 2008) Archiva * 1.0-beta-2 (Saturday September 22nd, 2007) * 1.0-beta-3 (Thursday November 1st, 2007) * 1.0-beta-4 (Wednesday November 14th, 2007) * 1.0 (Tuesday November 27th, 
2007) Continuum * 1.1-beta-3 (Wednesday September 26th, 2007) * 1.1-beta-4 (Tuesday October 30th, 2007) * 1.1 (Friday November 23rd, 2007) Doxia * Doxia 1.0-alpha-10 (Friday November 2nd, 2007) * Doxia-sitetools 1.0-alpha-10 (Tuesday November 6th, 2007) Shared * Maven Shared IO 1.1 (Saturday November 24th 2007) * Maven Shared File Management 1.2 (Wednesday November 28th, 2007) * Maven Archiver 2.3 (Monday January 7th, 2008) * Maven Common Artifact Filters (Sat January 12th, 2008) * Maven Plugin Testing Harness (Tue, January 1st, 2008) * Maven Test Tools (Tue, January 1st, 2008) * Maven Dependency Analyzer (Tue, January 15th, 2008) * Maven Dependency Tree (Wed, December 19th, 2007) ----------------------------------------- Attachment M: Status report for the Apache Perl Project -- mod_perl 1.0 -- The mod_perl 1.x is a maintenance track designed to work with httpd 1.3.x. No new mod_perl 1.x releases since the last report. --- mod_perl 2.0 -- mod_perl 2.X is designed to work with all httpd 2.X branches. We are currently working through a release candidate which addresses changes in perl 5.10 that cause some bit of trouble with the most recent mod_perl 2.0 release. We expect a release soon. No new mod_perl 2.x releases since the last report. --- Apache-Test -- Apache-Test provides a framework which allows module writers to write test suites that can query a running mod_perl enabled server. It is used by mod_perl, httpd and several third party applications, and includes support for Apache modules written in C, mod_perl, PHP and Parrot. Apache-Test 1.30 was released 26 Nov 2007. 1.30 contained a small number of new features and bug fixes. --- Apache-SizeLimit -- Apache-SizeLimit is a popular component in most mod_perl production environments. It is used to kill off large httpd child processes based on various environmental triggers. No new Apache-SizeLimit releases since the last report. 
--- Apache-Reload -- Apache-Reload is a popular component in most mod_perl development environments, used to refresh compiled code in the perl interpreter without completely restarting httpd. We have not yet released Apache-Reload. -- Development -- mod_perl continues to be an active and healthy development community - bugs are found, bugs are fixed, development moves forward as usual. -- Users -- The mod_perl users list is, as always, thriving. nothing noteworthy has happened since the last report. -- PMC -- there was a brief discussion over whether mod_perl properly marked the proper incoming data fields (it probably does not) and whether this behavior warrants a CVE report. the conclusion was that while mod_perl may have a bug, it's not mod_perl proper that contains a security vulnerability - the offending code (if there were any) would be written by a user. our BIS notice was sent Fri, 28 Oct 2005 11:27:10 -0400 (see the perl 200511 board report). the source to page http://www.apache.org/licenses/exports/ was modified to add the binary files our project is exporting. ----------------------------------------- Attachment N: Status report for the Apache POI Project OOXML Support ------------- We started work on adding support for Office Open XML (ooxml), the new xml file format introduced with Office 2007. We are mostly concentrating on excel support, but we do have text extractors for all formats. All work is being currently done in a svn branch. We have been collaborating with the openxml4j project, who produce an asl v2 licensed library which works with the zip container of ooxml files. It looks like the licensing questions around the use of the xsds for ooxml are mostly answered, and hopefully we'll be ok to ship them fairly soon. Releases -------- We released 3.0.2 earlier this month. 
It contains an impressive list of bug fixes compared to 3.0.1, and a fair few small new features. We're planning another release in the summer, to fit within our aim of a release every 6 months. This may just be another 3.0.x version, or might include the ooxml support, depending on if it's ready for merging back into trunk by then. Community --------- We added one new committer, Ugo Cei. There are a few contributors who are submitting good patches, who we may well offer committership too in the near future. The lists remain nicely active. We also have a poi session at ApacheCon EU. ----------------------------------------- Attachment O: Status report for the Apache Roller Project * Apache Roller 4.0 released! Roller 4.0 is a major new release that upgrades Roller to Java SE 5, Struts 2, Velocity 1.5 and OpenJPA. It's the first release that does not require Hibernate or any other LGPL code to run. It was released on December 5, 2007 and announced on the Roller mailing lists and the project blog. We've made enough bug fixes in the Roller 4.0 branch that it's probably time to start thinking about a 4.0.1 bug fix release. Here's the list of issues fixed for 4.0.1. * Roller 4.1 development, now in trunk Roller 4.1 development is underway and since the Roller 4.0 release, we have merged the work into the trunk. The proposal to externalize user management has been implemented, as has the proposal to add a Tag Data API so other apps can get Roller's tag cloud data. * Apache Roller 3.1 completed, 3.1.1 RC6 ready for testing No change in 3.1.1 status since last report. We still have not gotten votes for release. We shipped 3.1 on April 23, 2007. A number of significant problems (including an XSS bug) were found and fixed. We are now testing a fix release known as 3.1.1 RC6, made available October 4, 2007 (announcement here: http://tinyurl.com/ynmrtj). * Some post graduation work still TBD No change in status. JIRA is still hosted externally. 
Apache Roller graduated back in March and announced graduation and the Apache Roller 3.1 release on April 23, 2007. However, we've still got some work to do. We're still waiting for our JIRA instance to be setup (see https://issues.apache.org/jira/browse/INFRA-813). * Community health Community health is good, but activity has slowed a little during Fall of 2007. Developers and users are active on the mailing lists, reporting bugs, submitting patches and seeking support. A talk on Advanced Apache Roller has been accepted for ApacheCon EU 2008. ----------------------------------------- Attachment P: Status report for the Apache Santuario Project Very little activity this quarter. Mostly relating to the Java library around bug fixes and user queries. No activity on the C++ library front. For crypto policy, work needs to be done to bring both libraries into full compliance. However notification was sent (for both libraries) to the appropriate authorities in 2004, so we should be covered. (Of course this does not obviate the requirement to uplift to full policy compliance.) ----------------------------------------- Attachment Q: Status report for the Apache Shale Project The Shale project has had another slow quarter. The libraries have seemed to stabilize with not many reported issues. There has not been a lot of new development resulting in the community to question the future of the project. There has been talk of Shale merging with MyFaces but we are not sure that would be beneficial long term. Several committers are on both projects so both projects are represented well. The lack of activity by the project members might change in the near future leading to more time to contribute to the project. However, due to the non-commercial backing of the project, we realize the Shale community should be looking for new volunteers to help grow the project. Struts, a similar project, seems to have remained strong by bringing in new volunteers. 
We are already seeing positive effects of bringing in new member Rahul Akolkar. He has recently joined the Shale PMC and we have benefited from the experiences that he brings from other apache communities. We realize that we are due for a new release but are struggling to gain momentum. We are targeting a new release for the next quarter. ----------------------------------------- Attachment R: Status report for the Apache Synapse Project = Progress on TLP = The Infra team did a fantastic job helping us finish off the TLP move (Thanks Joe et al!), and we got the new website in place, moved SVN and updated the main www.apache.org site. The PR went out with the help of Jim, Sally and the PRC, and was picked up by a number of news sites and blogs. = Notable Happenings = We elected a new committer - Andreas Veithen. Awaiting account setup. We also did a 1.1.1 release including improved clustering support plus numerous other improvements. Unfortunately there was a slight hiccup with the Maven distribution, so we also ended up doing a 1.1.2 release. = Export controls = We have updated the http://www.apache.org/licenses/exports/ page with Apache Synapse information, and informed the US export controls. Our next release will include the cryptography information in the README. ----------------------------------------- Attachment S: Status report for the Apache Turbine Project Status ====== There has been good progress towards resolving the outstanding ECCN issues within the Turbine project. See below for details. The final tasks relating to Turbine becoming a TLP have finally been completed - the mirrored downloads and archived releases have been moved from jakarta to turbine directories. Other than this the Turbine project continues on with a fairly low level of activity. The Turbine project has no board-level issues at this time. 
ECCN Status and activity
========================

While this issue has been highlighted by Bill for the current round of reports, it has been on our radar for some time now.

The following areas had the potential to require ECCN registration due to their use of a "symmetric algorithm employing a key length exceeding 56 bits" and/or because they "were designed to work with strong cryptographic libraries":

1. fulcrum-crypto - used the cryptix library to implement Unix crypt()
2. The Crypto Service in Turbine Core, from which fulcrum-crypto was extracted - also used the cryptix library to implement Unix crypt()
3. fulcrum-yaafi - supports decryption of strongly encrypted configuration files
4. fulcrum-pbe - supports strong encryption/decryption of files

In particular, the following actions have taken place:

* the cryptix dependency has been removed from fulcrum-crypto and Turbine core's Crypto Service (replaced with org.apache.jetspeed.services.security.ldap.UnixCrypt from the JetSpeed Portal project).
* the exposed interfaces and underlying implementation of fulcrum-yaafi and fulcrum-pbe have been modified to ensure that only DES (56 bit key length) can be used (strong encryption was never used but was available through the exposed interfaces).

It is our understanding that after our next release of the following components, no aspects of the Apache Turbine project will require ECCN registration:

* fulcrum-crypto-1.0.7 - ETA some time in the next few weeks
* turbine-2.3.3 - ETA some time in the next month or so
* fulcrum-yaafi-1.0.6 - ETA some time in the next few weeks
* fulcrum-pbe-1.0.0 - Not yet a released component so no release required in order to comply.

Community changes
=================

No new committers were voted in since the last board report.

No new PMC members were voted in since the last board report.
Turbine core project
====================

The Turbine Core trunk and turbine-site modules have been updated to ASL 2.0 - this was long overdue and is in preparation for a future release.

The changes to fulcrum-crypto have been backported to the Crypto Service so as to eliminate the ECCN registration requirement for Turbine core.

We are working on releasing Turbine 2.3.3 - this has primarily been waiting on the DB Project's Torque 3.3 release which is likely to appear in the next couple of weeks.

No beta or final releases were made since the last board report.

Fulcrum component project
=========================

Mostly ECCN related activity, but progress on migrating from Maven 1.x to Maven 2.x for project builds has commenced.

No beta or final releases were made since the last board report.

META project
============

No beta or final releases were made since the last board report.

-----------------------------------------
Attachment T: Status report for the Apache Velocity Project

Velocity remains a mature product. At the moment, development is primarily focused on the tools project. User mailing list traffic remains at 1-2 messages a day with responses generally answered quickly.

Nathan Bubna oversaw our involvement in Google's GHOP program in November/December 2007. We had several students make useful contributions to our documentation and logos. Many thanks to the participants and to Google.

The Velocity project currently has no board-level issues at this time.

ECCN REVIEW

As requested, the PMC chair has reviewed the ASF notes on export notification. Since Velocity has no crypto code, and no links or dependencies on such code, these requirements do not apply to our project.

COMMUNITY CHANGES

We have a new committer, but have not formally announced it as his CLA has not yet been received.

No new PMC members were voted in since the last board report.

VELOCITY ENGINE

Minor activity fixing some bugs.
There are several patches received by users in the last couple of weeks that need review.

No beta or final releases were made since the last board report.

VELOCITY TOOLS

Velocity tools has released 2.0-beta1. We hope to release 2.0 by May.

VELOCITY TEXEN

Texen has been refactored to separate out ant task from main code. The code is ready for a point release in the not too distant future. Texen currently has an unresolved Gump issue.

VELOCITY DVSL, VELOCITY ANAKIA, VELOCITY DOCBOOK

No activity this past quarter.

-----------------------------------------
Attachment U: Status report for the Apache Xalan Project

Xalan-C
=======

Nothing to report.

Xalan-J
=======

Xalan-J 2.7.1 was released on November 27, 2007. This release contains:

1) Support for DOM Level 3 serialization
2) Upgrade to Xerces-J 2.9.0
3) Bug fixes

The user community has noted that the Xalan-J 2.7.1 distribution contains a back level release of Xerces-J. Xerces-J 2.9.1 became available on September 15, 2007. The level of Apache BCEL is also downlevel at 5.1. Version 5.2 was released in June of 2006. These two will be upgraded in the next release.

Although not discussed by the PMC, I am not aware of any cryptographic code in the Apache Xalan distributions. The PMC will visit this issue before the next board meeting.

-----------------------------------------
Attachment V: Status report for the Apache Xerces Project

-----------------------------------------
Attachment W: Status report for the Apache XML Project

General business
==============

Nothing much going on in the XML project. We are waiting to see what happens with Apache Attic to see if either Xindice or AxKit might be good candidates.

The Export Notification Policy reminder from the board didn't show anything to be done from the XML PMC side.

Nothing else requiring board attention at the moment.

Xindice
======

Xindice made a 1.2m1 release on December 1st. There has been little activity since then.
AxKit
====

Nothing new to report - no activity since last time.

-----------------------------------------
Attachment X: Status report for the Apache XML Graphics Project

General Comments

There are no project-level issues. The project continues to live off a relatively small set of active committers. The PMC chair is a little concerned about the number of active committers in the Batik area. The 1.7 release was basically performed by a single committer. However, oversight is still guaranteed. User activity is steady and support is working.

The whole project has now dropped support for Java 1.3 and requires Java 1.4 after the release of Batik 1.7.

We're looking towards other projects to find long-term, joint solutions for PDF generation, font and metadata handling (most notably PDFBox and Tika).

XML Graphics Commons

A redesign of the image loading code in FOP resulted in a new image loading framework in Commons. It is highly extensible and supports loading all sorts of images (bitmap, vector) and converting them to a format supported by the consumer. Besides that, smaller bugfixes happened, as well as a few improvements for the XMP metadata handling code.

Batik

Version 1.7 was released. An XML editor component with syntax highlighting was donated and integrated. But the release preparations (bugfixing, documentation etc.) dominated the whole last reporting period. Besides that the development front is relatively quiet especially since the release.

FOP

The most notable changes in the last three months were: improvements and bugfixes for tables, the integration of a new image loading framework, various small improvements with font handling. Besides that the usual bugfix or feature here and there. Things currently underway are improved page layout, GOCA support (Java2D paintings) for AFP output and a processing feedback mechanism. The next release (0.95) is targeted for the end of February or beginning of March.
------------------------------------------------------
End of minutes for the February 20, 2008 board meeting.