This was extracted (@ 2024-04-17 22:10) from a list of minutes which have been approved by the Board.
Please note: The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

WARNING: these pages may omit some original contents of the minutes.
This is due to changes in the layout of the source minutes over the years. Fixes are being worked on.

Meeting times vary; the exact schedule is available to ASF Members and Officers. Search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).

Struts

17 Apr 2024 [René Gielen / Rich]

A report was expected, but not received

17 Jan 2024 [René Gielen / Bertrand]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made four releases in the last quarter:

- Struts 6.3.0.2 - Security fix release (2023-12-07) [1][3]
- Struts 2.5.33 - Security fix release (2023-12-07) [2][3]

The last Struts releases besides the core framework were

- Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
- Struts Annotations 1.0.8 - Enhancements in preparation for the next
 framework release (2022-11-05)

Within the last quarter we saw steady development and community activity. We
had 68 PRs (compared to 61 in previous reporting quarter) opened and 60 (61)
closed in the main project.

These numbers again represent a rather busy quarter, given the maturity of the
project. Furthermore quite a bunch of new features are in the pipeline, some
of which are scheduled for the upcoming 7.0 release.

We counted 162 (216) commits by 7 (6) contributors in the report quarter.

We released one security bulletin in the last quarter [3], leading to two
security fix releases: 2.5.33 and 6.3.0.2. The issue fixed by these releases
can lead to RCE. Due to this severity, it received a fair amount of media
coverage.

We furthermore announced an EOL date for Struts 2.5, which is now scheduled to
no longer receive patches starting in May 2024. [4]

We introduced a new notifications@ mailing list for GitHub notifications to
unclutter dev@ traffic.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 21 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16
- James Chaplin resigned from the PMC on 2023-09-08

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- Kusal Kithul-Godag (kusal) was added as committer on 2023-07-31

## Mailing list activity:

- [dev@struts.apache.org](mailto:dev@struts.apache.org):
 34 emails sent to list (302 in previous quarter)
- [notifications@struts.apache.org](mailto:notifications@struts.apache.org):
 584 emails sent to list (0 in previous quarter, new list)
- [issues@struts.apache.org](mailto:issues@struts.apache.org):
 727 emails sent to list (502 in previous quarter)
- [user@struts.apache.org](mailto:user@struts.apache.org):
 51 emails sent to list (43 in previous quarter)

## JIRA activity:

- 14 JIRA tickets created in the last 3 months (28)
- 12 JIRA tickets closed/resolved in the last 3 months (26)

[1] https://struts.apache.org/announce-2023.html#a20231207-1
[2] https://struts.apache.org/announce-2023.html#a20231207-2
[3] https://cwiki.apache.org/confluence/display/WW/S2-066
[4] https://struts.apache.org/struts25-eol-announcement

18 Oct 2023 [René Gielen / Justin]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made four releases in the last quarter:

- Struts 6.3.0 - Feature and bug fix release (2023-09-04) [1]
- Struts 2.5.32 - Security fix release (2023-10-13) [2][3]
- Struts 6.1.2.2 - Security fix release (2023-10-13) [4][3]
- Struts 6.3.0.1 - Security fix release (2023-10-13) [5][3]

The last Struts releases besides the core framework were

- Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
- Struts Annotations 1.0.8 - Enhancements in preparation for the next
 framework release (2022-11-05)

Within the last quarter we saw notably increased development and community
activity. We had 61 PRs (compared to 39 in previous reporting quarter) opened
and 61 (39) closed in the main project.

These numbers reflect both the end of vacation season as well as an energy
upswing often seen when adding a new committer.

We counted 216 (86) commits by 6 (11) contributors in the report quarter.

The project team is happy to announce that Kusal Kithul-Godag (kusal) accepted
our invitation to become an Apache Struts committer. It is very hard for a
mature project like Struts to attract “fresh blood”, which makes us even more
grateful for Kusal joining the team.

We released one security bulletin in the last quarter [3], leading to three
security fix releases: 2.5.32, 6.1.2.2 and 6.3.0.1.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 21 PMC members.
- No new PMC members added in the last 3 months, 1 member resigned
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16
- James Chaplin resigned from the PMC on 2023-09-08

## Committer base changes:

- Currently 62 committers.
- One committer was added in the last 3 months: Kusal Kithul-Godag (kusal) on
 2023-07-31

## Mailing list activity:

- dev@struts.apache.org: 302 emails sent to list (153 in previous quarter)
- issues@struts.apache.org: 502 emails sent to list (229 in previous quarter)
- user@struts.apache.org: 43 emails sent to list (47 in previous quarter)

## JIRA activity

- 28 JIRA tickets created in the last 3 months (14)
- 26 JIRA tickets closed/resolved in the last 3 months (16)

[1] https://struts.apache.org/announce-2023.html#a20230904
[2] https://struts.apache.org/announce-2023.html#a20230913-3
[3] https://cwiki.apache.org/confluence/display/WW/S2-065
[4] https://struts.apache.org/announce-2023.html#a20230913-2
[5] https://struts.apache.org/announce-2023.html#a20230913-1

19 Jul 2023 [René Gielen / Sharan]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made three releases in the last quarter:

- Struts 6.2.0 - Feature and bug fix release (2023-07-10) [1]
- Struts 6.1.2.1 - Security fix release (2023-06-13) [2]
- Struts 2.5.31 - Security fix release (2023-06-13) [3]

The last Struts releases besides the core framework were

- Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
- Struts Annotations 1.0.8 - Enhancements in preparation for the next
 framework release (2022-11-05)

Within the last quarter we saw reasonable development and community activity.
We had 39 PRs (compared to 76 in previous reporting quarter) opened and 39
(76) closed in the main project.

These numbers are a slight drop compared to the last quarter, which is not
unusual for the main vacation season.

We counted 86 (146) commits by 11 (7) contributors in the report quarter. By
the time of writing this report, we are holding a vote on inviting one of
these contributors for committership.

We released two security bulletins in the last quarter [4][5], leading to the
two security fix releases 2.5.31 and 6.1.2.1. Based on the board feedback
received lately, we adjusted our security fix release process to cast the vote
on private@ rather than dev@.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

Mailing list activity was more calm as well:

- dev@struts.apache.org: 153 emails sent to list (239 in previous quarter)
- issues@struts.apache.org: 229 emails sent to list (488 in previous quarter)
- user@struts.apache.org: 47 emails sent to list (56 in previous quarter)

## JIRA activity:

- 14 JIRA tickets created in the last 3 months (29)
- 16 JIRA tickets closed/resolved in the last 3 months (30)

[1] https://struts.apache.org/announce-2023#a20230310
[2] https://struts.apache.org/announce-2023#a20230310
[3] https://struts.apache.org/announce-2023#a20230310
[4] https://cwiki.apache.org/confluence/display/WW/S2-063
[5] https://cwiki.apache.org/confluence/display/WW/S2-064

19 Apr 2023 [René Gielen / Sander]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 6.1.2 - Security fix release (2023-03-10) [1]

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.8 - Enhancements in preparation for the next
 framework release (2022-11-05)

Within the last quarter we saw steady development and community activity. We
had 76 (65 in previous reporting quarter) opened and 76 (64) closed in the
main project. These numbers are slightly higher compared to the last quarter,
but within a typical variance for the project.

We counted 146 (187) commits by 7 (6) contributors in the report quarter.
Notably, a new contributor showed up, with 16 high quality PRs since December
2022 that all got accepted. As a result, he is on our watch list for
committership candidates.

We released no security bulletin in the last quarter. However, we released a
security fix release due to issues with Apache Commons File Upload discovered
recently.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

Mailing list activity decreased towards more normal levels, as Struts Version
6 becomes more mainstream.

- dev@struts.apache.org: 239 emails sent to list (289 in previous quarter)
- issues@struts.apache.org: 488 emails sent to list (745 in previous quarter)
- user@struts.apache.org: 56 emails sent to list (76 in previous quarter)

## JIRA activity:

- 29 JIRA tickets created in the last 3 months (32)
- 30 JIRA tickets closed/resolved in the last 3 months (50)

[1] https://struts.apache.org/announce-2023#a20230310

18 Jan 2023 [René Gielen / Willem]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 6.1.1 - Feature and bugfix release (2022-11-28) [1]

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw rather vivid development and community
activity, given that activity usually calms down during the Christmas holiday
season. This is also reflected in the number of active pull requests, with 65
(61) opened and 64 (70) closed in the main project. These numbers are only
slightly lower compared to the last quarter, but significantly higher than in
the respective quarter one year ago. The same tendency can be derived from the
number of 187 (167) commits by 6 (15) contributors.

We released no security bulletin in the last quarter.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

Mailing list activity remained rather high, which is most probably an effect
of the introduction of the major revision 6 of the Apache Struts Framework
earlier this year.

## JIRA activity:

- 32 JIRA tickets created in the last 3 months (36)
- 50 JIRA tickets closed/resolved in the last 3 months (172)

[1] https://struts.apache.org/announce-2022#a20220915

19 Oct 2022 [René Gielen / Christofer]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 6.0.3 - Feature and bugfix release (2022-09-15) [1]

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

The last quarter was dominated by smoothing edges and corners in the new 6.0.0
major version released in June [2], which resulted in the Struts 6.0.3 patch
version released on 2022-09-15 [1].

The overall development and community activity was slightly increased compared
to the preceding quarters. We saw 167 (140) commits by 15 (12) contributors in
71 (84) opened and 70 (82) closed PRs.

We released no security bulletin in the last quarter.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

Mailing list activity was rather high, especially on dev@ with 161 (92) and
user@ with 344 (192) messages.

## JIRA activity:

- 36 JIRA tickets created in the last 3 months (28)
- 172 JIRA tickets closed/resolved in the last 3 months (68)

[1] https://struts.apache.org/announce-2022#a20220915
[2] https://struts.apache.org/announce-2022#a20220606
[3] https://cwiki.apache.org/confluence/display/WW/S2-061
[4] https://cwiki.apache.org/confluence/display/WW/S2-062

20 Jul 2022 [René Gielen / Christofer]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 6.0.0 - Major feature and bugfix release (2022-06-06) [1]

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

The Struts project team is pleased to announce that within the last quarter we
managed to get our highly anticipated Struts 6.0.0 major release out the door.
Among many enhancements and bugfixes [2], the most notable changes are:
* Switch to semantic versioning - the Struts 2 platform was always a totally
 different product compared to Struts 1, such that "Struts 2" became a
 product name. This however limited our ability to use proper semantic
 versioning for our releases, since "2" stayed as fixed first version
 component, while the major number in terms of semantic versioning was the
 second version component. With this release the "2" prefix was ditched to
 now comply with SemVer standards.
* Upgrade minimum Java and Servlet platform requirements
* Rework the OGNL expression language evaluation system to potentially close a
 whole class of attack vectors that lead to remote code execution attacks in
 the past
* Add async support for Struts actions

Within the last quarter we saw increased development and community activity
around our major Struts framework release, with 84 (29) opened and 82 (21)
closed PRs by 140 commits from 12 contributors.

We released no security bulletin in the last quarter.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

We saw notably increased mailing list activity, especially on dev@ with 161
(92) and user@ with 344 (192) messages. This is not unexpected around a major
platform release.

## JIRA activity:

- 28 JIRA tickets created in the last 3 months (13)
- 68 JIRA tickets closed/resolved in the last 3 months (11)

[1] https://struts.apache.org/announce-2022#a20220606
[2] https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.0.0

20 Apr 2022 [René Gielen / Sander]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made three releases in the last quarter:
* Struts 2.5.30 - Security and bug fix release (2022-04-04)
* Struts 2.5.29 - Bug fix release (2022-01-22)
* Struts 2.5.28.3 - Security fix release related to Log4Shell (2022-01-02)

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw steady development and community activity.
There was still unplanned work in the aftermath of the log4j security issues,
leading to another fast track security release (2.5.28.3).

In addition, we got ahead of planned backlog items. While the GitHub
statistics saw a slight decrease with 29 (29) opened and 21 (30) closed PRs,
we most notably managed to get a long standing security issue off the table by
backporting an OGNL expression language double evaluation issue fix to the
current 2.5 mainline. This was a tremendous effort, for which we weren't sure
if it could be soundly achieved by our all-volunteer contributor base. Thanks
to this effort, we were able to release 2.5.30 [1] along with security
announcement S2-062 [2] to address and fix this issue.

Again unchanged since the last report, the team is still in preparation for
the first release in the new 2.6 mainline, which will include rather big and
possibly breaking changes. To make transition for existing users as smooth as
possible seems to take more time than originally expected. Additional
challenges come from platform transitions like possibly adding support for JEE
9+.

We released one security bulletin in the last quarter:
* S2-062 - Forced OGNL evaluation, when evaluated on raw not validated user
 input in tag attributes, may lead to remote code execution - same as S2-061.
 (CVE-2022-27479) [2]

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

Mailing list activity was roughly on the same level as last quarter and close
to the overall average of the last year.

## JIRA activity:

- 13 JIRA tickets created in the last 3 months (18)
- 11 JIRA tickets closed/resolved in the last 3 months (23)

[1] https://struts.apache.org/announce-2022#a20220404
[2] https://cwiki.apache.org/confluence/display/WW/S2-062

19 Jan 2022 [René Gielen / Bertrand]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made four releases in the last quarter:
* Struts 2.5.28.2 - Security fix release related to Log4Shell (2021-12-23)
* Struts 2.5.28.1 - Security fix release related to Log4Shell (2021-12-17)
* Struts 2.5.28 - Bug fix release (2021-12-12)
* Struts 2.5.27 - Feature and bug fix release (2021-11-16)

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw notably increased development and community
activity, due to both planned and unplanned working items. As for unplanned
work, Struts -- like many other projects -- was affected by the Log4J /
Log4Shell issues, leading to two fast track security releases. In consultation
with the Apache Security Team, we provided the security fix releases as a
service for downstream users who might not have an eye on transitive
dependencies. The Struts framework itself does not use the Log4J
implementation directly.

Nevertheless, work on planned items saw a lift as well. This is reflected in
pull request statistics, with 29 (17) opened and 30 (18) closed in the main
project, as well as in mailing list and issue activity as seen in the numbers
below.

Unchanged since the last report, the team is still in preparation for the
first release in the new 2.6 mainline, which will include rather big and
possibly breaking changes. To make transition for existing users as smooth as
possible seems to take more time than originally expected. Additional
challenges come from platform transitions like possibly adding support for JEE
9+.

We released no security bulletins in the last quarter. Regarding Log4J /
Log4Shell we released a security announcement to help downstream users to
understand possible impacts from a Struts perspective [1].

The last published security bulletin was:
* S2-061 - Forced OGNL evaluation, when evaluated on raw user input in tag
 attributes, may lead to remote code execution - similar to S2-059.
 (CVE-2020-17530)

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org: 161 emails sent to list (89 in previous quarter)
- issues@struts.apache.org: 344 emails sent to list (128 in previous quarter)
- user@struts.apache.org: 16 emails sent to list (14 in previous quarter)


## JIRA activity:

- 18 JIRA tickets created in the last 3 months
- 23 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/announce-2021#a20211212-2

20 Oct 2021 [René Gielen / Justin]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favours convention
over configuration, is extensible using a plugin architecture, and ships
with plugins to support patterns and technologies such as REST, AJAX and
JSON.

The Struts team made no releases in the last quarter.

The last Struts releases were
* Struts 2.5.26 - Bug fix release (2020-12-06)
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades
 (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw rather low development and community
activity, most likely due to the summer holiday season. This is also
reflected in the number of active pull requests, with 17 (34) opened and
18 (32) closed in the main project.

The team is still in preparation for the first release in the new 2.6
mainline, which will include rather big and possibly breaking changes.
To make transition for existing users as smooth as possible seems to
take more time than originally expected. Additional challenges come from
platform transitions like possibly adding support for JEE 9+ [1].

Again, mailing list traffic slightly decreased in the last quarter.

We released no security bulletins in the last quarter.

The last published security bulletin was:
* S2-061 - Forced OGNL evaluation, when evaluated on raw user input in
 tag attributes, may lead to remote code execution - similar to S2-059.
 (CVE-2020-17530)

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org: 89 emails sent to list (110 in previous quarter)
- issues@struts.apache.org: 128 emails sent to list (298 in previous quarter)
- user@struts.apache.org: 1314 emails sent to list (13 in previous quarter)


## JIRA activity:

- 7 JIRA tickets created in the last 3 months
- 5 JIRA tickets closed/resolved in the last 3 months

[1] https://issues.apache.org/jira/browse/WW-5141
[2] https://github.com/apache/struts/pull/483
[3] https://github.com/apache/struts/pull/496

21 Jul 2021 [René Gielen / Craig]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter.

The last Struts releases were
* Struts 2.5.26 - Bug fix release (2020-12-06)
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw rather vivid development activity. While the
number of active pull requests with 34 opened and 32 closed in the main
project was less compared to the last quarter, the amount of effective code
changes was rather high.

Most notably, the effort to restrict the impact of injected untrusted and
unvalidated user input regarding double evaluation attacks to an absolute
minimum led to massive code changes. All internal EL usages were reviewed in
order to restrict them to the minimum required to keep up guaranteed framework
functionality, along with further optimisations [1][2].

In addition, the Struts Examples project received a notable overhaul [3].

The team is in preparation for the first release in the new 2.6 mainline,
which we hope to see any time soon.

Mailing list traffic slightly decreased in the last quarter.

We released no security bulletins in the last quarter.

The last published security bulletin was:
* S2-061 - Forced OGNL evaluation, when evaluated on raw user input in tag
 attributes, may lead to remote code execution - similar to S2-059.
 (CVE-2020-17530)

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org: 110 emails sent to list (152 in previous quarter)
- issues@struts.apache.org: 298 emails sent to list (366 in previous quarter)
- user@struts.apache.org: 13 emails sent to list (28 in previous quarter)


## JIRA activity:

- 13 JIRA tickets created in the last 3 months
- 10 JIRA tickets closed/resolved in the last 3 months

[1] https://github.com/apache/struts/pull/483
[2] https://github.com/apache/struts/pull/496
[3] https://github.com/apache/struts-examples

21 Apr 2021 [René Gielen / Sander]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter.

The last Struts releases were
* Struts 2.5.26 - Bug fix release (2020-12-06)
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw slightly decreased, but reasonable development
activity with 40 opened and 41 closed pull requests. Mailing list traffic
went back to the overall normal after a notable spike in the last quarter.

A notable non-code effort was the establishment of a new Security Impact
Level Rating, aiming to better align with proven industry standards [1]. All
existing security bulletins were reviewed and updated to match the new impact
level rating [2].

Another notable effort is currently underway to restrict the impact of
injected untrusted and unvalidated user input regarding double evaluation
attacks to an absolute minimum, reviewing all internal EL usages in order to
restrict them to the minimum required to keep up guaranteed framework
functionality [3].

We released no security bulletins in the last quarter.

The last published security bulletin was:
* S2-061 - Forced OGNL evaluation, when evaluated on raw user input in tag
 attributes, may lead to remote code execution - similar to S2-059.
 (CVE-2020-17530)

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org: 146 emails sent to list (212 in previous quarter)
- issues@struts.apache.org: 311 emails sent to list (563 in previous quarter)
- user@struts.apache.org: 28 emails sent to list (30 in previous quarter)


## JIRA activity:

- 12 JIRA tickets created in the last 3 months
- 23 JIRA tickets closed/resolved in the last 3 months

[1] https://cwiki.apache.org/confluence/display/WW/Security+Bulletins#SecurityBulletins-Securityimpactlevels
[2] https://struts.apache.org/announce-2021.html#a20210219
[3] https://github.com/apache/struts/pull/483
[4] https://struts.apache.org/security/#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation

20 Jan 2021 [René Gielen / Justin]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favours convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 2.5.26 - Bug fix release (2020-12-06)

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw increased activity again. This goes both for
development related mailing list traffic and development activity, with 58
opened and 55 closed pull requests in the reporting period compared to 17/18
in the previous quarter. The user mailing stays low on traffic. Users are
seemingly looking for help mostly on Stack Overflow, rather than the project
mailing list.

We released one new security bulletin in the last quarter: [1]
* S2-061 - Forced OGNL evaluation, when evaluated on raw user input in tag
 attributes, may lead to remote code execution - similar to S2-059.
 (CVE-2020-17530) [2]

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- James Chaplin (jchaplin) was added to the PMC on 2020-11-16

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org:
    - 212 emails sent to list (129 in previous quarter)

- issues@struts.apache.org:
    - 563 emails sent to list (361 in previous quarter)

- user@struts.apache.org:
    - 30 emails sent to list (43 in previous quarter)


## JIRA activity:

- 2 JIRA tickets created in the last 3 months
- 3 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/announce.html#a20201208
[2] https://cwiki.apache.org/confluence/display/WW/S2-061

21 Oct 2020 [René Gielen / Justin]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 2.5.25 - Feature and bug fix release (2020-09-28)

The last Struts releases besides the core framework were
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw a slightly decreased activity. This goes both
for mailing list traffic and development activity, with 17 opened and 18
closed pull requests in the reporting period compared to 27/29 in the previous
quarter. This happens to be within the limits of usual ups and downs for a
mature project like Struts.

We released two new security bulletins in the last quarter: [1]
* S2-059 - Forced double OGNL evaluation, when evaluated on raw user input in
 tag attributes, may lead to remote code execution (CVE-2019-0230) [2]
* S2-060 - Access permission override causing a Denial of Service when
 performing a file upload (CVE-2019-0233) [3]

Thanks to the Apache Security team for their support on chasing the issues and
updating MITRE information after disclosure.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 21 PMC members.
- No new PMC members added in the last 3 months
- Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org:
    - 129 emails sent to list (179 in previous quarter)

- issues@struts.apache.org:
    - 361 emails sent to list (506 in previous quarter)

- user@struts.apache.org:
    - 43 emails sent to list (49 in previous quarter)


## JIRA activity:

- 10 JIRA tickets created in the last 3 months
- 6 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/announce.html#a20200813
[2] https://cwiki.apache.org/confluence/display/ww/s2-059
[3] https://cwiki.apache.org/confluence/display/ww/s2-060

15 Jul 2020 [René Gielen / Sam]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support patterns and technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter.

The last Struts project releases were
* Struts 2.5.22 - Feature and bug fix release (2019-11-29)
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

Within the last quarter we saw a significant uplift in activity. This goes
both for mailing list traffic and development activity, with 27 opened and 29
closed pull requests in the reporting period. Interesting new features for the
Struts framework are discussed or already worked upon.

Currently we are voting on Struts Maven Archetypes release 2.5.22. Also a
release test build was made for the Struts 2.5.23 candidate, but we seem to
face some technical issues which we hope to be able to resolve soon.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 21 PMC members.
- No new PMC members added in the last 3 months
- Last PMC addition was Yasser Zamani on Tue Jun 12 2018
- Stefaan Dutry stepped down from the PMC on 2020-06-07

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Mailing list activity:

- dev@struts.apache.org:
    - 179 emails sent to list (110 in previous quarter)

- issues@struts.apache.org:
    - 506 emails sent to list (124 in previous quarter)

- user@struts.apache.org:
    - 49 emails sent to list (40 in previous quarter)


## JIRA activity:

- 15 JIRA tickets created in the last 3 months
- 15 JIRA tickets closed/resolved in the last 3 months

15 Apr 2020 [René Gielen / Shane]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts Master 14 - Apply Apache Parent POM and plugin upgrades
 (2020-02-05)
* Struts Annotations 1.0.7 - Enhancements in preparation for the next
 framework release (2020-02-23)

The last Struts Framework release was
* Struts 2.5.22 - Feature and bug fix release (2019-11-29)

Within the last quarter we saw reasonable activity given how the
pandemic crisis impacted all our personal and professional lives.
Mailing list activity has even slightly increased if we leave aside the
unusual spike we saw in the previous quarter regarding user@.

We have no issues that require board assistance at this time.

## PMC changes:

- Currently 22 PMC members.
- No new PMC members added in the last 3 months
- Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

- Currently 60 committers.
- No new committers added in the last 3 months
- James Chaplin (jchaplin) was added as committer on 2020-01-08

## Releases:

- Last release was 2.5.22 (2019-11-29)

## Mailing list activity:

- dev@struts.apache.org:
    - 120 emails sent to list (97 in previous quarter)

- issues@struts.apache.org:
    - 185 emails sent to list (150 in previous quarter)

- user@struts.apache.org:
    - 39 emails sent to list (115 in previous quarter)


## JIRA activity:

- 12 JIRA tickets created in the last 3 months
- 4 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/security/#do-not-use-incoming-values-as-an-input-for-localisation-logic
[2] https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable

15 Jan 2020 [René Gielen / Danny]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one GA release in the last quarter:
* Struts 2.5.22 - Feature and bug fix release (2019-11-29) [1]

Within the last quarter we saw increased development activity with 35
closed pull requests. After the preceding quarter being dominated by
dealing with massive security reports, the team and community were able
to invest more resources in progressing the framework.

The Struts team is pleased to welcome James Chaplin as a new committer.

We have no issues that require board assistance at this time.

## PMC changes:

 - Currently 22 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

 - Currently 60 committers.
 - No new committers added in the last 3 months
 - James Chaplin (jchaplin) was added as committer on 2020-01-08

## Releases:

 - Last release was 2.5.22 (2019-11-29)

## Mailing list activity:

- dev@struts.apache.org:
    - 97 emails sent to list (53 in previous quarter)

- issues@struts.apache.org:
    - 150 emails sent to list (50 in previous quarter)

 - user@struts.apache.org:
    - 115 emails sent to list (24 in previous quarter)


## JIRA activity:

 - 13 JIRA tickets created in the last 3 months
 - 13 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/announce.html#a20191129

16 Oct 2019 [René Gielen / Daniel]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no GA releases in the last quarter.

Within the last quarter we saw steady development activity with 15 closed pull
requests. Preparations are being made for a new Struts 2.5 feature release,
expected for the next quarter.

After announcing this step more than eleven months ago, we officially declared
End-Of-Life for the Struts 2.3 development line (2019-09-12)[1]. Users are
recommended to upgrade to Struts 2.5, since Struts 2.3 will no longer receive
further security updates.

A lot of effort also went into dealing with a massive security report
submitted by the Black Duck Research Team within the Synopsys Cybersecurity
Research Center, claiming that a number of historic Struts Security Bulletins
and related CVE database entries contained incorrect affected release version
ranges.

We worked hard to investigate and cross-check the report as well as possible,
given the volunteer time at hand. The combined efforts led to Struts Security
Bulletin S2-058 [2][3], referencing 15 historic Struts Security Bulletins and
respective CVE entries that have been updated to reflect corrections in
affected GA version ranges as well as minimum GA versions to contain
appropriate fixes for the issues at hand.

The Struts PMC would like to thank (again) the Apache Security Team and Sally
Khudairi for their excellent support while dealing with the report and its
aftermath.

We have no issues that require board assistance at this time.

## PMC changes:

 - Currently 22 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

 - Currently 59 committers.
 - No new committers added in the last 3 months
 - Last committer addition was Yasser Zamani at Wed Nov 15 2017

## Releases:

 - Last release was 2.5.20 (2019-01-14)

## Mailing list activity:

- dev@struts.apache.org:
    - 54 emails sent to list (25 in previous quarter)

- issues@struts.apache.org:
    - 50 emails sent to list (145 in previous quarter)

 - user@struts.apache.org:
    - 24 emails sent to list (42 in previous quarter)


## JIRA activity:

 - 5 JIRA tickets created in the last 3 months
 - 6 JIRA tickets closed/resolved in the last 3 months

[1] https://struts.apache.org/announce#a20190912
[2] https://struts.apache.org/announce#a20190815
[3] https://cwiki.apache.org/confluence/display/WW/S2-058

17 Jul 2019 [René Gielen / Joan]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no GA releases in the last quarter.

Within the last quarter we saw somewhat lowered development activity
with 13 closed pull requests. We invited one individual, from which we
continue to receive high quality contributions on GitHub, to become a
Struts committer. So far the candidate did not accept the invitation, to
our regret.

We have no issues that require board assistance at this time.

## PMC changes:

 - Currently 22 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

 - Currently 59 committers.
 - No new committers added in the last 3 months
 - Last committer addition was Yasser Zamani at Wed Nov 15 2017

## Releases:

 - Last release was 2.5.20 (2019-01-14)

## Mailing list activity:

- dev@struts.apache.org:
    - 368 subscribers (down -7 in the last 3 months):
    - 25 emails sent to list (81 in previous quarter)

 - announcements@struts.apache.org:
    - 1360 subscribers (up 4 in the last 3 months):
    - 0 emails sent to list (2 in previous quarter)

 - issues@struts.apache.org:
    - 256 subscribers (down -4 in the last 3 months):
    - 145 emails sent to list (306 in previous quarter)

 - user@struts.apache.org:
    - 1478 subscribers (down -20 in the last 3 months):
    - 42 emails sent to list (135 in previous quarter)


## JIRA activity:

 - 7 JIRA tickets created in the last 3 months
 - 7 JIRA tickets closed/resolved in the last 3 months

17 Apr 2019 [René Gielen / Myrle]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one GA release in the last quarter:
* Struts 2.5.20 - Feature release, including Java 11 support (2019-01-14)

Within the last quarter we saw steady development activity with over 30 closed
pull requests. We continue to receive high quality contributions as GitHub
pull requests by various individuals. We are currently in the process of
voting on one of these contributors to be added to the committership.

We have no issues that require board assistance at this time.

## PMC changes:

 - Currently 22 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Yasser Zamani on Tue Jun 12 2018

## Committer base changes:

 - Currently 59 committers.
 - No new committers added in the last 3 months
 - Last committer addition was Yasser Zamani at Wed Nov 15 2017

## Mailing list activity

 - dev@struts.apache.org:
    - 375 subscribers (down -4 in the last 3 months):
    - 81 emails sent to list (140 in previous quarter)

 - announcements@struts.apache.org:
    - 1356 subscribers (down -2 in the last 3 months):
    - 2 emails sent to list (6 in previous quarter)

 - issues@struts.apache.org:
    - 260 subscribers (down -4 in the last 3 months):
    - 316 emails sent to list (463 in previous quarter)

 - user@struts.apache.org:
    - 1498 subscribers (down -25 in the last 3 months):
    - 136 emails sent to list (82 in previous quarter)


## JIRA activity:

 - 28 JIRA tickets created in the last 3 months
 - 19 JIRA tickets closed/resolved in the last 3 months

16 Jan 2019 [René Gielen / Roman]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts 2.5.18 - Bug fix release (2018-10-15)
* Struts 2.3.36 - Bug fix release (2018-08-22)

Furthermore, the Struts Team announced End-of-Life for the Struts 2.3.x
development line (2018-11-14)[1], effective on 2018-05-11. Struts 2.3.x
is guaranteed to receive security updates during the transition period.

Within the last quarter we saw increased development activity with over
50 closed pull requests. Work on a new release line 2.6.x has started,
with the plan to put 2.5.x in maintenance mode soon and EOL it within a
year’s period. Upcoming Struts feature releases will be JDK 11
compatible. Currently we are in the process of releasing Struts 2.5.20
and 2.3.37.

Especially notable is the fact that quite a few new contributors are
showing up with mostly high quality contributions. We are keeping an eye
on these individuals for possible addition to the committership.

No committers or PMC members were added in the last quarter.

Last committer addition:
* 2017-11-14 - Yasser Zamani (yasserzamani)

Last PMC addition:
* 2018-06-12 - Yasser Zamani (yasserzamani)

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/struts23-eol-announcement

17 Oct 2018 [René Gielen / Brett]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made four GA releases in the last quarter:
* Struts 2.5.17 - Security fix release (2018-08-22)
* Struts 2.3.35 - Security fix release (2018-08-22)
* Struts Master 12 - Master settings feature upgrade (2018-08-28)
* Struts Master 13 - Master settings upgrade to follow new hash policy
(2018-10-04)

The last quarter was dominated by preparing two important security fix
releases to address a remote execution vulnerability reported to us by Semmle
Security [1][2]. The release along with the accompanying security announcement
caused a lot of media coverage, for us to deal with in the aftermath -- this
has to be seen in the light of the prominent Equifax hack, which was conducted
by exploiting a former Struts 2 RCE.

Again a big thanks to Sally for helping us with public communication and
monitoring media coverage. As far as we know currently, there were no
prominent incidents caused by this vulnerability so far.

Currently we seem to be back in calm waters, preparing two new feature
releases in the 2.5 and 2.3 version line. We also addressed the new hash
policy for all upcoming releases.

Last month we were contacted by Palo Alto Networks, asking if we see a chance
to share early access security vulnerability information. We asked for advice
from the Apache Security Team and both agreed that this request is not
feasible to comply with, given our current volunteer capabilities. We
therefore rejected the request.

Contributions are coming in steadily at reasonable numbers.

As requested by the last board feedback, we include the current committer and
PMC member numbers for reference in this report: Currently 59 committers and
22 PMC members.

No committers or PMC members were added in the last quarter.

Last committer addition:
* 2017-11-14 - Yasser Zamani (yasserzamani)

Last PMC addition:
* 2018-06-12 - Yasser Zamani (yasserzamani)

We have no issues that require board assistance at this time.

[1] https://cwiki.apache.org/confluence/display/WW/S2-057
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

18 Jul 2018 [René Gielen / Ted]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no GA releases in the last quarter. The last
release was
* Struts 2.5.16 - full GA release including bug fixes and feature
enhancements (2018-03-16)

The last quarter was rather quiet regarding development of new features.
Community contributions and general development activities were a little
bit lower than in the previous quarters.

After various discussions and tries to get around glitches, it looks
like we are soon going to announce EOL for the 2.3 development line
along with JDK 6 support.

No committers were added in the last quarter.

Last committer addition:
* 2017-11-14 - Yasser Zamani (yasserzamani)

In the reporting quarter Yasser Zamani (yasserzamani) accepted our
invitation to join the Struts PMC (2018-06-12).

We have no issues that require board assistance at this time.

18 Apr 2018 [René Gielen / Roman]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one GA release in the last quarter.
* Struts 2.5.16 - full GA release including bug fixes and feature
 enhancements (2018-03-16)

Furthermore we released two security announcements
* advise users to upgrade commons-fileupload to version 1.3.3 [1]
* a crafted XML request can be used to perform a DoS attack when using
the Struts REST plugin [2]

In the last quarter we released Struts 2.5.16, with many improvements
feature-wise as well as bug fixes. Community contributions and
development activities were on a constantly decent level.

We had again a few incoming security reports and resulting issues, that
we were able to deal with in a timely manner. The issues were again
mostly related to 3rd party libraries used by the Struts framework.

No committers or PMC members were added in the last quarter.

Last committer addition:
* 2017-11-14 - Yasser Zamani (yasserzamani)
Last PMC addition:
* 2017-11-06 - Stefaan Dutry (sdutry)

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/announce.html#a20180323
[2] http://struts.apache.org/docs/s2-056.html

17 Jan 2018 [René Gielen / Phil]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter.
* Struts 2.5.14 - full GA release including bug fixes and feature enhancements
 (2017-11-23)
* Struts 2.5.14.1 - security fix release (2017-11-30) [1][2]

In the last quarter the team was able to focus more on improvements and bug
fixes after having to mainly deal with security issues and communications in
the previous reporting period. We also noticed increased community
contributions, which we regard as a good sign.

We had to deal with a few security reports and resulting issues, that we were
able to cope with in a timely manner. The issues were mostly related to 3rd
party libraries used by the Struts framework.

The team chose to move our repositories to GitBox [3] and seems to be very
happy with this decision, as it helps to streamline our development efforts.

In the last quarter Yasser Zamani (yasserzamani) was added as a new committer
(2017-11-14). Stefaan Dutry (sdutry) accepted our invitation to join the
Struts PMC (2017-11-06).

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-054.html
[2] http://struts.apache.org/docs/s2-055.html
[3] https://gitbox.apache.org/setup/
[4] http://struts.apache.org/docs/s2-049.html

18 Oct 2017 [René Gielen / Shane]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter.
* Struts 2.5.13 - full GA release including bug fixes, feature enhancements
 and security fixes (2017-09-05) [1][2][3]
* Struts 2.3.34 - bug and security fix release (2017-09-07) [1][2][3][4]

Furthermore we updated a security announcement that did not imply a new Struts
framework release [5].

At the beginning of the reporting period the team could focus on improving the
Struts 2.5 release train, leading to many improvements in the Struts 2.5.13
release.

Additionally we received vulnerability reports that led to both integrating
security fixes into 2.5.13 and to a 2.3.34 security fix release within the
Struts 2.3 release train. Besides DoS vulnerabilities, we had to fix RCE
vulnerabilities of critical severity. Dealing with these issues went smoothly
in a timely manner.

Shortly after the said security relevant releases, US company Equifax reported
a massive data breach, potentially executed by exploiting an Apache Struts
vulnerability. Additional media coverage seemed to be blaming the Struts
project for this incident. Sally Khudairi was contacted by Reuters to comment
on this, which Sally extended to the Struts PMC. We started to work closely
with Sally, the press team, the security team and board members to establish a
communication strategy and to push out an official statement of the Struts PMC
[6].

The PMC statement was well received by the public, both in media coverage and
in getting the message across that we did a proper job at dealing with
framework security issues, while Equifax potentially missed to roll out
security updates that were provided already - an assumption that rendered
correct after Equifax admitted that a vulnerability fixed by the Struts team
in March was used to conduct the exploit in May [7]. We since got a lot of
media queries which, coordinated by Sally, were tried to be covered in a
timely manner by PMC members. Additionally, the US congress formally requested
background to support a hearing with Equifax CEO. While the request was dealt
with mainly at board and legal level, the PMC provided input for the questions
posed.

We like to thank everyone involved in dealing with this massive incident and
providing time (lots of) and advice. Especially we’d like to thank Sally
Khudairi, who did an amazing and restless job as first responder, coordinator,
author and media gateway!

No committer or PMC member was added in the last quarter. We are watching a
potential committership candidate and we are currently voting on a possible
PMC addition.

The last committer addition was on 2017-1-30 (Stefaan Dutry). The last PMC
addition was on 2016-08-13 (Aleksandr Mashchenko).

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-050.html
[2] http://struts.apache.org/docs/s2-051.html
[3] http://struts.apache.org/docs/s2-052.html
[4] http://struts.apache.org/docs/s2-053.html
[5] http://struts.apache.org/docs/s2-049.html
[6] https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
[7] https://blogs.apache.org/foundation/entry/media-alert-the-apache-software

19 Jul 2017 [René Gielen / Brett]

The Apache Struts MVC framework is a solution stack for creating elegant and
modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one GA releases in the last quarter.
* Struts 2.5.12 - full GA release including bug fixes, feature enhancements
 and security fixes (2017-7-13) [1][2]
* Struts 2.3.33 - bug and security fix release (2017-7-13) [2][3]

Furthermore we released an additional security announcement that did not
imply a new Struts framework release [4].

After a quarter that was dominated by dealing with a critical high impact
security issue as reported last time, this quarter allowed us to focus again
on improving and bug fixing the framework. Work is focused on the 2.5
development line, with the 2.3 line still receiving security maintenance. The
2.5.12 release includes major new features and improvements.

In the last reporting period we were notified by the ASF Trademarks Team
about the struts1forever project, which is a community fork to maintain the
EOLed Struts 1 framework. While we don’t think there are trademark issues
involved, we tried to approach the maintainer both to discuss some possible
clarification in the project homepage readme, as well as a Struts 1 security
issue reported to us. So far we were not able to get in contact with the
maintainer, we’ll be chasing this further.

We continue to see new contributors popping up. We monitor them closely to
identify possible new committers.

No committer or PMC member was added in the last quarter.
The last committer addition was on 2017-1-30 (Stefaan Dutry).
The last PMC addition was on 2016-08-13 (Aleksandr Mashchenko).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/s2-047.html
[2] https://struts.apache.org/docs/s2-049.html
[3] https://struts.apache.org/docs/s2-048.html
[4] https://struts.apache.org/docs/s2-046.html
[5] https://github.com/kawasima/struts1-forever

19 Apr 2017 [René Gielen / Chris]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made five GA releases in the last quarter.
* Struts 2.5.10 - full GA release including bug fixes and feature
 enhancements (2017-2-17)
* Struts 2.3.32 - maintenance release including critical security bug
 fix (2017-3-17)
* Struts 2.5.10.1 - maintenance release including critical security bug
 fix (2017-3-17)
* Struts Extras 1.0 - supporting module to help users mitigate security
 risks without the need for a full framework upgrade (2017-3-20)
* Struts Extras 1.1 - maintenance and improvements release (2017-3-20)

This was a rather busy quarter. In the beginning of February the team
pushed out a major GA release with many new features and bug fixes for
the 2.5 development line (Struts 2.5.10). Shortly after, our focus had
to shift due to a security vulnerability report received by a Chinese
reporter. This turned out to be a critical and easy to exploit issue
leading to remote code execution (CVE-2017-5638). The team worked
closely with the reporter to develop a bug fix for the said problem. In
March we released maintenance versions both for the 2.5 and 2.3
development lines to address this issue, along with security
announcements [1][2].

Unfortunately once the releases and the announcements were pushed out,
the reporter immediately disclosed the PoC for the said issue. While we
believe he did this with the best intentions, this did not follow our own
policy to hold back PoCs for some time to give users a chance to update
their deployments. It turned out that the early PoC disclosure led to a
huge impact. First exploits started hours after the release, with many
users being affected. In the following days and weeks the issue got a
lot of press coverage, and we have been contacted by quite a few users
and security researchers in regard to the vulnerability. Unfortunately
we had to learn that a lot of high profile web sites were also affected,
such as Canadian tax authorities.

We furthermore decided to provide additional help for users who have
issues with a full Struts framework upgrade in their deployments by
providing a Struts Extras module to act as a drop-in fix for
applications staying at older Struts 2 releases. This seemingly helped a
lot of users to address the vulnerability sooner rather than later.

Also within the last quarter, we were approached by IBM with an offer
for a cloud based source code scanning service for Apache Struts. We
answered with some questions on how this service is different from
existing source scanning services and what’s their take on avoiding
false positives. Unfortunately we got no feedback to our questions at
all, so we won’t be pursuing this further.

In January we were approached by the ASF Trademarks Team, pointing us to
the struts1forever project [3] and asking for our view with regards to
trademarks. We agreed that this project is a developer focused fork of
the long EOLed Struts 1 project to address security issues. It does not
seem to harm our trademark and is clearly marked as non-official fork,
serving best intentions. As such we don’t see any action required on
this topic besides establishing contact with the maintainer and possibly
helping him to further clarify the project description (TBD).

Stefaan Dutry (sdutry) was added as a new committer (2017-1-30)
No new PMC member was added in the last quarter. The last PMC addition
was on 2016-08-13 (Aleksandr Mashchenko).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/s2-045.html
[2] https://struts.apache.org/docs/s2-046.html
[3] https://github.com/kawasima/struts1-forever

18 Jan 2017 [René Gielen / Bertrand]

Within the reporting period we saw reasonable community and development
activity. Both the 2.3 and 2.5 branch received further bug fixing and
feature enhancement efforts, with a clear focus on the 2.5 branch.
Adoption of the new 2.5 release line, being considered as a transition
and consolidation branch on our way towards Struts 3, is on the rise and
we might discuss dropping support for the 2.3 line later this year.

We received a few reports regarding possible security issues, one of
which led to a security bulletin and a fix found in Struts 2.5.8 [1]. In
addition we received a notice that recent releases have been signed with
unresolvable GPG keys. This issue should be resolved for upcoming releases.

Based on the feedback we received from board on the last report, we
started discussion on possible new committership candidates. We widened
a bit the scope of investigation and identified a few contributors that
might be valuable additions. The first candidate is now being
voted upon. The others are still being monitored closely.

No new committer or PMC member was added in the last quarter.
The last committership addition was on 2015-10-23 (Aleksandr Mashchenko).
The last PMC addition was on 2016-08-13 (Aleksandr Mashchenko).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/s2-044.html

19 Oct 2016 [René Gielen / Jim]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two releases in the last quarter.
* Struts 2.3.30 - full GA release including bug fixes and feature
enhancements (2016-07-07)
* Struts 2.5.2 - full GA release including bug fixes and feature
enhancements (2016-07-07)

Within the reporting period we saw reasonable community and development
activity. Both the 2.3 and 2.5 branch received further bug fixing and
feature enhancement efforts. The new 2.5 release line, being considered
as a transition and consolidation branch on our way towards Struts 3,
seems to be adopted very well by our user community. Traffic on the user
mailing list was slightly more vivid in the last quarter.

No new committer was added in the last quarter. The last committership
addition was on 2015-10-23 (Aleksandr Mashchenko).
In the reporting period Aleksandr Mashchenko (amashchenko) accepted our
invitation to join the PMC as a new member, effective 2016-08-13 [1].

We have no issues that require board assistance at this time.

[1] https://s.apache.org/struts-amashchenko-pmc

20 Jul 2016 [René Gielen / Jim]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made six releases in the last quarter.
* Struts 2.3.20.3 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.3.24.3 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.3.28.1 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.5 - first full GA release of the new Struts 2.5 development line
(2016-05-11)
* Struts 2.3.29 - full GA release including bug fixes, feature
enhancements and security fixes (2016-06-17)
* Struts 2.5.1 - full GA release including bug fixes, feature
enhancements and security fixes (2016-06-18)

The reporting period marked a rather busy quarter. The team was pleased
to successfully prepare and release the first GA version of the new
Struts 2.5 development line. Struts 2.5 includes new features,
consolidations and dependency upgrades along with dropping support for
already deprecated APIs and framework parts and significantly improved
performance. It is considered a milestone release towards Struts 3,
which is supposed to include major new features as well as breaking
changes. We have received a lot of positive feedback on the new
development line from the community so far.

Besides that, we had to deal with various security issue reports. The
valid issues, including some of critical severity, led to timely
security fix releases. The communication and issue management went very
well, including valuable advice from the Apache Security Team [1].

Our fellow Struts PMC member Johannes Geppert gave a talk on combining
Apache Struts with Angular JS for building modern web applications at
ApacheCon NA, Vancouver.

No new committer or PMC member was added in the last quarter. The last
committership addition was on 2015-10-23 (Aleksandr Mashchenko). The
last PMC membership addition was on 2016-02-28 (Greg Huber).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/security-bulletins.html

20 Apr 2016 [René Gielen / Shane]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two releases in the last quarter.
* Struts 2.5-BETA-3 - Struts 2.5 beta release (2016-01-22)
* Struts 2.3.28 - full GA release including bug fixes, feature
enhancements and security fixes (2016-03-22)

In the beginning of the reporting period we released Struts 2.5 Beta 3.
Struts 2.5 includes new features, consolidations and dependency upgrades
along with dropping support for already deprecated APIs and framework
parts. It is considered a milestone release towards Struts 3, which is
supposed to include major new features as well as breaking changes.

In the remainder of the last quarter development focus shifted back to
the Struts 2.3 release line, since it became clear that we would need at
least one intermediate release in the stable branch including bug fixes
and feature enhancements before we can move on towards a possible Struts
2.5 GA release. We released three new security
bulletins with the advent of Struts 2.3.28 [1].

No new committer was added in the last quarter. The last committership
addition was on 2015-10-23 (Aleksandr Mashchenko). Greg Huber (ghuber)
accepted our invitation to join the PMC in the last quarter (2016-02-28).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/security-bulletins.html

20 Jan 2016 [René Gielen / Sam]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter. Last GA release was
* Struts 2.3.24.1 - security fix release (2015-09-15)

Given this was the holiday season, we saw rather vivid development and
feedback activity within the reporting period. Work on Struts 2.5 keeps
moving forward, with a BETA 3 soon to be published. Struts 2.5 includes
new features, consolidations and dependency upgrades along with dropping
support for already deprecated APIs and framework parts. It is
considered a milestone release towards Struts 3, which is supposed to
include major new features as well as breaking changes.

We have currently three security reports under investigation. Progress
on these non-critical issues went rather slow, with Apache Security team
having to remind us that these issues are quite long-standing now. Two
of these issues seem to be finally fixed now, with announcements and an
improved solution to come up with the next Struts 2.3 GA release,
expected to arrive very soon. Thanks to Mark Thomas for his very
valuable help on analyzing one of these issues and giving advice on how
to improve on it. We made progress with the third issue as well.

We continue to receive high quality contributions by non-committers via
our GitHub mirror and issue tracking. This includes not only drive-by
patches, but also, and more importantly, continued involvement by
various individuals. We keep monitoring them as they might qualify for
committership addition.

Aleksandr Mashchenko (amashchenko) was added as new committer effective
2015-10-23.
No new PMC members have been added in the last quarter. Last PMC
addition was on 2015-05-12.

We have no issues that require board assistance at this time.

21 Oct 2015 [René Gielen / Greg]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts 2.3.24.1 - security fix release (2015-09-15)
* Struts Annotations 1.0.6 - switch processing from APT to Annotation
Processor API (2015-09-29)

The Struts team made two BETA releases in the last quarter, for the
upcoming Struts 2.5 framework line
* Struts 2.5-BETA2 - bug fixes, security fixes and improvements over
BETA1 (2015-09-28)
* Struts 2.5-BETA1 - first public test version including consolidations,
deprecations, dependency upgrades and new feature additions (2015-07-17)

Within the reporting period we saw vivid development and feedback
activity. Work on Struts 2.5 moves forward quickly, with a first GA
version probably soon to be released. Struts 2.5 includes new features,
consolidations and dependency upgrades along with dropping support for
already deprecated APIs and framework parts. It is considered a
milestone release towards Struts 3, which is supposed to include major
new features as well as breaking changes.

We addressed two security issues in the last quarter, one of which led
to a security announcement advising users to switch off debug mode in
production environments [1], the other being addressed by Struts
2.3.24.1 security fix release [2].

We continue to see positive effects from our switch to a git-based
workflow being mirrored on GitHub, along with accepting external
contributions via pull requests combined with properly filed and
documented JIRA tickets. There is a significant rise in high quality
contributions by non-committers. The PMC is currently in the process of
voting on committership invitation for one of these individuals.

The Apache Struts project was also represented at ApacheCon EU: core at
the beginning of October. PMC member Johannes Geppert gave a talk
targeting the upcoming Struts 2.5 release and combining Struts 2 with
AngularJS.

No new committers or PMC members have been added in the last quarter.
Last PMC addition was on 2015-05-12, last committer addition on 2014-01-06.

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-025.html
[2] http://struts.apache.org/docs/s2-026.html

15 Jul 2015 [Rene Gielen / Greg]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts 2.3.21.1 - security fix release (2015-05-06)
* Struts 2.3.24 - improvement and bug fix release

Within the reporting period we saw a boost in development activity. Work
on Struts 2.5 has not only started, but it is also next to completion
according to our plans. Struts 2.5 will include new features and drop
support for deprecated APIs and framework parts. It is considered a
milestone release towards Struts 3, which is supposed to include major
new features as well as breaking changes.

No new committers have been added in the last quarter. Christoph Nenning
(cnenning) joined the PMC as a new member (2015-05-12). Last committer
addition was on 2014-01-06.

22 Apr 2015 [Rene Gielen / Rich]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter. A release vote for
Struts 2.3.22 test build was canceled, a vote for a Struts 2.3.23
release is currently underway.
The last GA release was Struts 2.3.20 (2014-12-07)

Within the last quarter we saw reasonable development and community
activity. Since moving to git based SCM along with our git mirror being
available at GitHub, we see an increase in pull requests issued by
community members contributing valuable patches to the project. In
combination with requiring JIRA tickets for pull requests to be accepted
as contributions, we seem to have a lightweight yet solid process in
place, enabling both easily accessible contributions as well as
meaningful and documented code reviews and a well guarded patch
acceptance workflow.

No new committers or PMC members have been added in the last quarter.
The PMC voted to invite Christoph Nenning (cnenning) to join the PMC, we
are currently awaiting his response.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

21 Jan 2015 [Rene Gielen / Sam]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 2.3.21 - feature, bug fix and security fix release (2014-12-08)

The last quarter was dominated by stabilizing and releasing Struts
2.3.20, which is a major feature and bug fix release with more than 140
issues addressed. It also addresses a security issue known as
CVE-2014-7809 / JVN#88408929 [1]

We have made no progress in releasing a security fix version of the
already EOLed Struts 1 framework. However, a workaround now exists which
was developed and is provisioned externally. [2]

In the last quarter we released a fully reworked web site, including a
brand new Struts logo [1]. The design was kindly provided by
SoftwareMill, a Polish software development shop our fellow PMC member
Łukasz Lenart is working for.

Within the reporting period we saw a significant rise in discussion and
planning efforts regarding a major new framework development line to be
released as Struts 3.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-023.html
[2] https://github.com/rgielen/struts1filter
[3] http://struts.apache.org/

15 Oct 2014 [Rene Gielen / Doug]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support REST, AJAX and JSON.

The Struts team made no releases in the last quarter.

Within the last quarter we saw major development activity for the
upcoming release of Struts 2, which will be a major feature and bug fix
release with more than 140 issues addressed. A test build is available
and currently under community review.

We haven't made too much progress regarding a possible security fix
release for the critical vulnerability in the already EOLed Struts 1
distribution, as reported in the last quarter. We have published a
workaround solution as well as test builds based on a hardened
commons-beanutils library, but we are still undecided on whether we can
manage to provide a full featured release.

We are about to release a fully reworked web site, including a brand new
Struts logo [1]. The design was kindly provided by Software Mill, a
Polish software development shop our fellow PMC member Łukasz Lenart is
working for.

In August Struts committer Christoph Nenning gave a talk about Struts 2
at JUG Munich, Germany.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

[1] http://people.apache.org/~lukaszlenart/

16 Jul 2014 [Rene Gielen / Bertrand]

The Apache Struts project community provides an action-based Java web
application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.16.2 - security fix release (2014-04-24)
* Struts 2.3.16.3 - security fix release (2014-05-03)

The last quarter was dominated by dealing with a major security issue.
The root cause for this issue is a widely overlooked feature in Java Core
API that, in combination with using an expression language or bean
manipulation library, might lead to class loader access which in turn
allows for RCE attacks in certain server environments. Various web
frameworks were and might still be affected. Both Struts 1 and Struts 2
turned out to be affected.

For Struts 2 we received a vulnerability report leading to a very timely
security fix release followed by another security fix release to close
an additional attack vector for the same vulnerability. In favor of
these releases the vote on our next scheduled feature release 2.3.17 was
dropped.

Soon after disclosing the Struts 2 vulnerabilities, we got notified that
Struts 1 is affected as well. Although Struts 1 had its EOL announcement
more than one year ago, the Struts PMC felt responsible to help the wide
user base still relying on Struts 1. The HP Fortify team was very
helpful in analyzing the issue and providing a mitigation path. The
issue caused enormous mail traffic, and we did our best to deal both
with communications and providing counter measures in an ASAP fashion.

While analyzing the issue deeper we found that we should contact both
the Tomcat PMC and the Commons PMC to have them review the issue impact
and evaluate if Apache Tomcat and commons-beanutils might want to
address this as well. Not unexpectedly, the Tomcat PMC decided that the
issue should not be addressed at container level but solely on the level
of deployed applications. The Commons PMC however decided that the issue
at its root cause should be addressed in commons-beanutils. In an
admirable cross project effort folks from Commons and Struts PMC,
including emeritus members, worked hard to get a solution out the door.

We are preparing a security fix release for Struts 1 including the new
commons-beanutils library fixing the said issue.

In the aftermath of the buzz created by this issue and taking into
account the industry relevance of the Struts web framework family,
Google announced to add Apache Struts to their patch reward program.

No new committers or PMC members have been added in the last quarter. We
invited Bruce Phillips to join the PMC, but he declined. Last PMC member
addition was on 2013-05-11, last committer addition on 2014-01-06.

We have no issues that require board assistance at this time.

16 Apr 2014 [Rene Gielen / Bertrand]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.16.1 - security fix release (2014-03-02)

In the last quarter we had to deal with a security vulnerability in
commons-fileupload and a class loader manipulation issue. The issues
were fixed in a timely manner, resulting in the release of Struts
2.3.16.1. Currently the team is about to release Struts 2.3.17, which
will include a major number of enhancements and bug fixes.

Within the reporting period the Struts 2 codebase has been successfully
moved to git. The team decided to adopt a git-flow based workflow.

In this period we saw slightly increased community activity on the
mailing lists and issue tracker, along with increased development activity.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

The employer of our fellow PMC member Łukasz Lenart, the Poland-based
company SoftwareMill, was kind enough to donate design resources to the
Apache Struts project. We are currently in the process of new logo and
unique web site design development.

We have no issues that require board assistance at this time.

15 Jan 2014 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.15.3 - security fix release (2013-10-15)
* Struts 2.3.16 - improvements and bugfixes (2013-12-08)

In the last quarter we had to deal with a broken access control security
vulnerability. The issue was fixed in a timely manner, resulting in the
release of Struts 2.3.15.3

In this period we saw constant community activity on the mailing lists and
issue tracker, along with reasonable development activity.

In the last quarter we added Greg Huber (ghuber - 2014-01-06) as a new
committer. No new PMC members were added in this period.

As a notable addendum to the last quarter's report, the Apache Struts web site
was relaunched with a cleaned up and modernized design (2013-09-17).

In October, the Warsaw JUG-organized Warsjawa conference featured a Struts
Hackathon led by our fellow PMC member Łukasz Lenart.

We have no issues that require Board assistance at this time.

16 Oct 2013 [Rene Gielen / Bertrand]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.15.1 - critical security fix release (2013-07-16)
* Struts 2.3.15.2 - security fix release (2013-09-20)

In the last quarter we had to deal with various security issues, including a
severe code execution vulnerability that led to the release of Struts
2.3.15.1. The said release was prepared with highest priority and published
in coordination with a well known company whose products were partly
affected by this vulnerability. Nevertheless, we heard a lot of news that
many high profile Struts 2 adopters did not update in a timely manner,
leading to successful hacking attacks by exploiting the said vulnerability.
In coordination with the Apache Security Team we adjusted our vulnerability
disclosure procedure to not include detailed information such as proof of
concept examples, at least within a reasonable waiting period after the
release date.

Again all involved Struts developers along with the reporters of said issues
did a great job regarding analysis, resolving and releasing in a timely
manner.

In the last quarter we saw constant community activity on the mailing lists
and issue tracker. The development activity was noticeably influenced by
resources being busy with security topics, leading to slightly slowed down
development on new features.

A group of Struts PMC members, most notably Christian Grobmeier, organized
an open Struts hackathon in Augsburg, Germany, in cooperation with the local
Java User Group. The two-day event started on 2013-09-06 with a mini
conference which was overwhelmingly attended. On day two we had a hackathon
featuring three Struts PMC members, some Struts adopters and people being
just curious about Struts and open source development. All in all the event
was a huge success.

Our fellow PMC member Łukasz Lenart is currently organizing a similar event
in Warsaw, Poland, in cooperation with the Warsaw Java User Group.

We have no issues that require Board assistance at this time.

17 Jul 2013 [Rene Gielen / Shane]

Apache Struts is an action-based Java web application framework.

The Struts team made five releases in the last quarter:
* Struts 2.3.14 - improvements and bugfixes (2013-04-15)
* Struts 2.3.14.1 - security fix release (2013-05-23)
* Struts 2.3.14.2 - security fix release (2013-05-27)
* Struts 2.3.14.3 - security fix release (2013-06-05)
* Struts 2.3.15 - improvements and bugfixes (2013-06-24)

A series of severe security issues popped up in the last quarter,
including one zero-day exploit. All involved Struts developers along
with the reporters of said issues did a great job regarding analysis,
resolving and releasing in a timely manner.

Our security team has received a new vulnerability report of high
severity. We have prepared a patch and we are ready to release. We have
to coordinate our actions with a company co-reporting the issue, since
some of their products are affected.

In the last quarter we saw slightly increased community activity on the
mailing lists and issue tracker along with again rather high development
activity.

Within this reporting period we added Christian Grobmeier (grobmeier -
2013-05-11) to the PMC. Bruce Phillips (bphillips - 2013-06-24) was
added as a new committer.

A group of Struts PMC members is currently preparing an open Struts
hackathon in Augsburg, Germany, in cooperation with the local Java User
Group [1]. The two-day event will start on 2013-09-06 with currently
four Struts PMC members having confirmed their participation.

We have no issues that require Board assistance at this time.

[1] http://strutsathon.opensource.io/index-en.html

17 Apr 2013 [Rene Gielen / Rich]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.12 - Improvements and bugfixes (2013-03-06)
Currently the Struts 2.3.14 GA release vote is running

The Struts community has voted to announce the end of life for the
Struts 1.x product line. The official announcement [1] and a related
press statement [2] were published on 2013-04-05. Sally Khudairi and the
Apache marketing team generously helped us to spread the word.

The Struts project web site was successfully moved to the new CMS /
SvnPubSub infrastructure with the kind help of the infra team.

Our security team has received a notification about a possible security
vulnerability from folks at Akamai. We are currently investigating this
issue.

In the last quarter we saw reasonable community activity on the mailing
lists along with rather high development activity. Niall Pemberton
(niallp) decided to go emeritus on the Struts PMC. No new committers or
PMC members were added in this period.

We have no issues that require Board assistance at this time.

[1] http://struts.apache.org/struts1eol-announcement.html
[2] http://struts.apache.org/struts1eol-press.html

16 Jan 2013 [Rene Gielen / Rich]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.7 - Improvements and bugfixes (2012-11-20)
* Struts 2.3.8 - Performance improvements (2012-12-22)

The Struts project was represented at ApacheCon EU in November. PMC
members Johannes Geppert and René Gielen gave a talk on Struts 2, which
seemed to be well received.

We are currently in the discussion to switch parts of the development
from Subversion to Git.

The Struts project web site hasn't yet moved to the new CMS / SvnPubSub
infrastructure. We were notified by infra on 2012-12-10 that this
migration is now due. The Struts team worked out its desired migration
path and filed a corresponding JIRA issue for infra support on
2012-12-15 [1]. We are now working with infra to proceed on that issue.

In the last quarter Martin Cooper (martinc) decided to go emeritus on
the Struts PMC. No new committers or PMC members were added in this period.

We have no issues that require Board assistance at this time.

[1] https://issues.apache.org/jira/browse/INFRA-5659

17 Oct 2012 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.4.1 - Fast Track Security Fix Release

Struts 2.3.4.1 fixes two security issues regarding CSRF protection and
DOS attack prevention, see [1] and [2]. The reaction time from issue
reporting to fix release was pretty good.

Two more possible security issues were reported this quarter. The first
one allows for remote code execution in a scenario of not properly
sanitized user input. While user input sanitizing is basically a
developer issue, we have included a complex prevention patch into our
upcoming Struts 2.3.5 feature release which is currently in the process
of quality voting. The second reported issue is about possible XSS
vulnerabilities, but so far we are not exactly sure if we fully
understand the reporter and whether a real issue exists here.

The Struts project will be represented at ApacheCon EU in November,
where PMC members Johannes Geppert and René Gielen will be giving a talk
on Struts 2. Informal Struts community gatherings will be organized on
request.

In the last quarter no new committers or PMC members were added.

We have no issues that require Board assistance at this time.

[1] https://cwiki.apache.org/confluence/display/WW/S2-010
[2] https://cwiki.apache.org/confluence/display/WW/S2-011

25 Jul 2012 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter, both of which
addressed feature enhancements and bug fixes:
* Struts 2.3.2
* Struts 2.3.4

We have been approached with two minor security issues in the last
quarter, one for Struts 2 allowing CSRF attacks when using an
undocumented feature and one for Struts 1 allowing to view server side
web application files when using an experimental yet released feature.
We are in the process of evaluating possible impacts and solutions.

In the last quarter we added Johannes Geppert (jogep) to the PMC. No
committers were added in this period.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding (fixed)
----------------------------------------
Trademark Attributions:
there are currently no missing attributions the PMC is aware of

(all other topics were marked as fixed already in previous reports)

(Struts)

18 Apr 2012 [Rene Gielen / Roy]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.1.2 - security fix release

With the latest release we closed an important security issue reported by
Meder Kydyraliev, Google Security Team [1]. Dealing with the issue and the
reporter went very well both in terms of communication and disclosure as
well as time to fix.

The next regular release, Struts 2.3.2, is just around the corner. The
release candidate build is available for community testing and quality
voting.

In March Sally Khudairi approached us with a media query from ZDNet
regarding a Sonatype sponsored study about open source security fix
provisioning and adoption. Since Struts 2 was explicitly referenced as an
example for the relation between security patch provisioning and actual end
user downloads and patch deployments, the PMC decided to craft and forward a
general statement on this topic. Parts of the statement were cited in the
actual article [2].

In the last quarter no new committers or PMC members were added.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding:
Trademark Attributions: in progress
(all other topics were marked as already fixed in previous reports)

[1] http://struts.apache.org/2.x/docs/s2-009.html
[2] http://s.apache.org/Ct9

24 Jan 2012 [Rene Gielen / Sam]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.1 - various bug fixes and improvements such as plugin support for
 Contexts And Dependency Injection (CDI) and Portlet 2.0
* Struts 2.3.1.1 - security fix release

In December we announced the end of life for the Struts 2.0.x branch, which
for some time was supported in parallel to the Struts 2 trunk releases, due to
breaking API changes introduced with Struts 2.1. However, important security
fixes did not make it into the Struts 2.0.x branch lately. For that reason we
recommended our users to switch all their existing applications to the latest
Struts 2 versions.

With the latest releases we closed two important security issues reported by
JPCERT [1] and Sec Consult [2]. Dealing with both issues and their reporters
went very well both in terms of communication and disclosure as well as time
to fix.

In the last quarter we added Maurizio Cucchiara (mcucchiara) and John Lindal
(jafl) to the PMC. Christian Grobmeier (grobmeier) was added as a new
committer in this period.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding (ongoing)
----------------------------------------
Trademark Attributions: ongoing
(all other topics were marked as fixed already in previous reports)

[1] http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000106.html
[2] https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

26 Oct 2011 [Rene Gielen / Roy]

Apache Struts is an action-based Java web application framework.

In September, the Struts team released Struts 2.2.3.1 as GA, which is a security
fix release for Struts 2.2.3 regular release. The security issue fixed by this
release, rated with a maximum security rating of "Important", was unfortunately
again reported undisclosed via JIRA. Given that, the development team this
time did a very good job to both fix the issue and prepare the security fix
release ASAP. We updated the "Reporting Security Issues" section of the Struts
website to emphasize how important disclosure is for security reports.

We have received two more security reports via our security mailing list. JPCERT
notified us about a possible remote command execution vulnerability validated
against an old version of Struts 2, namely 2.0.14. We believe that the issue is
already addressed and fixed in newer releases, which we asked JPCERT to
crosscheck. Communication on their side seems to take its time, though. The
second issue about a possible XSS attack was reported by a company named SecPod.
After investigating we came to the conviction that this is not an issue at all,
since it refers to obviously missing user input sanitizing in a small Struts 2
showcase application section intended to demonstrate a particular Struts 2
feature not related to that topic. Our final report to SecPod is currently
crafted and will be sent soon.

The development community has been quite active to prepare the next regular
release of Struts 2, adding various bug fixes and improvements such as plugin
support for Contexts And Dependency Injection (CDI), which has been voted on to
be moved out of the sandbox and to be included in the project trunk. Meanwhile a
prolific discussion is happening about a possible Struts 3 release, supposed to
include major refactorings and overhauls. There has been a noticeable increase
of community issue reports and contributions of generally high quality, also
indicating quite a few new business adopters.

In the last quarter we added Philip Luppens (phil) to the PMC and voted Maurizio
Cucchiara (mcucchiara) and John Lindal (jafl) to be invited to the PMC (board
ack period still ongoing, invitation pending). No committers were added in this
period.

We have no issues that require Board assistance at this time.

--- Trademarks and Project Branding (ongoing) ---
Trademark Attributions: ongoing
(all other trademark topics were marked as fixed already in last report)

20 Jul 2011 [Rene Gielen / Greg]

In May, the Struts team released Struts 2.2.3 as GA, which includes both
new features, bug fixes and enhancements as well as an important
security bug fix for an XSS vulnerability.

The said security issue was unfortunately reported via JIRA rather than
our security mailing list. The sub-optimal time to fix for this already
disclosed issue led the PMC to a discussion on how to improve our
process for dealing with security reports. We are making progress with
this discussion, but it is not finished yet.

The security team was contacted by Helen Atkins of Veracode to review a
static security scan report on Struts 2 before disclosure, created on
behalf of an unnamed Veracode client. A few PMC members were provided
with accounts to the Veracode platform. The review did not reveal any
markable issues so far.

The development community has been quite active to prepare the next
major release of Struts 2, which is intended to remove deprecated APIs
and plugins and to add new functionality such as Portlet 2.0 (JSR 286)
support, which has been voted on to be moved out of the sandbox and to
be included in the project trunk.

No new committers or PMC members have been added in the last quarter.

Trademarks and Project Branding (ongoing)
=========================================
Project Website Basics: fixed
Project Naming and Descriptions: fixed
Website Navigation links: fixed
Trademark Attributions: ongoing
Logos and Graphics: fixed
Project Metadata: fixed

20 Apr 2011

Change the Apache Struts Chair

 WHEREAS, the Board of Directors heretofore appointed Martin
 Cooper to the office of Vice President, Apache Struts, and

 WHEREAS, the Board of Directors is in receipt of the resignation
 of Martin Cooper from the office of Vice President, Apache Struts,
 and

 WHEREAS, the Project Management Committee of the Apache Struts
 project has chosen by vote to recommend René Gielen as the
 Successor to the post;

 NOW, THEREFORE, BE IT RESOLVED, that Martin Cooper is relieved and
 discharged from the duties and responsibilities of the office
 of Vice President, Apache Struts, and

 BE IT FURTHER RESOLVED, that René Gielen be and hereby is
 appointed to the office of Vice President, Apache Struts, to
 serve in accordance with and subject to the direction of the
 Board of Directors and the Bylaws of the Foundation until
 death, resignation, retirement, removal or disqualification, or
 until a successor is appointed.

 This resolution passed unanimously on a roll call vote.

20 Apr 2011 [Martin Cooper / Shane]

The current Chair, Martin Cooper, has elected to step down. A resolution
has been presented for this board meeting wherein the Struts PMC
recommends René Gielen as the new Chair.

This quarter saw no new Struts releases. A vote for a Struts 2.2.3
release is pending at this time, and roadmap discussions are ongoing.
There was no activity on Struts 1 this quarter.

Johannes Geppert (jogep) has joined us as a new committer. There
have been no changes to the PMC.

19 Jan 2011 [Martin Cooper / Noirin]

In December, the Struts team released Struts 2.2.1.1 as GA, primarily
to address a reported XSRF issue. We also released Struts Master 8, a
Maven POM update, to pick up changes from the ASF master POM.

As part of the Apache Extras initiative, the Struts team has
registered several names, viz Struts, Struts 1, Struts 2, S2, WebWork,
and XWork.

There have been a couple of questions around the contribution of web
site translations from the community. We are unaware of any ASF policy
around this, and have been addressing the enquiries on a case by case
basis.

Two new committers joined the team this quarter, namely Maurizio
Cucchiara (mcucchiara) and John Lindal (account creation pending).
There were no changes to the PMC.

20 Oct 2010 [Martin Cooper / Doug]

The Struts team released Struts 2.2.1 as GA in August, but otherwise
the quarter was a very quiet one, with little other activity within
the development community.

The Struts zone was deleted as part of the overall infrastructure
changes, but the Struts team elected not to replace it with a jail
since the zone had not been utilized for some time. We added a new
moderator for our security alias, with the goal of improving our
responsiveness when such issues appear.

Nils-Helge Garli Hegvik (nilsga) elected to go emeritus this quarter.
There have been no other changes to the team.

21 Jul 2010 [Martin Cooper / Noirin]

This has been another quiet quarter for Struts. The Struts 2.2.0 release
process was canceled due to issues with the artifacts; a vote for a
Struts 2.2.1 release is currently underway. We released a new version
of our master Maven POM (Struts Master 7). There was no activity on
Struts 1 this quarter.

Due to the issues with the 2.2.0 build, we do not yet have a release that
addresses the reported vulnerability with XWork. We anticipate that the
2.2.1 release should take care of this.

The adoption of Nexus for streamlining the release process, noted in the
previous report, has been completed.

We added Lukasz Lenart (lukaszlenart) to the PMC this quarter, but added
no new committers.

21 Apr 2010 [Martin Cooper / Brett]

This has been a remarkably quiet quarter for the Struts project. No
releases were made this quarter. An XSS vulnerability was reported
against Struts 2.1.8.1, and the provided patch has been applied.

The IP Clearance process for bringing XWork to Struts is now complete,
the final Incubator vote having recently concluded. A software grant
has been received and recorded by the ASF from Google for a GXP plugin
that will become a part of Struts 2.

The previously independent Struts instance of JIRA has now been merged
into the main ASF JIRA instance. For future Struts releases, the team
has elected to use the ASF instance of Nexus to streamline the process.

No new committers or PMC members have been added in the last quarter.

Security patch, but no release? How was the patch released?

20 Jan 2010 [Martin Cooper / Doug]

This last quarter saw only one new release, that of Struts 2.1.8.1 as GA.
As one might expect, this is a patch release that resolves issues with our
2.1.8 release. Discussions are underway on the goals of Struts 2.2, and a
new JSR 299 / CDI / WebBeans plugin has been created in our sandbox.

The IP Clearance process for bringing XWork to Struts is largely complete,
pending only the filing of final paperwork, which should be completed shortly.

A new Confluence wiki space has been created for the purpose of reorganising
the Struts 2 documentation and adding new tutorials. An effort is also under
discussion to migrate the Struts 1 documentation from XML in Subversion to a
Confluence space. Hen has made forward motion on merging the separate Struts
JIRA instance into the main ASF JIRA instance, but apparently has run into
problems.

No new committers or PMC members have been added in the last quarter.

21 Oct 2009 [Martin Cooper / Geir]

The Struts community has been busy on several fronts this quarter. We released
Struts 2.1.8 as GA, and have a 2.1.8.1 release in the wings to resolve a minor
issue with 2.1.8. We also released Struts Annotations 1.0.5. Two more plugins,
JSON and Embedded JSP, have been promoted out of the sandbox and into the main
repo, while the two that were promoted during the previous quarter, OSGi and
OVal, were included in our 2.1.8 release. There is some discussion of a new
showcase application to more thoroughly illustrate what Struts 2 is capable of.

After much discussion over an extended period of time, we have finally started
the IP Clearance process to bring the OpenSymphony XWork project into the ASF
as a part of the Struts framework. For some time now, XWork has effectively
been little more than a component of Struts 2 that lives outside the ASF, and
bringing it here will reflect reality as well as simplify our dependency and
release management.

We have not added any new committers or PMC members this quarter.

15 Jul 2009 [Martin Cooper / Justin]

This last quarter has been slow in terms of releases, but development
activity on Struts 2 has continued apace. We released Struts Master 5,
a formal build artifact, but our expected Struts 2.1.7 release did not
make it due to problems identified in the build. Two Struts 2 plugins,
OSGi and OVal, were promoted out of our sandbox and into the main repo.
There was no activity on Struts 1 this quarter.

After some experimentation, Struts 2 has been shown to run on Google's
App Engine. Thanks in part to some urging by the Struts community, IBM
WebSphere is now available to developers, which will help with our
testing and debugging. And git mirrors have been created at the ASF
for Struts 1, Struts 2 and the Struts sandbox.

During the quarter, we added Lukasz Lenart as a committer, but made no
changes to the PMC.

15 Apr 2009 [Martin Cooper / J Aaron]

In contrast to the previous quarter's slew of releases, and in part because
of it, this quarter saw no new releases. However, work continues on Struts
2.1.7, which we expect to release shortly, as well as on several plugins,
and there is discussion of creating a branch so that work on Struts 2.2 can
begin. There was almost no activity on Struts 1 this last quarter.

Our zone is now hosting several sample applications on both Tomcat and
Jetty. Other platforms, and perhaps versions, may be added at a later date.

During the quarter, we added Mathias Bogaert as a committer, and Ted Husted
elected to go emeritus and departed the PMC.

21 Jan 2009 [Martin Cooper / Justin]

This has been a rather prolific quarter for releases in the Struts
community, with GA releases of Struts 1.3.10, 2.0.12, 2.0.14 and 2.1.6,
and of Struts Annotations 1.0.4.

In addition to all of the work on the releases themselves, we're now using
the ASF Hudson instance for regular builds, and our newest PMC member, Wes
Wannemacher, has started an initiative to make better use of our Solaris
zone. We've also cleaned out our old releases, at the request of infra.

Finally, we added Nils-Helge Garli Hegvik and Wes Wannemacher to the PMC,
while David Graham and David Karr elected to go emeritus and departed the
PMC.

15 Oct 2008 [Martin Cooper / Justin]

There have been no new releases this quarter. A Struts 2.0.11.3 release is
in the works.

Discussions continue on the core of Struts 2 as well as several of the
plugins. On the plus side, there is a good deal of interest in the use of
OSGi within Struts 2, continuing earlier work on an OSGi plugin; on the
negative side, the Dojo plugin is a bit of a thorn in our sides in its
current form, and needs to be updated or removed. There has been very
little activity on Struts 1.

The quarter saw us add Dave Newton to the PMC, while Antonio Petrelli
elected to go emeritus and departed the PMC.

16 Jul 2008 [Martin Cooper / Bill]

This quarter saw Struts 2.1.2 released as Beta, marking our first solid
release in the 2.1 family. We also released Struts 2.0.11.2, which
addresses a security concern with the Struts 2.0 family. A Struts 2.0.11.3
release is likely, though, due to an issue with one of our dependencies.
There were no Struts 1.x releases this quarter.

A preliminary Struts 2 roadmap has been drafted, with some initial
discussion. However, most of the energy is being put into reaching a GA
level release of Struts 2.1, subsequent to which I anticipate that the
roadmap discussion will pick up again. A continuing point of discussion
has been the future of the Dojo plugin, which has been languishing without
updates for some time. There has been some maintenance work on the Struts
1.x code line this quarter, but in general the activity level is low.

We added no new committers this quarter. Two further PMC members, Cedric
Dumoulin and James Mitchell, declared themselves emeritus and departed the
PMC. We are in the process of adding two new PMC members at this time.

16 Apr 2008 [Martin Cooper / Geir]

This quarter, we released Struts 2.0.11.1 GA, a security release that
addresses possible XSS issues. A Struts 2.1 release came closer to
reality, and is largely awaiting a release of Struts Annotations 1.0.3,
which is in the works. There are also plans for a Struts 1.3.10 release
in the near future.

In an initiative from a member of the community, in which said member
offered to pay a small sum to the person who fixed the most issues in a
specified period of time, we had a flurry of issues resolved and patches
applied. The winner of the "Closer" award fixed 10 out of the 24 qualifying
fixes, and is one of our newest committers, Wes Wannemacher.

During the quarter, we added two new committers, Wes Wannemacher and Jeromy
Evans. As part of a PMC "clean up", in which we encouraged inactive PMC
members to declare themselves emeritus if they did not expect to become
active again in the near future, we had eight departures from the PMC,
namely Patrick Lightbody, Greg Reddin, Ian Roughley, Jason Carreira, Gary
VanMatre, Hubert Rabago, Joe Germuska, and Craig McClanahan.

16 Jan 2008 [Martin Cooper / Bill]

Work on Struts 2 continues apace. During this last quarter, we released
Struts 2.0.11 as GA, and produced a first test build of the Struts 2.1 code
line. Struts 1 is garnering less attention these days, but there is still a
rivulet of bug fixes and other patches, albeit without any releases this
quarter.

At ApacheCon in Atlanta, our own Don Brown presented an excellent session
entitled "Go Light with Apache Struts 2 and REST", fitting in nicely with a
number of other REST-related sessions at the conference. The combined
Roller / Struts 2 BOF had fewer attendees than we might have hoped for, but
resulted in some productive discussion. Disappointingly, the Struts-related
tutorials were canceled due to insufficient sign-ups.

During this quarter, we added Musachy Barroso to the PMC, and removed Henri
Yandell at his request. No new committers joined us this quarter.

Approved by General Consent.

17 Oct 2007 [Martin Cooper / Justin]

There has been a lot of activity over the last quarter, especially on
Struts 2. We released Struts 2.0.9 as GA, which includes an important
security fix, and released Struts 1.3.9 as Beta. Our registry of Struts 2
plugins continues to grow, with 30 distinct plugins now registered, many
written by developers outside the project. The number of authors
contributing to our official documentation wiki also continues to grow.

On the infrastructure side, the Struts security alias, mentioned in last
quarter's report, has now been set up, and Planet Struts was the first "PMC
Planet" to be created, thanks to Sam Ruby and Ted Husted. Prompted by
infrastructure@, we handed back 1.6GB of disk space on people.a.o that we
didn't actually need.

At ApacheCon US 2007 in Atlanta next month, two tutorials and one session
will focus on Struts 2, and we expect at least six Struts committers to be
in attendance. A session on Struts 2 will also be presented at OS Summit
Asia 2007.

During this quarter, we have added three new committers (Matt Raible, Dave
Newton, and Brian Pontarelli) and two new PMC members (Henri Yandell and
Antonio Petrelli).

Approved by General Consent.

18 Jul 2007 [Martin Cooper / Henning]

Things have been running smoothly this last quarter, with little of
note for the board at this time.

We have had one GA release, of Struts 2.0.8, and a test build of
Struts 1.3.9 is up for a quality vote at this time. Both Struts
2.1 and Struts 1.4 are under active development.

Prompted by a user trying to report a security vulnerability in
Struts, we have requested a security@s.a.o alias, which we hope will
be set up shortly. (We believe the reported vulnerability had already
been resolved.)

No new committers or PMC members have been added in the last quarter.

Approved by General Consent.

25 Apr 2007 [Martin Cooper / Jim]

This quarter, we made up for the absence of releases in the previous
quarter, with GA releases of both Struts 1.3.8 and Struts 2.0.6. The
latter is particularly notable, since it is the first GA release of the
Struts 2 framework, thus marking an important milestone for the project.
With a GA release in the wild, we hope to see increased adoption of this
new framework, with a corresponding growth in the community.

Since the Apache Tiles top-level project was established by the board in
December, our Tiles colleagues have completed their move out of Struts and
into their own environment. Of course, there continues to be some overlap
in the developers and communities, and we are working with our Tiles
colleagues to ensure that Tiles integration with Struts remains strong.

Thanks to our friends at Atlassian, we now have a hosted Bamboo continuous
integration system, providing us with regular reports on the status of our
builds. After a spate of build breakages earlier in the quarter, this has
helped us identify issues more quickly.

In this last quarter, we have added Paul Benedict to our PMC, and added
four new committers, namely Philip Luppens, Tom Schneider, Musachy
Barroso, and Henri Yandell.

Finally, we have added some spiffy new icons to the Struts 2 home page:
http://struts.apache.org/2.x/index.html

Justin asked if this indicated some need for build farms within the ASF. It was noted that OSU/OSL may be able to help with this.

Approved by General Consent.

17 Jan 2007 [Martin Cooper / Cliff]

While there have been no new releases in this last quarter, there has been
a great deal of development activity. Struts 2 has been improving by leaps
and bounds, and we are close to another 2.0.x release; Tiles has gone
through significant redesign and cleanup; and Struts 1.x is making steady
progress towards another release.

In addition to the activity on the code base, and after a great deal of
discussion, our Tiles subproject was approved by the board as a new top
level project, and is in the process of moving out on its own. This will
help further two goals: providing Tiles with the opportunity and
environment to prosper beyond the confines of Struts; and refocusing the
Struts team on our core frameworks.

Subsequent to some discussion and debate elsewhere, the Struts team
reorganised our web site to clearly delineate the portions of the site
intended for end users versus developers and potential developers.

An XSS vulnerability was reported to the Struts PMC in December. The
problem has been addressed, and the fix will be included in the upcoming
Struts 1.3.6 release.

No new committers or PMC members have been added in the last quarter.

Approved by General Consent.

25 Oct 2006 [Martin Cooper / Henri]

Much of the focus in this quarter has been in driving Struts 2 forward, with
help from a growing number of contributors. Struts 2.0.1 was elevated from a
development build to a Beta release shortly after ApacheCon, thus marking our
first public release in the Struts 2 family. We also have a snazzy new logo
that signals the integration of Struts and WebWork into Struts 2!

Activity has also increased on Tiles 2 (a.k.a. Standalone Tiles), as this
moves towards its first release, and development continues on the Struts
1.3.x line, with the General Availability (GA) release of Struts 1.3.5 in
this quarter.

The Struts team made the most of ApacheCon US this year. Both a tutorial and
a session on Struts 2 were offered, as well as a Struts BOF. We also took
advantage of the opportunity to create a press release announcing our Struts
2.0.1 development build, since this is a significant milestone, bringing
together two successful web frameworks, together with their respective
communities, into a coherent whole.

Consistent with the increase in activity, and with the unification of the
Struts and WebWork communities, we have added eight people to the PMC this
quarter, namely Patrick Lightbody, Jason Carreira, Laurie Harper, Alexandru
Popescu, Rene Gielen, Rainer Hermanns, Toby Jee, and Ian Roughley. We have
also added three new committers: Antonio Petrelli, Nils-Helge Garli, and
David DeWolf.

Approved by General Consent

19 Jul 2006 [Martin Cooper / Henri]

Since our April 2006 report, our former subproject Shale has graduated to a
top-level project. Our WebWork 2 podling also graduated from the incubator
and has become the basis of Struts 2. Meanwhile, Struts 1 has released three
beta releases - 1.3.2, 1.3.3, and 1.3.4 - and a Struts 1.3.5 test build is
available and proceeding toward a release quality vote. A Struts 2.0.0
distribution is expected next month. The new Maven builds are working well,
despite the complexity of our distributions.

Three new committers have joined the fold: Paul Benedict, Michael Jouravlev,
and Bob Lee. Paul and Michael are longtime members of the Struts 1 user
community, and helped us provide new features and fixes for the Struts 1.2.9
release. Bob Lee is a longtime member of the WebWork 2 user community and
helped us prepare a short list of changes for the Struts 2.0.0 distribution.

Approved by General Consent

26 Apr 2006 [Martin Cooper / Ben]

The Struts community has been a busy one this last quarter. In terms of
releases, we released Struts 1.2.9, primarily to fix a reported
vulnerability, and Shale 1.0.2 Alpha. We also made available Struts Action
1.3.1 Test Build, the first completed build in the Struts Action 1.3 line.

After voting to accept WebWork 2, we have made progress towards removing
external dependencies with non-compatible licenses, and migrating the code
base from OpenSymphony to Struts.

We have decided to move all of the Struts components to JIRA for issue
tracking, and to Maven 2 for our build system. There has been much
discussion of splitting the user mailing list into multiple lists, based
on sub-project, but no consensus has been reached.

On the people front, we added Gary VanMatre to the PMC, and five new
committers (Alexandru Popescu, Rene Gielen, Rainer Hermanns, Toby Jee, and
Ian Roughley) as part of bringing WebWork 2 into the fold.

Greg expressed concern over the splitting of the user mailing list.

Approved by General Consent.

18 Jan 2006 [Martin Cooper / Justin]

The last quarter has been an eventful one in the Struts community. In
terms of releases, we released Struts 1.2.8, primarily to fix an XSS
vulnerability; Struts Scripting 1.0.1 is the first GA release of this
component; and Struts Shale 1.0.0 is the first Alpha release of our
newest framework.

In the wake of the web framework "unification" discussions mentioned
in our last board report, the Struts team and the WebWork team have
agreed to join forces. There have been numerous interactions between
the teams, and the team members, for some time now, and we are
confident that the merger will work well. The plan is for WebWork to
come to the ASF, and for it to provide the underpinnings for a Struts
Action Framework 2.0. We anticipate that the IP clearance process will
begin shortly, now that WebWork 2.2 has been released.

On the people front, we added Wendy Smoak as a PMC member, and Rich
Feit, Patrick Lightbody and Jason Carreira have joined us as
committers. Also, a record seven Struts committers managed to be in
the same place at the same time at ApacheCon in December, leading to
some very fruitful discussions.

Approved by General Consent.

26 Oct 2005 [Martin Cooper / Justin]

The Struts community continues to make steady progress toward the 1.3.0
release of "Struts Classic" and the 1.0.0 release of "Struts Shale", our
offering for JavaServer Faces developers (JSR-127). We've added three
new committers: Greg Reddin, Laurie Harper and Sean Schofield. Greg has
been working on Standalone Tiles, Laurie has been working on the
Struts Classic release, and Sean is an Apache MyFaces committer who has
also been working on Struts Shale. We've moved our website and development
infrastructure to Maven as our primary build, and the initial draft of
our Mavenized website is online at struts.apache.org. Our nightly builds
are now running on our Solaris 10 zone on helios. Active development is
also taking place on our Standalone Tiles and Struts Ti efforts in the
sandbox, including a substantial contribution to Struts Ti from the
Beehive PageFlow folks.

Members of our community have also been invited to participate in two
Java web framework working groups. One group, "Clarity", would like to
create a best-of-breed framework that combines the features of Spring
MVC, Struts Classic, Struts Ti, Beehive and WebWork. The "Java Web
Alignment Group" has a similar charter, but they are trying to involve a
broader range of frameworks. Both groups are still at the "hand waving"
stage, and there is nothing concrete to report. The groups are already
intermixing, and we hope the consolidation efforts will themselves
consolidate. :)

The underlying issue is that there is not a clear migration path to
JSR-127 from frameworks like Struts Classic. Since many teams have
several years of development vested in "classic" frameworks, it may be
some time before the new formal standard displaces the entrenched de
facto standard. These working groups would like to consolidate the
classic frameworks so as to clear the road toward "next generation" web
applications.

Despite these "interesting times", the Struts community remains united
and amicable. Some of us are "scouting ahead" with Struts Shale and
Struts Ti, while others trudge along with Struts Classic, but we all
share the same path.

Approved by General Consent.

28 Jul 2005 [Martin Cooper]

This has been another busy quarter in the Struts community. Progress is
being made towards a 1.3 release of Struts "Classic", and work is
continuing on Struts Shale. The Tiles component is in the process of being
transformed into a Struts-independent package.

On the people front, Wendy Smoak has joined us as a committer, and we are
in the process of adding Gary VanMatre. We are also in the process of
adding Hubert Rabago as a new PMC member, being in the 72 hour waiting
period at the time of writing.

27 Apr 2005 [Martin Cooper]

This has been a busy quarter in the Struts community. We have completed
the refactoring of the Subversion repository into subprojects, and added a
new master build system using Maven. Two new subprojects have joined the
fold; Struts Shale is an alternative approach to web applications based on
JSF, and Struts Flow allows complex workflows to be implemented using
JavaScript. Our first proposal for a Struts subproject written in C#,
named OverDrive, has been introduced in our sandbox area.

On the people front, in addition to the change of PMC chair, one new
committer, Hubert Rabago, accepted an invitation to join us, and we
welcome back David Geary from emeritus to active status.

Apache Struts Project report approved as submitted by general consent.

23 Feb 2005

Change the Chair of the Apache Struts Project

 WHEREAS, the Board of Directors heretofore appointed Craig R.
 McClanahan to the office of Vice President, Apache Struts, and

 WHEREAS, the Board of Directors is in receipt of the resignation of
 Craig R. McClanahan from the office of Vice President, Apache Struts;

 NOW, THEREFORE, BE IT RESOLVED, that Craig R. McClanahan is relieved
 and discharged from the duties and responsibilities of the office of
 Vice President, Apache Struts, and

 NOW, THEREFORE, BE IT FURTHER RESOLVED, that Martin Cooper be and
 hereby is appointed to the office of Vice President, Apache Struts, to
 serve in accordance with and subject to the direction of the Board of
 Directors and the Bylaws of the Foundation until death, resignation,
 retirement, removal or disqualification, or until a successor is
 appointed.

 By Unanimous vote, the above Special Order, 6A: Change the Chair
 of the Apache Struts Project, was approved.

19 Jan 2005 [Craig R. McClanahan]

The last three months have seen renewed interest and vigor about
moving Struts forward in technology terms.  Now that we have moved
our source code repository to Subversion, we are leveraging the new
capabilities to reorganize our source code into separately deliverable
artifacts (rather than one large "wad-o-stuff"), to be managed
as subprojects which can be released on their own schedules.  This
will enable us to be more responsive to the user community's desire
for timely releases, without having to coordinate one monster release.
In addition, work is underway to rationalize the build architecture
around Maven.

Technically, Struts 1.x  continues to evolve in a manner that is
fundamentally backwards compatible, but which leverages new internal
techniques (such as the Chain of Responsibility design pattern) that
will make customization and specialization much easier.  At the same time,
experimental development around a fresh look at web application
architectures is also taking place in the form of "Shale", a
JSF-based framework, being proposed as an alternative to Struts 1.x.

Apache Struts Project report approved as submitted by general consent.

20 Oct 2004 [Craig McClanahan]

The Struts community has recently released Struts 1.2.4 as the latest
stable version, focused on cleaning up deprecations from previous versions,
refactoring utility classes to improve separability of the core framework
from view tier dependencies, and incorporating the latest Commons libraries
on which we are dependent.

We recently completed a migration of our source code repository from
CVS to Subversion, and are leveraging its capabilities to refactor the
source code into separately releasable components.  The first such
separate release is likely to be the Struts-Faces integration library
(an adapter between Struts and JavaServer Faces).

The community is busy planning an evolutionary path that focuses on
fundamentally backwards compatible improvements, and a revolutionary
("Struts 2") path that will leverage the industry wide lessons in how
web application frameworks should be architected in the four years
since Struts was created.  The discussions are proceeding harmoniously
and productively.

Project Report Approved by General Consent.

18 Aug 2004 [Craig McClanahan]

We have started a reorganization of our repository. The goals of the refactoring
are to better support subprojects with their own release cycles and building
Struts with Apache Maven.

An initial draft of the reorganization is being done under Subversion on a
private server, with all discussions taking place on the public DEV list. We will
be ready to move the work to an Apache server soon, now that we have a
consensus in favor of Subversion and Maven.

We completed a draft of Apache Struts bylaws and developer guidelines, which
is available at <http://struts.apache.org/bylaws.html>.

There was a discussion on the DEV list regarding the "bar" for Committership.
The consensus is to keep the bar set fairly high and wait until a contributor has
submitted a good number of useful patches directly to Struts.

Our latest stable release is still 1.1 (29 June 2003). We issued a 1.2.1 release
on 11 July 2004, which is currently categorized as a beta. We anticipate 1.2.1
(or a 1.2.2) being promoted to GA over the next 30 days.

Approved by General Consent.

21 Jul 2004 [Craig McClanahan]

We have started a reorganization of our repository. The goals of the refactoring
are to better support subprojects with their own release cycles and building
Struts with Apache Maven.

An initial draft of the reorganization is being done under Subversion on a
private server, with all discussions taking place on the public DEV list. We will
be ready to move the work to an Apache server soon, now that we have a
consensus in favor of Subversion and Maven.

We completed a draft of Apache Struts bylaws and developer guidelines, which
is available at <http://struts.apache.org/bylaws.html>.

There was a discussion on the DEV list regarding the "bar" for Committership.
The consensus is to keep the bar set fairly high and wait until a contributor has
submitted a good number of useful patches directly to Struts.

Our latest stable release is still 1.1 (29 June 2003). We issued a 1.2.1 release
on 11 July 2004, which is currently categorized as a beta. We anticipate 1.2.1
(or a 1.2.2) being promoted to GA over the next 30 days.

23 Jun 2004

-PMC Actions-

* Niall Pemberton is elected as a Struts Committer.

* Two new subprojects (our first) are approved. One that utilizes BSF
 so that "Actions" can be scripted rather than expressed as Java
 code. Another is a port of Cocoon's Control Flow to
 Struts. Infrastructure details are being addressed. The initial code
 for both projects was developed by a Struts PMC member, Don Brown,
 who is filing a code grant to the ASF. Both codebases are ready for
 release testing.

-Significant threads-

* Compiling Struts from source and running the Cactus tests continues
 to be a challenge for some developers. Completing the move to Maven
 should help.

-Releases-

* Stable release: 1.1 (29 June 2003).

* Next anticipated release: 1.2.1

* Anticipated time-frame (if any): Awaiting stable release of a
 dependency (Commons Validator).

-Roadmap-

* Struts 1.x will remain based on Servlet 1.2/JSP 1.1 (evolution).

* Struts 1.3.x will introduce the "Struts Chain" request
 processor. Some packages, like the taglibs, will be released as
 separate subprojects.

* Struts 2.x will be based on Servlet 2.4/JSP 2.0 (revolution).

* The Apache Struts repository will be rationalized to accommodate
 subprojects and Maven once a stable Struts 1.2.x release is available.
 Subprojects will be the unit of release. Each subproject will be a
 distinct Maven "artifact". Pending this step, the website and
 repository remain under jakarta.apache.org.

* For more see <http://jakarta.apache.org/struts/status.html>.

-Mailing list Subscriptions-

* User: 1851
* User digest: 874
* Dev: 713
* PMC: 14

-Wiki Posts-

* 103 new posts; 175 total (since Apr 8)

-CVS Activity-

* Timeframe: 38 days, Total Commits: 25 Total Number of Files Changed: 57.

-Showstoppers-

* A stable 1.1.3 release of the Commons Validator.

26 May 2004 [Craig McClanahan]

Discussion and Approval tabled due to time constraints.

17 Mar 2004

Establish Apache Struts PMC

  WHEREAS, the Board of Directors deems it to be in the best
  interests of the Foundation and consistent with the
  Foundation's purpose to establish a Project Management
  Committee charged with the creation and maintenance of
  open-source software related to the Apache Struts framework,
  for distribution at no charge to the public.

  NOW, THEREFORE, BE IT RESOLVED, that a Project Management
  Committee (PMC), to be known as the "Apache Struts PMC", be and
  hereby is established pursuant to Bylaws of the Foundation; and
  be it further

  RESOLVED, that the Apache Struts PMC be and hereby is
  responsible for the creation and maintenance of software for
  Apache Struts and for related software components, based on
  software licensed to the Foundation; and be it further

  RESOLVED, that the office of "Vice President, Apache Struts" be
  and hereby is created, the person holding such office to serve
  at the direction of the Board of Directors as the chair of the
  Apache Struts PMC, and to have primary responsibility for
  management of the projects within the scope of responsibility
  of the Apache Struts PMC; and be it further

  RESOLVED, that the persons listed immediately below be and
  hereby are appointed to serve as the initial members of the
  Apache Struts PMC:

   Craig R. McClanahan
   Ted Husted
   Rob Leland
   Cedric Dumoulin
   Martin Cooper
   Arron Bates
   James Holmes
   David M. Karr
   David Graham
   James Mitchell
   Steve Raeburn
   Don Brown
   Joe Germuska

  NOW, THEREFORE, BE IT FURTHER RESOLVED, that Craig
  R. McClanahan be and hereby is appointed to the office of Vice
  President, Apache Struts, to serve in accordance with and
  subject to the direction of the Board of Directors and the
  Bylaws of the Foundation until death, resignation, retirement,
  removal or disqualification, or until a successor is appointed;
  and be it further

  RESOLVED, that the initial Apache Struts PMC be and hereby is
  tasked with the creation of a set of bylaws intended to
  encourage open development and increased participation of
  the Apache Struts Project, in the Java language as well as
  others, and be it further

  RESOLVED, that the initial Apache Struts PMC be and hereby is
  tasked with the migration and rationalization of the Jakarta
  PMC Struts subproject, and be it further

  RESOLVED, that all responsibility pertaining to the Jakarta
  Struts sub-project and encumbered upon the Jakarta PMC are
  hereafter discharged.

 Approved by Unanimous Vote.