This was extracted (@ 2017-10-21 03:10) from a list of minutes which have been approved by the Board.
Please note: The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Shiro

20 Sep 2017 [Les Hazlewood / Rich]

2017 September - Board report for Apache Shiro

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- Last release was 1.4.0 on 05-May-2017
- We encountered a few permission issues during post-release
tasks. A different team member led the release (which is great); we
are working on fixing this for the next release.

Community & Project:

- Mailing list traffic has dipped a little, Stack Overflow has been
becoming the preferred place to ask questions.

- Community pull requests to the Shiro doc site continue to roll in,
now that pages include an 'Edit in Github' link.

- Feature development is planned to continue against master.

- The 1.4.0 Release has been a step toward modernizing Shiro as well
as retaining backwards compatibility.

Last committer voted in: Andreas Kohn on 15 Jul 2016
Last PMC Member voted in: Andreas Kohn on 26 Jul 2016

21 Jun 2017 [Les Hazlewood / Ted]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography. We have no issues that require Board
assistance at this time.

Releases:

- Last release was 1.4.0 on 05-May-2017

Community & Project:

- Mailing list traffic has remained the same.
- Community pull requests to the Shiro doc site continue to roll in, now that
pages include an 'Edit in Github' link.
- Feature development is planned to continue against master.
- The 1.4.0 Release has been a step toward modernizing Shiro as well as
retaining backwards compatibility.

Last committer voted in: Andreas Kohn on 15 Jul 2016
Last PMC Member voted in: Andreas Kohn on 26 Jul 2016

15 Mar 2017 [Les Hazlewood / Brett]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- None since last report

Community & Project:

- Mailing list traffic has remained the same.

- Community pull requests to the Shiro doc site have increased, now that
 pages include an 'Edit in Github' link.

- Feature development is planned to continue against master.

- The 1.4.0 Release has been a step toward modernizing Shiro as well as
 retaining backwards compatibility.

Last committer voted in: Andreas Kohn on 15 Jul 2016
Last PMC Member voted in: Andreas Kohn on 26 Jul 2016

21 Dec 2016 [Les Hazlewood / Marvin]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- 1.4.0-RC2 was released on Wed Nov 09 2016

Community & Project:

- Mailing list traffic has remained the same.

- Most of the 2.x changes have been included in the 1.4.0-RC2 release.
1.4.0 is now on master.  Development will continue on master.

- Feature development is planned to continue against master.

- The 1.4.0 Release has been a step toward modernizing Shiro as well
as retaining backwards compatibility.

Last committer voted in: Andreas Kohn on 15 Jul 2016
Last PMC Member voted in: Andreas Kohn on 26 Jul 2016

21 Sep 2016 [Les Hazlewood / Shane]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

 - 1.3.1 was released on Tue Aug 30 2016
 - 1.3.2 was released on Tue Sep 12 2016

Community & Project:

- The 1.3.2 release contained a fix for CVE-2016-6802

- Mailing list traffic has remained the same.

- New committer/PMC member Andreas Kohn

- The 2.x release has been postponed in favor of a 1.3.x release
  in order to consume various community patch submissions.

- Project is mostly stable and in maintenance/bugfix mode until a 2.0
  release can be made.  Only minor feature development is planned on 1.x.

Last committer voted in: Andreas Kohn on 15 Jul 2016
Last PMC Member voted in: Andreas Kohn on 26 Jul 2016

20 Jul 2016 [Les Hazlewood / Bertrand]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- 1.2.5 was released on Tue May 24 2016
- 1.2.6 was released on Tue Jun 28 2016

Community & Project:

- Mailing list traffic has remained the same, with a slight rise on dev@
 due to the increased number of commits.

- The 2.x release has been postponed in favor of a 1.3.x release
 in order to consume various community patch submissions.

- Release 1.2.5 contained a fix for CVE-2016-4437

- Project is mostly stable and in maintenance/bugfix mode until a 2.0
 release can be made.  Only minor feature development is planned on 1.x.

Last committer voted in: Jerome LELEU on 4 Aug 2015
Last PMC Member voted in: Brian Demers on 20 May 2013

15 Jun 2016 [Les Hazlewood / Jim]

No report was submitted.

16 Mar 2016 [Les Hazlewood / Brett]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released the 1.2.4 bugfix/point release on July 7th.

Community & Project:

- 2.x work has slowed as of late.  The hope is to resume significant work when
 possible.  Cleanup needs to occur before final release candidates can go out.

- It was a priority since the last board report to move to Git.  This has been
 completed.

- Project is mostly stable and in maintenance/bugfix mode until a 2.0 release
 can be made.  No significant feature development is planned on 1.x.

Last committer voted in: Jérôme LELEU on 4 Aug 2015
Last PMC Member voted in: Brian Demers on 20 May 2013

16 Dec 2015 [Les Hazlewood / David]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released the 1.2.4 bugfix/point release on July 7th.

Community & Project:

- 2.x work has slowed as of late.  The hope is to resume significant work this
 month and into January.  Cleanup needs to occur before final release
 candidates can go out.

- Mostly everyone wants to move the project to ASF Git.  We'll hopefully do
 this before the next board report!

- Project is mostly stable and in maintenance/bugfix mode until a 2.0 release
 can be made.  No significant feature development is planned on 1.x.

Last committer voted in: Jérôme LELEU on 4 Aug 2015
Last PMC Member voted in: Brian Demers on 20 May 2013

16 Sep 2015 [Les Hazlewood / Chris]

Apache Shiro is a powerful and flexible open-source application
security framework that cleanly handles authentication, authorization,
enterprise session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released the 1.2.4 bugfix/point release 2 months ago on July 7th.

Community & Project:

- We have a new committer! Jerome LELEU, a long time community member
and friend of the Shiro community accepted our invitation and became a
committer last month on August 4th, 2015.

- We are still working on 2.x and active discussion has resumed
towards this effort.

- Project is mostly stable and in maintenance/bugfix mode until a 2.0
release can be made.  No significant feature development is planned on
1.x.

Last committer voted in: Jerome LELEU on 4 Aug 2015
Last PMC Member voted in: Brian Demers on 20 May 2013

17 Jun 2015 [Les Hazlewood / Chris]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our previous 1.2.3 bugfix release on
 25 February 2014.  2.0 development work is still in progress, but
 the team has not indicated a concrete release date.  There are
 some backwards incompatible changes that need to be vetted before
 a release is feasible.

Community & Project:

- Mailing list traffic remains steady compared to last quarter.

- Efforts towards a 2.0 distribution remain active on a separate dev branch.

- Project is mostly stable and in maintenance/bugfix mode until a 2.0 release
 can be made.  No significant feature development is planned on 1.x.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

18 Mar 2015 [Les Hazlewood / Greg]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our previous 1.2.3 bugfix release on
 25 February 2014.  A 1.3 release may be possible as an interim
 before 2.0, but development work last quarter has targeted the 2.0
 branch.

Community & Project:

- Mailing list traffic remains steady compared to last quarter.

- Efforts towards a 2.0 distribution remain active on a separate dev branch.
 Changes are ongoing, and we hope to make a 2.0 release soon!

- One of the PMC members, Les Hazlewood, joined the JEE Application Security
 expert group (JSR 375) where hopefully some security ideas from Shiro will
 influence the specification as well as benefit Shiro by ideas discussed in
 the expert group.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

17 Dec 2014 [Les Hazlewood / Bertrand]

Apache Shiro is a powerful and flexible open-source application
security framework that cleanly handles authentication, authorization,
enterprise session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our previous 1.2.3 bugfix release on 25
February 2014.  A 1.3 release may be possible as an interim before
2.0, but development work last quarter has targeted the 2.0 branch.

Community & Project:

- Mailing list traffic remains steady compared to last quarter.

- Efforts towards a 2.0 distribution remain active on a separate dev
branch. Changes are ongoing, and we hope to make a 2.0 release Q1
2015.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

17 Sep 2014 [Les Hazlewood / Ross]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our previous 1.2.3 bugfix release on
 25 February 2014.  A 1.3 release may be on the horizon as an interim
 before 2.0, but most recent development work has targeted the 2.0
 branch.

Community & Project:

- Mailing list traffic remains steady compared to last quarter.

- Efforts towards a 2.0 distribution remain active on a separate dev branch.
 Changes are nearly complete, and we hope to make a 2.0 release this quarter or
 early next.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

18 Jun 2014 [Les Hazlewood / Jim]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our previous 1.2.3 bugfix release last quarter on
 25 February 2014.  A 1.3 release still appears to be on
 the horizon as an interim before 2.0.

Community & Project:

- Mailing list traffic remains steady compared to last quarter.

- The Shiro plugin for Apache ActiveMQ has been accepted by the ActiveMQ
 project and has been released in their v. 5.10 distribution! This allows
 all aspects of ActiveMQ to be secured by Shiro - a nice addition!

- Efforts towards a 2.0 distribution remain active on a separate dev branch.
 Changes made this past week make it ready for full dev team review and
 discussion.  An actual 2.0 release date has not been planned yet.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

19 Mar 2014 [Les Hazlewood / Sam]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We published a 1.2.3 bugfix release on 25 February 2014, 7 days ago.  A 1.3
 release is still on the horizon as an interim before 2.0.

Community & Project:

- Brian Demers graciously fixed the user-reported CVE-2014-0074 and pushed out
 the 1.2.3 hotfix.

- A new Shiro plugin for Apache ActiveMQ has been contributed to (and accepted
 by) the Apache ActiveMQ team.  This allows all aspects of ActiveMQ to be
 secured by Shiro - a nice addition! The plugin is scheduled to be available
 in the upcoming ActiveMQ 5.10 release.

- Efforts towards a 2.0 distribution have picked up on a new dev branch.  We
 will still likely need a 1.3 interim release, but that has been slow-going
 as of late.  Hopefully we can release 1.3 next month.

- User mailing list continues to be quite active.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

18 Dec 2013 [Les Hazlewood / Bertrand]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our May 30 2013 1.2.2 bugfix release.  A 1.3 release
 is still on the horizon as an interim before 2.0.

Community & Project:

- Brian Demers accepted his nomination to the Shiro PMC.  We're happy to have
 him aboard!

- Efforts towards a 2.0 distribution are slow going, as the last quarter has
 been particularly busy for the entire Shiro team.  The community is
 advocating a few issues that probably should be represented in a 1.3
 interim release, so they don't have to wait for 2.0 (JSF release + bug
 fixes).

- User mailing list has been quite active the last month.  We're grateful for
 a community that helps each other out a lot without as much guidance by the
 core shiro team as might have been necessary earlier in the project's
 history.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

18 Sep 2013 [Les Hazlewood / Chris]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- No new releases since our May 30 2013 1.2.2 bugfix release.  A 1.3 release
 may be on the horizon as an interim before 2.0.

Community & Project:

- Initial efforts towards a 2.0 distribution are still under way.
 It is still quite early, and a new release is probably still at least 6
 months away.

- It might be possible to have a 1.3 interim release before 2.0, adding in
 official JSF support + a few minor bug fixes.

- User mailing list is still active, with questions (more than usual)
 picking up over the last month.

Last PMC Member voted in: Brian Demers on 20 May 2013
Last committer voted in: Jared Bunting on 29 Jul 2012

19 Jun 2013 [Les Hazlewood / Sam]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released a new 1.2.2 bugfix release on May 30th encompassing
 18 bug fixes.

Community & Project:

- We have finally moved over to Apache Infra's svnpubsub mechanism for
 publishing website updates.  This is working really well so far.  We are
 still flushing out the best authoring system to use - we are currently
 using a custom file-based CMS, but recently found Octopress, which looks
 much more feature rich and powerful.

- Initial efforts towards a 2.0 distribution have started in the svn trunk.
 It is still quite early, and a new release is probably at least 6
 months away.

- Outside of the Shiro codebase, there is a significant effort to secure
 Apache ActiveMQ with Shiro located here:
 https://github.com/lhazlewood/activemq/tree/trunk/activemq-shiro
 Once complete, the ActiveMQ development team has indicated they will be
 happy to include it in ActiveMQ's distribution.

- Les presented at the 2013 Cassandra Summit showing how to use Cassandra
 as a distributed data store for clustering Shiro sessions:
 https://github.com/lhazlewood/shiro-cassandra-sample

20 Mar 2013 [Les Hazlewood / Rich]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We have not released anything since our previous 1.2.1 bugfix release.
 However, enough community desire has surfaced for a 1.2.2 patch release
 as well as a 1.3.0 release.  We are making strong efforts this and
 next week to accomplish this.

- After these next 1.2.1 and 1.3.0 releases, we might start targeting a
 2.0 distribution, which would incorporate a lot of desired changes.  We
 have been careful about this because this would very likely introduce
 backwards incompatible changes that we can't do on minor or patch releases
 as we follow the APR versioning guidelines.

Community & Project:

- Les presented Intro to Apache Shiro at ApacheCon this year - it was a good
 experience to see so many Apache folks.

- We still haven't had the time/volunteers to convert over to infra@'s CMS
 system for our public website, even though we're well past the deadline.
 This means that our public website can't be updated with new content until
 this occurs since (as we understand it) the confluence wiki is no longer
 supported.

- The Shiro community remains helpful, with steady month-after-month mailing
 list traffic.  No noticeable changes here.

- Everyone on the Shiro dev team has been quite busy w/ their respective
 full time jobs.  Coupled with the holidays, not much development was
 accomplished last quarter, but efforts are ramping up significantly for
 a 1.2.2 and 1.3.0 release.

19 Dec 2012 [Les Hazlewood / Bertrand]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We have not released anything since our previous 1.2.1 bugfix release.
 Current trunk development is targeted at a 1.3.0 release (time frame
 not yet determined).

Community & Project:

- Les presented 3 presentations on various Apache Shiro topics at this year's
 Rich Web Experience conference in Fort Lauderdale at the end of November.

- We have yet to convert over to infra@'s CMS system for our public website.
 That work will probably be completed over the holidays in time for infra's
 Jan 1 deadline.

- The Shiro community remains helpful, with steady month-after-month mailing
 list traffic.  No noticeable changes here.

- The Shiro site and distribution continues to experience good growth,
 with the site averaging around 10,000 visitors per month and 8,700
 downloads a month from Maven Central (a 25% increase from the last report).

19 Sep 2012 [Les Hazlewood / Greg]

Apache Shiro is a powerful and flexible open-source application
security framework that cleanly handles authentication, authorization,
enterprise session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released a 1.2.1 bugfix release on 28 July 2012.  Current trunk
development is targeted at a 1.3.0 release (time frame not yet
determined).

Community & Project:

- The Shiro community remains helpful, with steady month-after-month
mailing list traffic.  No noticeable changes here.

- The Shiro site and distribution continues to experience good growth,
with the site averaging around 10,000 visitors per month and 7,000
downloads a month from Maven Central, and that number is steadily
increasing each month.

25 Jul 2012 [Les Hazlewood / Ross]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We released Shiro 1.2 last quarter and we are currently planning on
 releasing a 1.2.1 bug fix release hopefully sometime this or next week.

Community & Project:

- Shiro continues to grow, both in the number of downloads and the size of
 its community.  We've received a lot of feedback lately on integration
 with other protocols like OAuth, OpenID and open-source frameworks like
 Scribe (for OAuth).  The development team will continue to work with the
 community to provide the best Java security experience possible.

- We're excited to represent Shiro at OSCON this year with the
 rest of the ASF team.  One of our team members, Les Hazlewood, will be
 at the Apache hackathon helping anyone wishing to use or integrate with
 Shiro.

(Shiro)

20 Jun 2012 [Les Hazlewood / Jim]

No report was submitted.

21 Mar 2012 [Les Hazlewood / Bertrand]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:

- We are very happy to announce that we have released Apache Shiro 1.2 on
 Tuesday, January 24 2012, after our last report.  While 'just' a point
 release, this effort constituted over a year's worth of work.  We are
 very excited for the community to have this release.

Community & Project:

- We are happy to report that Jared Bunting has become our newest PMC member.
 He has been a valuable member of the team overall, and especially helpful
 with Shiro's Guice integration.

- More articles, blog posts, tweets and tutorials are being written about
 Apache Shiro every day.  Google Analytics shows almost 100,000 page views
 and 10,000 unique visitors per month, showing significant continued
 project interest and community growth after leaving the Incubator a little
 over a year ago.

21 Dec 2011 [Les Hazlewood / Greg]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- No new releases.

Community & Project:

- In our last report, we were considering voting on 1.2 as soon as possible.
 Instead, we delayed the vote to allow finishing a number of issues
 related to making password hashing much easier for applications.  That work
 is 95% complete and it is expected that a 1.2 vote will happen within a
 week or two.

- The community continues to grow, with new articles being written by the
 community.  We appreciated and were excited to see an extremely thorough
 article written by Meri covering Shiro cryptography:
 http://meri-stuff.blogspot.com/2011/12/apache-shiro-part-3-cryptography.html

- The mailing lists remain healthy.  Much of the community is awaiting the 1.2
 release, and this has become our highest priority.

21 Sep 2011 [Les Hazlewood / Larry]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- No new releases.

Community & Project:

- The Apache Shiro team is excited to report that we have added
 Jared Bunting as our second new committer after becoming a TLP.  Jared
 has been a great help to the project and he is a welcome addition to the
 team.

- The team has decided to release Shiro 1.2 as soon as possible.  A release
 vote is likely this week.

- Significant effort has gone into improving Shiro's reference manual the last
 three months.  It is much better than before and continues to grow as new
 features are added.  Some talk was discussed about finding a new authoring
 format beyond using Confluence, but no changes have been implemented as of
 yet.

15 Jun 2011 [Les Hazlewood / Jim]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- No releases since our first 1 Nov 2010 1.1.0 release

Community & Project:

This last quarter has been focused more on community building than
coding, with great success.  The Shiro average website visitor traffic
has increased more than half (59%) in only 3 months!  We continue to
grow and help the JVM security community.  Following are
the most important points from the last quarter.

- The Apache Shiro team is excited to report that we have added
 Brian Demers as our first new committer after becoming a TLP.  We're
 excited that our community continues to grow with quality folks like
 Brian.

- There has been minor discussion of creating a 1.2 release soon.  A
 few minor issues need to be resolved, and hopefully this will be done
 before our next board report.

- While Shiro doesn't receive many complaints, the most frequent one has
 been that non-JavaDoc documentation has been lacking.  Significant work
 has gone into improving Shiro's documentation over the last month, and
 we believe this will serve the community much better.

- To improve project publicity, Les Hazlewood wrote an intro article on
 Apache Shiro published on InfoQ: http://www.infoq.com/articles/apache-shiro
 This has contributed to site traffic and community adoption significantly.

16 Mar 2011 [Les Hazlewood / Noirin]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- No releases since our first 1 Nov 2010 1.1.0 release

Community & Project:
 - No new committers or PMC members

 - The project team is discussing the possibility of releasing a
  1.1.1 bug fix point release or moving directly to a 1.2 release.

 - Documentation efforts have increased significantly the last two
  months, with new Authentication and Authorization guides being written
  with many cleanup edits of the existing framework documentation.
  February (last month) represented the highest traffic volume to date
  for the Apache Shiro website (just shy of 10k site visits), indicating
  these edits are paying off.

 - Some new integration efforts by both committers and end-users for
  integrating with third party authentication systems seem to have picked up
  lately, with discussions about supporting OpenId, OAuth, and maybe
  Oracle SSO.

 - In the last three months, the community has indicated areas for
  significant improvement in the codebase which will probably make their
  way into a 2.0 release.  There is currently no timeline for 2.0, but
  ideas are being tracked at
  https://cwiki.apache.org/confluence/display/SHIRO/Version+2+Brainstorming.

  Most notable of the improvements are the continued migration to favoring
  architecture that emphasizes OO composition over inheritance, affording
  our end-users an even more pluggable approach to application security.

15 Dec 2010 [Les Hazlewood / Bertrand]

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- No releases since our first 1 Nov 1.1.0 release as a TLP

Community & Project:
- No new committers or PMC members

- Continued user participation on the mailing lists.  This last month
 probably represents the highest user activity with regards to
 opening Jira issues and providing patches, a healthy sign that our
 project continues to grow as a new TLP.

- The development team is discussing as to when our next release might
 be, whether it will be before or after the holidays.  It is not
 currently decided if it will be a 1.1.1 point release or a
 1.2 minor release.

- There has been a lot of discussion in the last month by both users and
 developers as to the best way to support Shiro integration with
 3rd-party (ASF compatible) frameworks and libraries - either include
 the code as 'support modules' within Shiro's codebase, or to have the code
 reside somewhere else, like a 'shiro-extras' project, similar in concept
 to Apache Wicket's 'Wicket Stuff' project.

 The difficulty in deciding is based on 1) the likelihood of the dev
 team supporting an increasing number of integration modules directly at
 the level of quality we wish to maintain and 2) whether or not a
 security framework like Shiro should support frameworks (like
 Wicket and Struts2) that sit 'higher' in the application stack.
 Ideally we'd like the respective web communities to support Shiro since
 we believe it is in their scope to do so, rather than Shiro (a
 security framework) writing integration for multiple
 web frameworks.  This is an ongoing discussion and we've yet to come
 to a decision.

Suggest that apache-extras.org might be a good place to host third-party integrations. Check it out.

17 Nov 2010 [Les Hazlewood / Roy]

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- We are proud to announce that we have made our first release as a
 TLP, Apache Shiro version 1.1.0 on November 1st, 2010.

Community & Project:
 - No new committers or PMC members
 - Community interaction and user list traffic has grown significantly
  since becoming a TLP, with over 400 emails on the user and dev
  mailing lists last month.  This is more than double the average
  monthly traffic we had while in incubation, showing
  continued growth and a healthy community as a TLP.
 - We experienced our first security vulnerability CVE issue.  It wasn't
  handled as appropriately as it should have been, with the issue becoming
  public (in a roundabout way) before it should have been made known.
  We dealt with the issue, fixed the source code, and very shortly
  thereafter released version 1.1.0.  This was a bit difficult as this
  CVE issue overlapped with the other issues required for 1.1 and because
  we had not yet released a TLP version, we couldn't simply create a
  point release and just 'get it out the door' quickly.  Instead we
  needed to coordinate the fix in the context of our first TLP
  release, which was a little more challenging.  In any event,
  it was a great learning experience, and we are confident any
  further CVE issues will be handled appropriately.

20 Oct 2010 [Les Hazlewood / Geir]

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

We have no issues that require Board assistance at this time.

Releases:
- In the few weeks since graduating from the Incubator, we haven't yet
 released a new version, although we plan on making our first TLP release
 (version 1.0.1 or 1.1) in the next month.

Community & Project:
 - No new committers or PMC members
 - All project migration issues are complete and http://shiro.apache.org
  is up and running.
 - Community interaction and user list traffic is growing steadily after
  graduating from the Incubator.  Google Analytics reports that our
  web site has received about a 40% average increase in site visitors
  after going TLP.
 - Significant new features are slated for 1.1 later this month, notably
  improved salting support for authentication tokens and a much-improved
  JNDI-based LDAP realm for using LDAP for authentication and authorization

20 Oct 2010

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

Shiro has been incubating since June 2008.

The team is pleased to report that the Apache Software Foundation Board of
Directors has accepted Shiro's Top Level Project graduation proposal during
their Wednesday, September 22nd 2010 board meeting.  Apache Shiro has
officially graduated from the Incubator to become an Apache Top Level
project!

This will be the last Incubator board report made by the Apache Shiro team
to the Apache Incubator PMC. The process to remove Shiro from the reporting
schedule will be complete by the time the Incubator reviews this report.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

22 Sep 2010

Establish Apache Shiro Project

 WHEREAS, the Board of Directors deems it to be in the best
 interests of the Foundation and consistent with the Foundation's
 purpose to establish a Project Management Committee charged with
 the creation and maintenance of open-source software related to
 application security, for distribution at no charge to the
 public.

 NOW, THEREFORE, BE IT RESOLVED, that a Project Management
 Committee (PMC), to be known as the "Apache Shiro Project",
 be and hereby is established pursuant to Bylaws of the
 Foundation; and be it further

 RESOLVED, that the Apache Shiro Project be and hereby is
 responsible for the creation and maintenance of a software
 project related to application security; and be it further

 RESOLVED, that the office of "Vice President, Apache Shiro" be and
 hereby is created, the person holding such office to serve at the
 direction of the Board of Directors as the chair of the Apache
 Shiro Project, and to have primary responsibility for management
 of the projects within the scope of responsibility of
 the Apache Shiro Project; and be it further

 RESOLVED, that the persons listed immediately below be and
 hereby are appointed to serve as the initial members of the
 Apache Shiro Project:

     * Les Hazlewood       (lhazlewood@apache.org)
     * Kalle Korhonen      (kaosko@apache.org)
     * Peter Ledbrook      (pledbrook@apache.org)
     * Jeremy Haile        (jhaile@apache.org)
     * Craig L Russell     (clr@apache.org)

 NOW, THEREFORE, BE IT FURTHER RESOLVED, that Les Hazlewood
 be and hereby is appointed to the office of Vice
 President, Apache Shiro, to serve in accordance with and subject to
 the direction of the Board of Directors and the Bylaws of the
 Foundation until death, resignation, retirement, removal or
 disqualification, or until a successor is appointed; and be it
 further

 RESOLVED, that the Apache Shiro Project be and hereby
 is tasked with the migration and rationalization of the Apache
 Incubator Shiro podling; and be it further

 RESOLVED, that all responsibility pertaining to the Apache
 Incubator Shiro podling encumbered upon the Apache Incubator
 PMC are hereafter discharged.

 This resolution was passed unanimously by roll call vote.
 It was noted that the PMC includes an Apache Member (Craig).

21 Jul 2010

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

Shiro has been incubating since June 2008.

The team is pleased to report the project made its first incubation release,
version 1.0.0-incubating. The release was made following the best practices
of an Apache release process. The team encountered only minor issues during
the process and the release vote demonstrated strong support from the
community.

Prior to the release, the team made a concentrated effort to clean up the
codebase, update the Javadocs and close out any remaining JIRA issues. The
project website and wiki-based user documentation were greatly improved.

The project also designed new logos and chose a new one for the project in a
community vote that was met with enthusiasm.

Kalle Korhonen was voted in to join the PPMC. Existing PPMC members
identified a new potential committer and discussed the matter but no vote
was held yet. Some concern was expressed about the small number of active
committers.

The team feels confident about the mid-term roadmap. Progress is made
towards making a 1.0.1 maintenance release as well as a new 1.1.0 minor
release. The project is targeting graduation by October.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

21 Apr 2010

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

Shiro has been incubating since June 2008.

The project is just about ready for its first 1.0 release. Cryptography API
and implementation adjustments had to be made prior to the 1.0 release,
delaying the 'code complete' stage before incubator vote by 2 weeks.  That
effort is being finished this week.

As soon as this code is complete, and we resolve 4 outstanding Jira bugs, we
will immediately initiate the voting process to clear our first 1.0
release (hopefully next week).

The project team is not considering graduation at this point, but after the
first release, the team will decide on a roadmap targeting graduation.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

20 Jan 2010

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

Shiro has been incubating since June 2008.

During the period, the project has made steady progress towards releasing
the first 1.0.0 release as part of Apache incubator. All IP clearance issues
have been resolved and the team has verified there are no known remaining
issues open. Previous issues related to project's name change have been
largely resolved.

Community involvement remains high and many users are eagerly waiting for
the first official release. The team is planning on making the release
during the next period. There's been an on-going effort to clean up the
codebase and prioritize open JIRA issues before the release.

Project's API documentation (javadoc) is in a fairly good state, but the
remaining issue is where and how to automatically publish the javadoc for
general consumption. In addition, a wiki-based documentation effort for
creating a reference guide was launched.

The project team is not considering graduation at this point, but after the
first release, the team will decide on a roadmap targeting graduation.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

Signed off by mentor: Craig L Russell

18 Nov 2009

Shiro is a powerful and flexible open-source application security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

Shiro has been incubating since June 2008.

We are very excited to report we have added Kalle Korhonen as our first new
committer since joining the incubator.  This marks a big project milestone
for us as we continue to grow our community.

There remain a few project infrastructure inconsistencies resulting from
our previous name change as described in this email thread:
http://tinyurl.com/yznnogv

Resolving these inconsistencies is a high priority and should be resolved
as soon as possible.

An issue of how Shiro is configured was the largest issue impeding our first
Apache release.  That issue has been largely resolved and once finalized,
we should be able to focus on our first Apache release.

The project team is not considering graduation at this point, as the code is
not ready for an Apache release. Once IP clearance is complete, we'll
attempt our first incubator release.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

15 Jul 2009

Previously JSecurity/Ki.

Apache Shiro is a powerful and flexible open-source application security
framework that cleanly handles authentication, authorization, enterprise
session management and cryptography.

Apache Shiro has been incubating since June 2008.

* Due to potential naming conflicts with the previously chosen name of 'Ki',
the ASF community at large helped us change our name to 'Shiro'.  This was a
large collaborative effort that really showed the power of the Apache Way
and resulted in a name with which a large majority of people were content.

* Project infrastructure has been switched over to support this name change
and all seems to be running well.  We have yet to properly configure Hudson
for continuous integration builds, but that should be done shortly.  The new
CWIKI space is available here:
http://cwiki.apache.org/confluence/display/SHIRO

* The name change also allows us to start publishing incubator Maven
snapshot builds which will help foster adoption among all Maven end-users
(of which there are many).

* We're very happy to report that the name change and community support
resulting from it have allowed the development team to return focus to
developing the framework and resolving issues rather than spending time on
name-related administrative issues.

The project team is not considering graduation at this point, as the code is
not ready for an Apache release. Once IP clearance is complete, and Maven
snapshots are working, we'll attempt our first incubator release.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/shiro/STATUS

15 Apr 2009

Ki (previously JSecurity) is a powerful and flexible open-source Java
security framework that cleanly handles authentication, authorization,
enterprise session management and cryptography.

Ki has been incubating since June 2008.

The project team voted at the end of February to change the project name
from JSecurity (its previous name prior to entry into the ASF Incubator) to
'Apache Ki' for a number of reasons, which are documented in full detail
here:

http://markmail.org/thread/zcmi4pjv2bbf4574

Project infrastructure is being changed to match this name change, but is
not yet fully complete.  Mailing lists are pending still.

There was a post on the old jsecurity.org website by an individual stating
that they would appreciate if we used a different name other than Ki, posted
here:
http://www.jsecurity.org/node/1081#comment-289.
One of our project members responded and has not received any responses
further.  The project team is now internally debating whether we need to
change the project name yet again.

The old jsecurity.org project website has entered an archival state, clearly
pointing that all users should be redirected to the new Incubator ki
site.  A crontab entry has been created to auto-export the cwiki to here:
http://incubator.apache.org/ki

We're happy to report that development and user list activity has steadily
increased since we started incubation last year, with March (last month)
being the most active month to date.

The project team is not considering graduation at this point,
as the code is not ready for an Apache release. Once IP clearance is
complete, we'll attempt our first incubator release.

One mentor, Emmanuel Lecharny, decided to step down from the project. The
number of mentors is now down to three, which is the quorum. Finding a few
more mentors should be a good idea at this point.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/jsecurity/STATUS

21 Jan 2009

JSecurity is a powerful and flexible open-source Java security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

JSecurity has been incubating since June 2008.

At the end of November, the JSecurity team released a final
external (non-Apache) release: 0.9.0 final.  All modifications
after the release were made under the assumption that the next
release will be an Apache incubating release.

After the November final release, there has been lengthy discussion
for the month and a half following about JSecurity's name and whether
or not it should be changed to something else.  3 mentors voted in favor
of changing the name to something else, 1 voted against, and 1 abstained.
Those voting in favor cited concerns of a few external
(3rd party) products that might cause a name conflict.  Consensus was
not reached, resulting in the vote.  However, it is considered
still an open issue with continued discussion as other IPMC members
are contributing to the discussion.

More recently, the team has debated about how the source tree
should be configured to allow easy modular builds and to clearly
delineate the difference of JSecurity core versus web support and
3rd party support.  The team came to consensus about an initial
directory organization and the ant build files were modified to
reflect the new structure.  It was also discussed that two build
systems, both Ant+Ivy and Maven, could be used to build the framework,
allowing the one building to choose based on their preference.

Infrastructure migration (noted in our STATUS file) is almost
complete - all that needs to be done is migration of the jsecurity.org
website into our incubator snapshot.  A volunteer is currently
in the process of enabling the existing JSecurity theme in the ASF's
Confluence export mechanism.

Low-hanging fruit to be cleared hopefully by the next board report is
all IP clearance:  the Copyright & Licensing and Distribution Rights
sections of the STATUS file should be able to be completed in their
entirety.

The biggest exit criteria remaining is Team Collaboration.  Although
the team is satisfying all collaboration directives and has a good
community, we need to attract new committers.  Hopefully that will be
a significant difference in the upcoming months and throughout 2009.

Finally, one of our mentors, Alex Karasulu, had to step down and remove
himself as a mentor, citing busy schedules and not enough time to
dedicate (http://markmail.org/message/hkh6pjwjlnmtkrjp).  We are
very grateful for the time he was able to contribute!

The project team is not considering graduation at this point,
as the code is not ready for an Apache release. Once IP clearance is
complete, we'll attempt our first incubator release.

The status is being maintained in SVN
(http://svn.apache.org/repos/asf/incubator/jsecurity/STATUS)

19 Nov 2008

We just have to report that the code base has been imported into the ASF
repository, and as it was a long-awaited move, it's good to have it announced
in this monthly report!

15 Oct 2008

JSecurity is a powerful and flexible open-source Java security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

JSecurity has been incubating since June 2008.

Last month, a new external release was issued (0.9.0-RC2).
After this, a single bug fix has been implemented and
committed to the external SourceForge SVN repository.
Many other commits have been made, but all were nonfunctional
and were made to round out the project's JavaDoc.

The JavaDoc is already quite good, but not 100%.  The team has
discussed on the development list that it would be a good idea
to get the JavaDoc completed at 100% before releasing 0.9 final,
with 0.9 final being the last external release.  After this point,
we wanted to inject the code source into the Apache repository
as a 'clean slate' initiative.

The idea is that perhaps 0.9.1 would be an Apache release,
allowing that release to focus only on adherence to Apache
policy and not dependent on code or documentation.  Then all
subsequent releases could benefit from the experience of this
'first run', continuing to maintain Apache policy.

The JavaDoc is currently being updated intermittently, as the
development team has the opportunity to update it in their spare
time.  It is certainly desirable to finish this effort soon,
hopefully no more than a week or two. But this time frame is
ultimately dependent upon the number of contributors.

The project team is not considering graduation at this point,
as the code is not ready for an Apache release. The community
is working well, with decisions being made in public.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/jsecurity/STATUS

17 Sep 2008

JSecurity is a powerful and flexible open-source Java security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

JSecurity has been incubating since June 2008.

Since last month, a new external release has been issued (0.9.0-RC2), and
some bug fixes, and discussion about the configuration format.

The code source should be injected to the Apache repository soon, when the
external 0.9.0 release will be out. It's a matter of days, maybe a week,
according to the latest discussion on the mailing list.

JIRA is set up, but it should be used.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/jsecurity/STATUS

20 Aug 2008

JSecurity is a powerful and flexible open-source Java security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

JSecurity has been incubating since June 2008.

The project has been very active, with plenty of discussion around
features, implementation, and strategy, on both user and dev lists.

The code is still at codehaus, with the plan to migrate the code base
with all history to the apache repository once a release has been made.
Once the code is in the apache repository, additional releases of the
org.jsecurity code may be published via codehaus, while the
packages are renamed to org.apache.jsecurity.

Mailing lists have been set up, and most email traffic has been migrated
from the previous lists at codehaus.

The JIRA project is set up and is tracking new issues. Issues will be
migrated from the existing bug tracking system in due time.

The status is being maintained at
http://svn.apache.org/repos/asf/incubator/jsecurity/STATUS

16 Jul 2008

JSecurity is a powerful and flexible open-source Java security framework
that cleanly handles authentication, authorization, enterprise session
management and cryptography.

JSecurity has been incubating since June 2008.

The project has kicked off with some basic infrastructure now in place.

Mailing lists have been set up.

The svn repository is ready for code.

The JIRA project is set up.

The initial committers have sent ICLAs and all accounts have been created.

Discussion is underway as to migration of the existing code into the Apache
repository. There is an existing code base with users that will need to have
releases and maintenance while the project is incubating.

PMC comments:
 * jukka: JSecurity status page is missing