Apache Logo
The Apache Way Contribute ASF Sponsors

Formal board meeting minutes from 2010 through present. Please Note: The board typically approves minutes from one meeting during the next board meeting, so minutes will be published roughly one month later than the scheduled date. Other corporate records are published, as is an alternate categorized view of all board meeting minutes.

2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 | Pre-organization meetings

Struts

18 Jan 2017 [René Gielen / Bertrand]

Within the reporting period we saw reasonable community and development
activity. Both the 2.3 and 2.5 branch received further bug fixing and
feature enhancement efforts, with a clear focus on the 2.5 branch.
Adoption of the new 2.5 release line, being considered as a transition
and consolidation branch on our way towards Struts 3, is on the rise and
we might discuss dropping support for the 2.3 line later this year.

We received a few reports regarding possible security issues, one of
which led to a security bulletin and a fix found in Struts 2.5.8 [1]. In
addition we received a notice that recent releases have been signed with
unresolvable GPG keys. This issue should be resolved for upcoming releases.

Based on the feedback we received from board on the last report, we
started discussion on possible new committership candidates. We widened
a bit the scope of investigation and identified a few contributors that
might be valuable additions. The first candidate is now being
voted upon. The others are still being monitored closely.

No new committer or PMC member was added in the last quarter.
The last committership addition was on 2015-10-23 (Aleksandr Mashchenko).
The last PMC addition was on 2016-08-13 (Aleksandr Mashchenko).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/s2-044.html

19 Oct 2016 [René Gielen / Jim]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two releases in the last quarter.
* Struts 2.3.30 - full GA release including bug fixes and feature
enhancements (2016-07-07)
* Struts 2.5.2 - full GA release including bug fixes and feature
enhancements (2016-07-07)

Within the reporting period we saw reasonable community and development
activity. Both the 2.3 and 2.5 branch received further bug fixing and
feature enhancement efforts. The new 2.5 release line, being considered
as a transition and consolidation branch on our way towards Struts 3,
seems to be adopted very well by our user community. Traffic on the user
mailing list was slightly more vivid in the last quarter.

No new committer was added in the last quarter. The last committership
addition was on 2015-10-23 (Aleksandr Mashchenko).
In the reporting period Aleksandr Mashchenko (amashchenko) accepted our
invitation to join the PMC as a new member, effective 2016-08-13 [1].

We have no issues that require board assistance at this time.

[1] https://s.apache.org/struts-amashchenko-pmc

20 Jul 2016 [René Gielen / Jim]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made six release in the last quarter.
* Struts 2.3.20.3 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.3.24.3 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.3.28.1 - Struts 2.3 security fix release (2016-04-21)
* Struts 2.5 - first full GA release new Struts 2.5 development line
(2016-05-11)
* Struts 2.3.29 - full GA release including bug fixes, feature
enhancements and security fixes (2016-06-17)
* Struts 2.5.1 - full GA release including bug fixes, feature
enhancements and security fixes (2016-06-18)

The reporting period marked a rather busy quarter. The team was pleased
to successfully prepare and release the first GA version of the new
Struts 2.5 development line. Struts 2.5 includes new features,
consolidations and dependency upgrades along with dropping support for
already deprecated APIs and framework parts and significantly improved
performance. It is considered a milestone release towards Struts 3,
which is supposed to include major new features as well as breaking
changes. We have received a lot of positive feedback on the new
development line from the community so far.

Besides that, we had to deal with various security issue reports. The
valid issues, including some of critical severity, lead to timely
security fix releases. The communication and issue management went very
well, including valuable advices from the Apache Security Team [1].

Our fellow Struts PMC member Johannes Geppert gave a talk on combining
Apache Struts with Angular JS for building modern web applications at
ApacheCon NA, Vancouver.

No new committer or PMC member was added in the last quarter. The last
committership addition was on 2015-10-23 (Aleksandr Mashchenko). The
last PMC membership addition was on 2016-02-28 (Greg Huber).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/security-bulletins.html

20 Apr 2016 [René Gielen / Shane]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two release in the last quarter.
* Struts 2.5-BETA-3 - Struts 2.5 beta release (2016-01-22)
* Struts 2.3.28 - full GA release including bug fixes, feature
enhancements and security fixes (2016-03-22)

In the beginning of the reporting period we released Struts 2.5 Beta 3.
Struts 2.5 includes new features, consolidations and dependency upgrades
along with dropping support for already deprecated APIs and framework
parts. It is considered a milestone release towards Struts 3, which is
supposed to include major new features as well as breaking changes.

In the remainder of the last quarter development focus shifted back to
the Struts 2.3 release line, since it became clear that we would need at
least one intermediate release in the stable branch including bug fixes
and feature enhancements before we can move on towards a possible Struts
2.5 GA release. We released three new security
bulletins with the advent of Struts 2.3.28 [1].

No new committer was added in the last quarter. The last committership
addition was on 2015-10-23 (Aleksandr Mashchenko). Greg Huber (ghuber)
accepted our invitation to join the PMC in the last quarter (2016-02-28).

We have no issues that require board assistance at this time.

[1] https://struts.apache.org/docs/security-bulletins.html

20 Jan 2016 [René Gielen / Sam]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter. Last GA release was
* Struts 2.3.24.1 - security fix release (2015-09-15)

Given this was the holiday season, we saw rather vivid development and
feedback activity within the reporting period. Work on Struts 2.5 keeps
moving forward, with a BETA 3 soon to be published. Struts 2.5 includes
new features, consolidations and dependency upgrades along with dropping
support for already deprecated APIs and framework parts. It is
considered a milestone release towards Struts 3, which is supposed to
include major new features as well as breaking changes.

We have currently three security reports under investigation. Progress
on these non-critical issues went rather slow, with Apache Security team
having to remind us that these issues are quite long-standing now. Two
of these issues seem to be finally fixed now, with announcements and an
improved solution to come up with the next Struts 2.3 GA release,
expected to arrive very soon. Thanks to Mark Thomas for his very
valuable help on analyzing one of these issues and giving advice on how
to improve on it. We made progress with the third issue as well.

We continue to receive high quality contributions by non-committers via
our GitHub mirror and issue tracking. This includes not only drive-by
patches, but also, and more importantly, continued involvement by
various individuals. We keep monitoring them as they might qualify for
committership addition.

Aleksandr Mashchenko (amashchenko) was added as new committer effective
2015-10-23.
No new PMC members have been added in the last quarter. Last PMC
addition was on 2015-05-12.

We have no issues that require board assistance at this time.

21 Oct 2015 [René Gielen / Greg]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts 2.3.24.1 - security fix release (2015-09-15)
* Struts Annotations 1.0.6 - switch processing from APT to Annotation
Processor API (2015-09-29)

The Struts team made two BETA releases in the last quarter, for the
upcoming Struts 2.5 framework line
* Struts 2.5-BETA2 - bug fixes, security fixes and improvements over
BETA1 (2015-09-28)
* Struts 2.5-BETA1 - first public test version including consolidations,
deprecations, dependency upgrades and new feature additions (2015-07-17)

Within the reporting period we saw vivid development and feedback
activity. Work on Struts 2.5 moves forward quickly, with a first GA
version probably soon to be released. Struts 2.5 includes new features,
consolidations and dependency upgrades along with dropping support for
already deprecated APIs and framework parts. It is considered a
milestone release towards Struts 3, which is supposed to include major
new features as well as breaking changes.

We addressed two security issues in the last quarter, one of which lead
to a security announcement advising users to  switch off debug mode in
production environments [1], the other being addressed by Struts
2.3.24.1 security fix release [2].

We continue to see positive effects from our switch to a git-based
workflow being mirrored on GitHub, along with accepting external
contributions via pull requests combined with properly filed and
documented JIRA tickets. There is a significant rise in high quality
contributions by non-committers. The PMC is currently in the process of
voting on committership invitation for one of these individuals.

The Apache Struts project was also represented at ApacheCon EU: core at
the beginning of October. PMC member Johannes Geppert gave a talk
targeting the upcoming Struts 2.5 release and combining Struts 2 with
AngularJS.

No new committers or PMC members have been added in the last quarter.
Last PMC addition was on 2015-05-12, last committer addition on 2014-01-06.

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-025.html
[2] http://struts.apache.org/docs/s2-026.html

15 Jul 2015 [Rene Gielen / Greg]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made two GA releases in the last quarter:
* Struts 2.3.21.1 - security fix release (2015-05-06)
* Struts 2.3.24 - improvement and bug fix release

Within the reporting period we saw a boost in development activity. Work
on Struts 2.5 has not only started, but it is also next to completion
according to our plans. Struts 2.5 will include new features and drop
support for deprecated APIs and framework parts. It is considered a
milestone release towards Struts 3, which is supposed to include major
new features as well as breaking changes.

No new committers have been added in the last quarter. Christoph Nenning
(cnenning) joined the PMC as a new member (2015-05-12). Last committer
addition was on 2014-01-06.

22 Apr 2015 [Rene Gielen / Rich]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made no releases in the last quarter. A release vote for
Struts 2.3.22 test build was canceled, a vote for a Struts 2.3.23
release is currently underway.
The last GA release was Struts 2.3.20 (2014-12-07)

Within the last quarter we saw reasonable development and community
activity. Since moving to git based SCM along with our git mirror being
available at GitHub, we see an increase in pull requests issued by
community members contributing valuable patches to the project. In
combination with requiring JIRA tickets for pull request to be accepted
as contributions, we seem to a have a lightweight yet solid process in
place, enabling both for easy accessible contributions as well as
meaningful and documented code reviews and a well guarded patch
acceptance workflow.

No new committers or PMC members have been added in the last quarter.
The PMC voted to invite Christoph Nenning (cnenning) to join the PMC, we
are currently awaiting his response.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

21 Jan 2015 [Rene Gielen / Sam]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support technologies such as REST, AJAX and JSON.

The Struts team made one release in the last quarter:
* Struts 2.3.21 - feature, bug fix and security fix release (2014-12-08)

The last quarter was dominated by stabilizing and releasing Struts
2.3.20, which is a major feature and bug fix release with more than 140
issues addressed. It also addresses a security issue known as
CVE-2014-7809 / JVN#88408929 [1]

We have made no progress in releasing a security fix version of the
already EOLed Struts 1 framework. However, a workaround now exists which
was developed and is provisioned externally. [2]

In the last quarter we released a fully reworked web site, including a
brand new Struts logo [1]. The design was kindly provided by
SoftwareMill, a polish software development shop our fellow PMC member
Łukasz Lenart is working for.

Within the reporting period we saw a significant rise in discussion and
planning efforts regarding a major new framework development line to be
released as Struts 3.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

[1] http://struts.apache.org/docs/s2-023.html
[2] https://github.com/rgielen/struts1filter
[3] http://struts.apache.org/

15 Oct 2014 [Rene Gielen / Doug]

The Apache Struts MVC framework is a solution stack for creating elegant
and modern action-based Java web applications. It favors convention over
configuration, is extensible using a plugin architecture, and ships with
plugins to support REST, AJAX and JSON.

The Struts team made no releases in the last quarter.

Within the last quarter we saw major development activity for the
upcoming release of Struts 2, which will be a major feature and bug fix
release with more than 140 issues addressed. A test build is available
and currently under community review.

We haven't made too much progress regarding a possible security fix
release for the critical vulnerability in the already EOLed Struts 1
distribution, as reported in the last quarter. We have published a
workaround solution as well as a test builds based on a hardened
commons-beanutil library, but we are still undecided on whether we can
manage to provide a full featured release.

We are about to release a fully reworked web site, including a brand new
Struts logo [1]. The design  was kindly provided by Software Mill, a
polish software development shop our fellow PMC member Łukasz Lenart is
working for.

In August Struts committer Christoph Nenning gave a talk about Struts 2
at JUG Munich, Germany.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

We have no issues that require board assistance at this time.

[1] http://people.apache.org/~lukaszlenart/

16 Jul 2014 [Rene Gielen / Bertrand]

The Apache Struts project community provides an action-based Java web
application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.16.2 - security fix release (2014-04-24)
* Struts 2.3.16.3 - security fix release (2014-05-03)

The last quarter was dominated by dealing with a major security issue.
The root cause for this issue is a widely overseen feature in Java Core
API that, in combination with using an expression language or bean
manipulation library, might lead to class loader access which in turn
allows for RCE attacks in certain server environments. Various web
frameworks were and might still be affected. Both Struts 1 and Struts 2
turned out to be affected.

For Struts 2 we received a vulnerability report leading to a very timely
security fix release followed by another security fix release to close
an additional attack vector for the same vulnerability. In favor for
these releases the vote on our next scheduled feature release 2.3.17 was
dropped.

Soon after disclosing the Struts 2 vulnerabilities, we got notified that
Struts 1 is affected as well. Despite Struts 1 had its EOL announcement
more than one year ago, the Struts PMC felt responsible to help the wide
user base still relying on Struts 1. The HP Fortify team was very
helpful in analyzing the issue and providing a mitigation path. The
issue caused enormous mail traffic, and we did our best to deal both
with communications and providing counter measures in an ASAP fashion.

While analyzing the issue deeper we found that we should contact both
the Tomcat PMC and the Commons PMC to have them review the issue impact
and evaluate if Apache Tomcat and commons-beanutils might want to
address this as well. Not unexpectedly, the Tomcat PMC decided that the
issue should not be addressed at container level but solely on the level
of deployed applications. The Commons PMC however decided that the issue
at its root cause should be addressed in commons-beanutils. In an
admirable cross project effort folks from Commons and Struts PMC,
including emeritus members, worked hard to get a solution out the door.

We are preparing a security fix release for Struts 1 including the new
commons-beautils library fixing the said issue.

In the aftermath of the buzz created by this issue and taking into
account the industry relevance of the Struts web framework family,
Google announced to add Apache Struts to their patch reward program.

No new committers or PMC members have been added in the last quarter. We
invited Bruce Phillips to join the PMC, but he rejected. Last PMC member
addition was on 2013-05-11, last committer addition on 2014-01-06.

We have no issues that require board assistance at this time.

16 Apr 2014 [Rene Gielen / Bertrand]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.16.1 - security fix release (2014-03-02)

In the last quarter we had to deal with a security vulnerability in
commons-fileupload and a class loader manipulation issue. The issues
were fixed in a timely manner, resulting in the release of  Struts
2.3.16.1. Currently the team is about to release Struts 2.3.17, which
will include a major number of enhancements and bug fixes.

Within the reporting period the Struts 2 codebase has been successfully
moved to git. The team decided to adopt a git-flow based workflow.

In this period we saw slightly increased community activity on the
mailing lists and issue tracker, along with increased development activity.

No new committers or PMC members have been added in the last quarter.
Last PMC member addition was on 2013-05-11, last committer addition on
2014-01-06.

The employer our fellow PMC member Łukasz Lenart, the Poland-based
company SoftwareMill, was kind enough to donate design resources to the
Apache Struts project. We are currently in the process of new logo and
unique web site design development.

We have no issues that require board assistance at this time.

15 Jan 2014 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.15.3 - security fix release (2013-10-15)
* Struts 2.3.16 - improvements and bugfixes (2013-12-08)

In the last quarter we had to deal with a broken access control security
vulnerability. The issue was fixed in a timely manner, resulting in the
release of Struts 2.3.15.3

In this period we saw constant community activity on the mailing lists and
issue tracker, along with reasonable development activity.

In the last quarter we added Greg Huber (ghuber - 2014-01-06) as a new
committer. No new PMC members were added in this period.

As a notable addendum to the last quarter's report, the Apache Struts web site
was relaunched with a cleaned up and modernized design (2013-09-17).

In October, the Warsaw JUG organized Warsjawa conference featured a Struts
Hackathon lead by our fellow PMC member Łukasz Lenart.

We have no issues that require Board assistance at this time.

16 Oct 2013 [Rene Gielen / Bertrand]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.15.1 - critical security fix release (2013-07-16)
* Struts 2.3.15.2 - security fix release (2013-09-20)

In the last quarter we had to deal with various security issues, including a
severe code execution vulnerability that led to the release of Struts
2.3.15.1. The said release was prepared with highest priority and published
in coordination with a well known company whose products were partly
affected by this vulnerability. Nevertheless, we heard a lot of news that
many high profile Struts 2 adopters did not update in a timely manner,
leading to successful hacking attacks by exploiting the said vulnerability.
In coordination with the Apache Security Team we adjusted our vulnerability
disclosure procedure to not include detailed information such as proof of
concept examples, at least within a reasonable waiting period after the
release date.

Again all involved Struts developers along with the reporters of said issues
did a great job regarding analysis, resolving and releasing in a timely
manner.

In the last quarter we saw constant community activity on the mailing lists
and issue tracker. The development activity was noticeably influenced by
resources being busy with security topics, leading to slightly slowed down
development on new features.

A group of Struts PMC members, most notably Christian Grobmeier, organized
an open Struts hackathon in Augsburg, Germany, in cooperation with the local
Java User Group. The two-day event started on 2013-09-06 with a mini
conference which was overwhelmingly attended. On day two we had a hackathon
featuring three Struts PMC member, some Struts adopters and people being
just curious about Struts and open source development. All in all the event
was huge success.

Our fellow PMC member Łukasz Lenart is currently organizing a similar event
in Warsaw, Poland, in cooperation with the Warsaw Java User Group.

We have no issues that require Board assistance at this time.

17 Jul 2013 [Rene Gielen / Shane]

Apache Struts is an action-based Java web application framework.

The Struts team made five releases in the last quarter:
* Struts 2.3.14 - improvements and bugfixes (2013-04-15)
* Struts 2.3.14.1 - security fix release (2013-05-23)
* Struts 2.3.14.2 - security fix release (2013-05-27)
* Struts 2.3.14.3 - security fix release (2013-06-05)
* Struts 2.3.15 - improvements and bugfixes (2013-06-24)

A series of severe security issues popped up in the last quarter,
including one zero-day exploit. All involved Struts developers along
with the reporters of said issues did a great job regarding analysis,
resolving and releasing in a timely manner.

Our security team has received a new vulnerability report of high
severity. We have prepared a patch and we are ready to release. We have
to coordinate our actions with a company co-reporting the issue, since
some of their products are affected.

In the last quarter we saw slightly increased community activity on the
mailing lists and issue tracker along with again rather high development
activity.

Within this reporting period we added Christian Grobmeier (grobmeier -
2013-05-11) to the PMC. Bruce Phillips (bphillips - 2013-06-24) was
added as a new committer.

A group of Struts PMC members is currently preparing an open Struts
hackathon in Augsburg, Germany, in cooperation with the local Java User
Group [1]. The two-day event will start on 2013-09-06 with currently
four Struts PMC members having confirmed their participation.

We have no issues that require Board assistance at this time.

[1] http://strutsathon.opensource.io/index-en.html

17 Apr 2013 [Rene Gielen / Rich]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.12 - Improvements and bugfixes (2013-03-06)
Currently the Struts 2.3.14 GA release vote is running

The Struts community has voted to announce the end of life for the
Struts 1.x product line. The official announcement [1] and a related
press statement [2] were published on 2013-04-05. Sally Khudairi and the
Apache marketing team generously helped us to spread the word.

The Struts project web site was successfully moved to the new CMS /
SvnPubSub infrastructure with the kind help of the infra team.

Our security team has received a notification about a possible security
vulnerability from folks at Akamai. We are currently investigating this
issue.

In the last quarter we saw reasonable community activity on the mailing
lists along with rather high development activity. Niall Pemberton
(niallp) decided to go emeritus on the Struts PMC. No new committers or
PMC members were added in this period.

We have no issues that require Board assistance at this time.

[1] http://struts.apache.org/struts1eol-announcement.html
[2] http://struts.apache.org/struts1eol-press.html

16 Jan 2013 [Rene Gielen / Rich]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.7 - Improvements and bugfixes (2012-11-20)
* Struts 2.3.8 - Performance improvements (2012-12-22)

The Struts project was represented at ApacheCon EU in November. PMC
members Johannes Geppert and René Gielen gave a talk on Struts 2, which
seemed to be well received.

We are currently in the discussion to switch parts of the development
from Subversion to Git.

The Struts project web site hasn't yet moved to the new CMS / SvnPubSub
infrastructure. We were notified by infra on 2012-12-10 that this
migration is now due. The Struts team worked out it's desired migration
path and filed a corresponding JIRA issue for infra support on
2012-12-15 [1]. We are now working with infra to proceed on that issue.

In the last quarter Martin Cooper (martinc) decided to go emeritus on
the Struts PMC. No new committers or PMC members were added in this period.

We have no issues that require Board assistance at this time.

[1] https://issues.apache.org/jira/browse/INFRA-5659

17 Oct 2012 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.4.1 - Fast Track Security Fix Release

Struts 2.3.4.1 fixes two security issues regarding CSRF protection and
DOS attack prevention, see [1] and [2]. The reaction time from issue
reporting to fix release was pretty good.

Two more possible security issues were reported this quarter. The first
one allows for remote code execution in a scenario of not properly
sanitized user input. While user input sanitizing is basically a
developer issue, we have included a complex prevention patch into our
upcoming Struts 2.3.5 feature release which is currently in the process
of quality voting. The second reported issue is about possible XSS
vulnerabilities, but so far we are not exactly sure if we fully
understand the reporter and whether a real issue exists here.

The Struts project will be represented at ApacheCon EU in November,
where PMC members Johannes Geppert and René Gielen will be giving a talk
on Struts 2. Informal Struts community gatherings will be organized on
request.

In the last quarter no new committers or PMC members were added.

We have no issues that require Board assistance at this time.

[1] https://cwiki.apache.org/confluence/display/WW/S2-010
[2] https://cwiki.apache.org/confluence/display/WW/S2-011

25 Jul 2012 [Rene Gielen / Greg]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter, both of which
addressed feature enhancements and bug fixes:
* Struts 2.3.2
* Struts 2.3.4

We have been approached with two minor security issues in the last
quarter, one for Struts 2 allowing CSRF attacks when using an
undocumented feature and one for Struts 1 allowing to view server side
web application files when using an experimental yet released feature.
We are in the process of evaluating possible impacts and solutions.

In the last quarter we added Johannes Geppert (jogep) to the PMC. No
committers were added in this period.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding (fixed)
----------------------------------------
Trademark Attributions:
there are currently no missing attributions the PMC is aware of

(all other topics were marked as fixed already previous reports)

(Struts)

18 Apr 2012 [Rene Gielen / Roy]

Apache Struts is an action-based Java web application framework.

The Struts team made one release in the last quarter:
* Struts 2.3.1.2 - security fix release

With the latest release we closed an important security issue reported by
Meder Kydyraliev, Google Security Team [1]. Dealing with the issue and the
reporter went very well both in terms of communication and disclosure as
well as time to fix.

The next regular release, Struts 2.3.2, is just around the corner. The
release candidate build is available for community testing and quality
voting.

In March Sally Khudairi approached us with a media query from ZDNet
regarding a Sonatype sponsored study about open source security fix
provisioning and adoption. Since Struts 2 was explicitly referenced as an
example for the relation between security patch provisioning and actual end
user downloads and patch deployments, the PMC decided to craft and forward a
general statement on this topic. Parts of the statement were cited in the
actual article [2].

In the last quarter no new committers or PMC members were added.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding:
Trademark Attributions: in progress
(all other topics were marked as already fixed in previous reports)

[1] http://struts.apache.org/2.x/docs/s2-009.html
[2] http://s.apache.org/Ct9

24 Jan 2012 [Rene Gielen / Sam]

Apache Struts is an action-based Java web application framework.

The Struts team made two releases in the last quarter:
* Struts 2.3.1 - various bug fixes and improvements such as plugin support for
 Contexts And Dependency Injection (CDI) and Portlet 2.0
* Struts 2.3.1.1 - security fix release

In December we announced the end of life for the Struts 2.0.x branch, which
for some time was supported in parallel to the Struts 2 trunk releases, due to
breaking API changes introduced with Struts 2.1. However, important security
fixes did not make it into the Struts 2.0.x branch lately. For that reason we
recommended our users to switch all their existing applications to the latest
Struts 2 versions.

With the latest releases we closed two important security issues reported by
JPCERT [1] and Sec Consult [2]. Dealing with both issues and their reporters
went very well both in terms of communication and disclosure as well as time
to fix.

In the last quarter we added Maurizio Cucchiara (mcucchiara) and John Lindal
(jafl) to the PMC. Christian Grobmeier (grobmeier) was added as a new
committer in this period.

We have no issues that require Board assistance at this time.

Trademarks and Project Branding (ongoing)
----------------------------------------
Trademark Attributions: ongoing
(all other topics were marked as fixed already previous reports)

[1] http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000106.html
[2] https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

26 Oct 2011 [Rene Gielen / Roy]

Apache Struts is an action-based Java web application framework.

In September, the Struts team released Struts 2.2.3.1 as GA, which is a security
fix release for Struts 2.2.3 regular release. The security issue fixed by this
release, rated with a maximum security rating of "Important", was unfortunately
again reported undisclosed via JIRA. Given that, the development team this
time did a very good job to both fix the issue and prepare the security fix
release ASAP. We updated the "Reporting Security Issues" section of the Struts
website to emphasize how important disclosure is for security reports.

We have received two more security reports via our security mailing list. JPCERT
notified us about a possible remote command execution vulnerability validated
against an old version of Struts 2, namely 2.0.14. We believe that the issue is
already addressed and fixed in newer releases, which we asked JPCERT to
crosscheck. Communication on their side seems to take its time, though. The
second issue about a possible XSS attack was reported by a company named SecPod.
After investigating we came to the conviction that this is not an issue at all,
since it refers to obviously missing user input sanitizing in a small Struts 2
showcase application section intended to demonstrate a particular Struts 2
feature not related to that topic. Our final report to SecPod is currently
crafted and will be sent soon.

The development community has been quite active to prepare the next regular
release of Struts 2, adding various bug fixes and improvements such as plugin
support for Contexts And Dependency Injection (CDI), which has been voted on to
be moved out of the sandbox and to be included in the project trunk. Meanwhile a
prolific discussion is happening about a possible Struts 3 release, supposed to
include major refactorings and overhauls. There has been a noticeable increase
of community issue reports and contributions of generally high quality, also
indicating quite a few new business adopters.

In the last quarter we added Philip Luppens (phil) to the PMC and voted Maurizio
Cucchiara (mcucchiara) and John Lindal (jafl) to be invited to the PMC (board
ack period still ongoing, invitation pending). No committers were added in this
period.

We have no issues that require Board assistance at this time.

--- Trademarks and Project Branding (ongoing) ---
Trademark Attributions: ongoing
(all other trademark topics were marked as fixed already in last report)

20 Jul 2011 [Rene Gielen / Greg]

In May, the Struts team released Struts 2.2.3 as GA, which includes both
new features, bug fixes and enhancements as well as an important
security bug fix for an XSS vulnerability.

The said security issue was unfortunately reported via JIRA rather than
our security mailing list. The sub-optimal time to fix for this already
disclosed issue lead the PMC to a discussion on how to improve our
process for dealing with security reports. We are making progress with
this discussion, but it is not finished yet.

The security team was contacted by Helen Atkins of Veracode to review a
static security scan report on Struts 2 before disclosure, created on
behalf of an unnamed Veracode client. A few PMC members were provided
with accounts to the Veracode platform. The review did not reveal any
markable issues so far.

The development community has been quite active to prepare the next
major release of Struts 2, which is intended to remove deprecated APIs
and plugins and to add new functionality such as Portlet 2.0 (JSR 286)
support, which has been voted on to be moved out of the sandbox and to
be included in the project trunk.

No new committers or PMC members have been added in the last quarter.

Trademarks and Project Banding (ongoing)
========================================
Project Website Basics: fixed
Project Naming and Descriptions: fixed
Website Navigation links: fixed
Trademark Attributions: ongoing
Logos and Graphics: fixed
Project Metadata: fixed

20 Apr 2011

Change the Apache Struts Chair

 WHEREAS, the Board of Directors heretofore appointed Martin
 Cooper to the office of Vice President, Apache Struts, and

 WHEREAS, the Board of Directors is in receipt of the resignation
 of Martin Cooper from the office of Vice President, Apache Struts,
 and

 WHEREAS, the Project Management Committee of the Apache Struts
 project has chosen by vote to recommend René Gielen as the
 Successor to the post;

 NOW, THEREFORE, BE IT RESOLVED, that Martin Cooper is relieved and
 discharged from the duties and responsibilities of the office
 of Vice President, Apache Struts, and

 BE IT FURTHER RESOLVED, that René Gielen be and hereby is
 appointed to the office of Vice President, Apache Struts, to
 serve in accordance with and subject to the direction of the
 Board of Directors and the Bylaws of the Foundation until
 death, resignation, retirement, removal or disqualification, or
 until a successor is appointed.

 This resolution passed unanimously on a roll call vote.

20 Apr 2011 [Martin Cooper / Shane]

The current Chair, Martin Cooper, has elected to step down. A resolution
has been presented for this board meeting wherein the Struts PMC
recommends René Gielen as the new Chair.

This quarter saw no new Struts releases. A vote for a Struts 2.2.3
release is pending at this time, and roadmap discussions are ongoing.
There was no activity on Struts 1 this quarter.

Johannes Geppert (jogep) has joined us as a new committer. There
have been no changes to the PMC.

19 Jan 2011 [Martin Cooper / Noirin]

In December, the Struts team released Struts 2.2.1.1 as GA, primarily
to address a reported XSRF issue. We also released Struts Master 8, a
Maven POM update, to pick up changes from the ASF master POM.

As part of the Apache Extras initiative, the Struts team has
registered several names, viz Struts, Struts 1, Struts 2, S2, WebWork,
and XWork.

There have been a couple of questions around the contribution of web
site translations from the community. We are unaware of any ASF policy
around this, and have been addressing the enquiries on a case by case
basis.

Two new committers joined the team this quarter, namely Maurizio
Cucchiara (mcucchiara) and John Lindal (account creation pending).
There were no changes to the PMC.

20 Oct 2010 [Martin Cooper / Doug]

The Struts team released Struts 2.2.1 as GA in August, but otherwise
the quarter was a very quiet one, with little other activity within
the development community.

The Struts zone was deleted as part of the overall infrastructure
changes, but the Struts team elected not to replace it with a jail
since the zone had not been utilized for some time. We added a new
moderator for our security alias, with the goal of improving our
responsiveness when such issues appear.

Nils-Helge Garli Hegvik (nilsga) elected to go emeritus this quarter.
There have been no other changes to the team.

21 Jul 2010 [Martin Cooper / Noirin]

This has been another quiet quarter for Struts. The Struts 2.2.0 release
process was canceled due to issues with the artifacts; a vote for a
Struts 2.2.1 release is currently underway. We released a new version
of our master Maven POM (Struts Master 7). There was no activity on
Struts 1 this quarter.

Due to the issues with the 2.2.0 build, we do not yet have a release that
addresses the reported vulnerability with XWork. We anticipate that the
2.2.1 release should take care of this.

The adoption of Nexus for streamlining the release process, noted in the
previous report, has been completed.

We added Lukasz Lenart (lukaszlenart) to the PMC this quarter, but added
no new committers.

21 Apr 2010 [Martin Cooper / Brett]

This has been a remarkably quiet quarter for the Struts project. No
releases were made this quarter. An XSS vulnerability was reported
against Struts 2.1.8.1, and the provided patch has been applied.

The IP Clearance process for bringing XWork to Struts is now complete,
the final Incubator vote having recently concluded. A software grant
has been received and recorded by the ASF from Google for a GXP plugin
that will become a part of Struts 2.

The previously independent Struts instance of JIRA has now been merged
into the main ASF JIRA instance. For future Struts releases, the team
has elected to use the ASF instance of Nexus to streamline the process.

No new committers or PMC members have been added in the last quarter.

Security patch, but no release? How was the patch released?

20 Jan 2010 [Martin Cooper / Doug]

This last quarter saw only one new release, that of Struts 2.1.8.1 as GA.
As one might expect, this is a patch release that resolves issues with our
2.1.8 release. Discussions are underway on the goals of Struts 2.2, and a
new JSR 299 / CDI / WebBeans plugin has been created in our sandbox.

The IP Clearance process for bringing XWork to Struts is largely complete,
pending only the filing of final paperwork, which should be completed shortly.

A new Confluence wiki space has been created for the purpose of reorganising
the Struts 2 documentation and adding new tutorials. An effort is also under
discussion to migrate the Struts 1 documentation from XML in Subversion to a
Confluence space. Hen has made forward motion on merging the separate Struts
JIRA instance into the main ASF JIRA instance, but apparently has run into
problems.

No new committers or PMC members have been added in the last quarter.

21 Oct 2009 [Martin Cooper / Geir]

The Struts community has been busy on several fronts this quarter. We released
Struts 2.1.8 as GA, and have a 2.1.8.1 release in the wings to resolve a minor
issue with 2.1.8. We also released Struts Annotations 1.0.5. Two more plugins,
JSON and Embedded JSP, have been promoted out of the sandbox and into the main
repo, while the two that were promoted during the previous quarter, OSGi and
OVal, were included in our 2.1.8 release. There is some discussion of a new
showcase application to more thoroughly illustrate what Struts 2 is capable of.

After much discussion over an extended period of time, we have finally started
the IP Clearance process to bring the OpenSymphony XWork project into the ASF
as a part of the Struts framework. For some time now, XWork has effectively
been little more than a component of Struts 2 that lives outside the ASF, and
bringing it here will reflect reality as well as simplify our dependency and
release management.

We have not added any new committers or PMC members this quarter.

15 Jul 2009 [Martin Cooper / Justin]

This last quarter has been slow in terms of releases, but development
activity on Struts 2 has continued apace. We released Struts Master 5,
a formal build artifact, but our expected Struts 2.1.7 release did not
make it due to problems identified in the build. Two Struts 2 plugins,
OSGi and OVal, were promoted out of our sandbox and into the main repo.
There was no activity on Struts 1 this quarter.

After some experimentation, Struts 2 has been shown to run on Google's
App Engine. Thanks in part to some urging by the Struts community, IBM
WebSphere is now available to developers, which will help with our
testing and debugging. And git mirrors have been created at the ASF
for Struts 1, Struts 2 and the Struts sandbox.

During the quarter, we added Lukasz Lenart as a committer, but made no
changes to the PMC.

15 Apr 2009 [Martin Cooper / J Aaron]

In contrast to the previous quarter's slew of releases, and in part because
of it, this quarter saw no new releases. However, work continues on Struts
2.1.7, which we expect to release shortly, as well as on several plugins,
and there is discussion of creating a branch so that work on Struts 2.2 can
begin. There was almost no activity on Struts 1 this last quarter.

Our zone is now hosting several sample applications on both Tomcat and
Jetty. Other platforms, and perhaps versions, may be added at a later date.

During the quarter, we added Mathias Bogaert as a committer, and Ted Husted
elected to go emeritus and departed the PMC.

21 Jan 2009 [Martin Cooper / Justin]

This has been a rather prolific quarter for releases in the Struts
community, with GA releases of Struts 1.3.10, 2.0.12, 2.0.14 and 2.1.6,
and of Struts Annotations 1.0.4.

In addition to all of the work on the releases themselves, we're now using
the ASF Hudson instance for regular builds, and our newest PMC member, Wes
Wannemacher, has started an initiative to make better use of our Solaris
zone. We've also cleaned out our old releases, at the request of infra.

Finally, we added Nils-Helge Garli Hegvik and Wes Wannemacher to the PMC,
while David Graham and David Karr elected to go emeritus and departed the
PMC.

15 Oct 2008 [Martin Cooper / Justin]

There have been no new releases this quarter. A Struts 2.0.11.3 release is
in the works.

Discussions continue on the core of Struts 2 as well as several of the
plugins. On the plus side, there is a good deal of interest in the use of
OSGi within Struts 2, continuing earlier work on an OSGi plugin; on the
negative side, the Dojo plugin is a bit of a thorn in our sides in its
current form, and needs to be updated or removed. There has been very
little activity on Struts 1.

The quarter saw us add Dave Newton to the PMC, while Antonio Petrelli
elected to go emeritus and departed the PMC.

16 Jul 2008

This quarter saw Struts 2.1.2 released as Beta, marking our first solid
release in the 2.1 family. We also released Struts 2.0.11.2, which
addresses a security concern with the Struts 2.0 family. A Struts 2.0.11.3
release is likely, though, due to an issue with one of our dependencies.
There were no Struts 1.x releases this quarter.

A preliminary Struts 2 roadmap has been drafted, with some initial
discussion. However, most of the energy is being put into reaching a GA
level release of Struts 2.1, subsequent to which I anticipate that the
roadmap discussion will pick up again. A continuing point of discussion
has been the future of the Dojo plugin, which has been languishing without
updates for some time. There has been some maintenance work on the Struts
1.x code line this quarter, but in general the activity level is low.

We added no new committers this quarter. Two further PMC members, Cedric
Dumoulin and James Mitchell, declared themselves emeritus and departed the
PMC. We are in the process of adding two new PMC members at this time.

16 Apr 2008 [Martin Cooper / Geir]

This quarter, we released Struts 2.0.11.1 GA, a security release that
addresses possible XSS issues. A Struts 2.1 release came closer to
reality, and is largely awaiting a release of Struts Annotations 1.0.3,
which is in the works. There are also plans for a Struts 1.3.10 release
in the near future.

In an initiative from a member of the community, in which said member
offered to pay a small sum to the person who fixed the most issues in a
specified period of time, we had a flurry of issues resolved and patches
applied. The winner of the "Closer" award fixed 10 out of the 24 qualifying
fixes, and is one of our newest committers, Wes Wannemacher.

During the quarter, we added two new committers, Wes Wannemacher and Jeromy
Evans. As part of a PMC "clean up", in which we encouraged inactive PMC
members to declare themselves emeritus if they did not expect to become
active again in the near future, we had eight departures from the PMC,
namely Patrick Lightbody, Greg Reddin, Ian Roughley, Jason Carreira, Gary
VanMatre, Hubert Rabago, Joe Germuska, and Craig McClanahan.

16 Jan 2008 [Martin Cooper / Bill]

Work on Struts 2 continues apace. During this last quarter, we released
Struts 2.0.11 as GA, and produced a first test build of the Struts 2.1 code
line. Struts 1 is garnering less attention these days, but there is still a
rivulet of bug fixes and other patches, albeit without any releases this
quarter.

At ApacheCon in Atlanta, our own Don Brown presented an excellent session
entitled "Go Light with Apache Struts 2 and REST", fitting in nicely with a
number of other REST-related sessions at the conference. The combined
Roller / Struts 2 BOF had fewer attendees than we might have hoped for, but
resulted in some productive discussion. Disappointingly, the Struts-related
tutorials were canceled due to insufficient sign-ups.

During this quarter, we added Musachy Barroso to the PMC, and removed Henri
Yandell at his request. No new committers joined us this quarter.

Approved by General Consent.

17 Oct 2007 [Martin Cooper / Justin]

There has been a lot of activity over the last quarter, especially on
Struts 2. We released Struts 2.0.9 as GA, which includes an important
security fix, and released Struts 1.3.9 as Beta. Our registry of Struts 2
plugins continues to grow, with 30 distinct plugins now registered, many
written by developers outside the project. The number of authors
contributing to our official documentation wiki also continues to grow.

On the infrastructure side, the Struts security alias, mentioned in last
quarter's report, has now been set up, and Planet Struts was the first "PMC
Planet" to be created, thanks to Sam Ruby and Ted Husted. Prompted by
infrastructure@, we handed back 1.6GB of disk space on people.a.o that we
didn't actually need.

At ApacheCon US 2007 in Atlanta next month, two tutorials and one session
will focus on Struts 2, and we expect at least six Struts committers to be
in attendance. A session on Struts 2 will also be presented at OS Summit
Asia 2007.

During this quarter, we have added three new committers (Matt Raible, Dave
Newton, and Brian Pontarelli) and two new PMC members (Henri Yandell and
Antonio Petrelli).

Approved by General Consent.

18 Jul 2007 [Martin Cooper / Henning]

Things have been running smoothly this last quarter, with little of
note for the board at this time.

We have had one GA release, of Struts 2.0.8, and a test build of
Struts 1.3.9 is up for a quality vote at this time. Both Struts
2.1 and Struts 1.4 are under active development.

Prompted by a user trying to report a security vulnerability in
Struts, we have requested a security@s.a.o alias, which we hope will
be set up shortly. (We believe the reported vulnerability had already
been resolved.)

No new committers or PMC members have been added in the last quarter.

Approved by General Consent.

25 Apr 2007 [Martin Cooper / Jim]

This quarter, we made up for the absence of releases in the previous
quarter, with GA releases of both Struts 1.3.8 and Struts 2.0.6. The
latter is particularly notable, since it is the first GA release of the
Struts 2 framework, thus marking an important milestone for the project.
With a GA release in the wild, we hope to see increased adoption of this
new framework, with a corresponding growth in the community.

Since the Apache Tiles top-level project was established by the board in
December, our Tiles colleagues have completed their move out of Struts and
into their own environment. Of course, there continues to be some overlap
in the developers and communities, and we are working with our Tiles
colleagues to ensure that Tiles integration with Struts remains strong.

Thanks to our friends at Atlassian, we now have a hosted Bamboo continuous
integration system, providing us with regular reports on the status of our
builds. After a spate of build breakages earlier in the quarter, this has
helped us identify issues more quickly.

In this last quarter, we have added Paul Benedict to our PMC, and added
four new committers, namely Philip Luppens, Tom Schneider, Musachy
Barroso, and Henri Yandell.

Finally, we have added some spiffy new icons to the Struts 2 home page:
http://struts.apache.org/2.x/index.html

Justin asked if this indicated some need for build farms within the ASF. It was noted that OSU/OSL may be able to help with this.

Approved by General Consent.

17 Jan 2007 [Martin Cooper / Cliff]

While there have been no new releases in this last quarter, there has been
a great deal of development activity. Struts 2 has been improving by leaps
and bounds, and we are close to another 2.0.x release; Tiles has gone
through significant redesign and cleanup; and Struts 1.x is making steady
progress towards another release.

In addition to the activity on the code base, and after a great deal of
discussion, our Tiles subproject was approved by the board as a new top
level project, and is in the process of moving out on its own. This will
help further two goals: providing Tiles with the opportunity and
environment to prosper beyond the confines of Struts; and refocusing the
Struts team on our core frameworks.

Subsequent to some discussion and debate elsewhere, the Struts team
reorganised our web site to clearly delineate the portions of the site
intended for end users versus developers and potential developers.

An XSS vulnerability was reported to the Struts PMC in December. The
problem has been addressed, and the fix will be included in the upcoming
Struts 1.3.6 release.

No new committers or PMC members have been added in the last quarter.

Approved by General Consent.

25 Oct 2006 [Martin Cooper / Henri]

Much of the focus in this quarter has been in driving Struts 2 forward, with
help from a growing number of contributors. Struts 2.0.1 was elevated from a
development build to a Beta release shortly after ApacheCon, thus marking our
first public release in the Struts 2 family. We also have a snazzy new logo
that signals the integration of Struts and WebWork into Struts 2!

Activity has also increased on Tiles 2 (a.k.a. Standalone Tiles), as this
moves towards its first release, and development continues on the Struts
1.3.x line, with the General Availability (GA) release of Struts 1.3.5 in
this quarter.

The Struts team made the most of ApacheCon US this year. Both a tutorial and
a session on Struts 2 were offered, as well as a Struts BOF. We also took
advantage of the opportunity to create a press release announcing our Struts
2.0.1 development build, since this is a significant milestone, bringing
together two successful web frameworks, together with their respective
communities, into a coherent whole.

Consistent with the increase in activity, and with the unification of the
Struts and WebWork communities, we have added eight people to the PMC this
quarter, namely Patrick Lightbody, Jason Carreira, Laurie Harper, Alexandru
Popescu, Rene Gielen, Rainer Hermanns, Toby Jee, and Ian Roughley. We have
also added three new committers: Antonio Petrelli, Nils-Helge Garli, and
David DeWolf.

Approved by General Consent

19 Jul 2006 [Martin Cooper / Henri]

Since our April 2006 report, our former subproject Shale has graduated to a
top-level project. Our WebWork 2 podling also graduated from the incubator
and has become the basis of Struts 2. Meanwhile, Struts 1 has released three
beta releases - 1.3.2, 1.3.3, and 1.3.4 - and a Struts 1.3.5 test build is
available and proceeding toward a release quality vote. A Struts 2.0.0
distribution is expected next month. The new Maven builds are working well,
despite the complexity of our distributions.

Three new committers have joined the fold: Paul Benedict, Michael Jouravlev,
and Bob Lee. Paul and Michael are longtime members of the Struts 1 use
community, and helped us provide new features and fixes for the Struts 1.2.9
release. Bob Lee is a longtime member of the WebWork 2 user community and
helped us prepare a short list of changes for the Struts 2.0.0 distribution.

Approved by General Consent

26 Apr 2006 [Martin Cooper / Ben]

The Struts community has been a busy one this last quarter. In terms of
releases, we released Struts 1.2.9, primarily to fix a reported
vulnerability, and Shale 1.0.2 Alpha. We also made available Struts Action
1.3.1 Test Build, the first completed build in the Struts Action 1.3 line.

After voting to accept WebWork 2, we have made progress towards removing
external dependencies with non-compatible licenses, and migrating the code
base from OpenSymphony to Struts.

We have decided to move all of the Struts components to JIRA for issue
tracking, and to Maven 2 for our build system. There has been much
discussion of splitting the user mailing list into multiple lists, based
on sub-project, but no consensus has been reached.

On the people front, we added Gary VanMatre to the PMC, and five new
committers (Alexandru Popescu, Rene Gielen, Rainer Hermanns, Toby Jee, and
Ian Roughley) as part of bringing WebWork 2 into the fold.

Greg expressed concern over the splitting of the user mailing list.

Approved by General Consent.

18 Jan 2006 [Martin Cooper / Justin]

The last quarter has been an eventful one in the Struts community. In
terms of releases, we released Struts 1.2.8, primarily to fix an XSS
vulnerability; Struts Scripting 1.0.1 is the first GA release of this
component; and Struts Shale 1.0.0 is the first Alpha release of our
newest framework.

In the wake of the web framework "unification" discussions mentioned
in our last board report, the Struts team and the WebWork team have
agreed to join forces. There have been numerous interactions between
the teams, and the team members, for some time now, and we are
confident that the merger will work well. The plan is for WebWork to
come to the ASF, and for it to provide the underpinnings for a Struts
Action Framework 2.0. We anticipate that the IP clearance process will
begin shortly, now that WebWork 2.2 has been released.

On the people front, we added Wendy Smoak as a PMC member, and Rich
Feit, Patrick Lightbody and Jason Carreira have joined us as
committers. Also, a record seven Struts committers managed to be in
the same place at the same time at ApacheCon in December, leading to
some very fruitful discussions.

Approved by General Consent.

26 Oct 2005 [Martin Cooper / Justin]

The Struts community continues to make steady progress toward the 1.3.0
release of "Struts Classic" and the 1.0.0 release of "Struts Shale", our
offering for JavaServer Faces developers (JSR-127). We've added three
new committers: Greg Reddin, Laurie Harper and Sean Schofield. Greg has
been working on Standalone Tiles, Laurie has been working with on the
Struts Classic release, and Sean is an Apache MyFaces committer who also
been working on Struts Shale. We've moved our website and development
infrastructure to Maven as our primary build, and the initial draft of
our Mavenized website is online at struts.apache.org. Our nightly builds
are now running on our Solaris 10 zone on helios. Active development is
also taking place on our Standalone Tiles and Struts Ti efforts in the
sandbox, including a substantial contribution to Struts Ti from the
Beehive PageFlow folks.

Members of our community have also been invited to particpate in two
Java web framework working groups. One group, "Clarity", would like to
create a best-of-breed framework that combines the features of Spring
MVC, Struts Classic, Struts Ti, Beehive and WebWork. The "Java Web
Alignment Group" has a similar charter, but they are trying to involve a
broader range of frameworks. Both groups are still at the "hand waving"
stage, and there is nothing concrete to report. The groups are already
intermixing, and we hope the consolidation efforts will themselves
consolidate. :)

The underlying issue is that there is not a clear migration path to
JSR-127 from frameworks like Struts Classic. Since many teams have
several years of development vested in "classic" frameworks, it may be
some time before the new formal standard displaces the entrenched de
facto standard. These working groups would like to consolidate the
classic frameworks so as to clear the road toward "next generation" web
applications.

Despite these "interesting times", the Struts community remains united
and amicable. Some of us are "scouting ahead" with Strut Shale and
Struts Ti, while others trudge along with Struts Classic, but we all
share the same path.

Approved by General Consent.

28 Jul 2005 [Martin Cooper]

This has been another busy quarter in the Struts community. Progress is
being made towards a 1.3 release of Struts "Classic", and work is
continuing on Struts Shale. The Tiles component is in the process of being
transformed into a Struts-independent package.

On the people front, Wendy Smoak has joined us as a committer, and we are
in the process of adding Gary VanMatre. We are also in the process of
adding Hubert Rabago as a new PMC member, being in the 72 hour waiting
period at the time of writing.

27 Apr 2005 [Martin Cooper]

This has been a busy quarter in the Struts community. We have completed
the refactoring of the Subversion repository into subprojects, and added a
new master build system using Maven. Two new subprojects have joined the
fold; Struts Shale is an alternative approach to web applications based on
JSF, and Struts Flow allows complex workflows to be implemented using
JavaScript. Our first proposal for a Struts subproject written in C#,
named OverDrive, has been introduced in our sandbox area.

On the people front, in addition to the change of PMC chair, one new
committer, Hubert Rabago, accepted an invitation to join us, and we
welcome back David Geary from emeritus to active status.

Apache Struts Project report approved as submitted by general consent.

23 Feb 2005

Change the Chair of the Apache Struts Project

 WHEREAS, the Board of Directors heretofore appointed Craig R.
 McClanahan to the office of Vice President, Apache Struts, and

 WHEREAS, the Board of Directors is in receipt of the resignation of
 Craig R. McClanahan from the office of Vice President, Apache Struts;

 NOW, THEREFORE, BE IT RESOLVED, that Craig R. McClanahan is relieved
 and discharged from the duties and responsibilities of the office of
 Vice President, Apache Struts, and

 NOW, THEREFORE, BE IT FURTHER RESOLVED, that Martin Cooper be and
 hereby is appointed to the office of Vice President, Apache Struts, to
 serve in accordance with and  subject to the direction of the Board of
 Directors and the Bylaws of the Foundation until death, resignation,
 retirement, removal or disqualification, or until a successor is
 appointed.

 By Unanimous vote, the above Special Order, 6A: Change the Chair
 of the Apache Struts Project, was approved.

19 Jan 2005 [Craig R. McClanahan]

The last three months have seen renewed interest and vigor about
moving Struts forward in technology terms.  Now that we have moved
our source code repository to Subversion, we are leveraging the new
capabilities to reorganize our source code into separately deliverable
artifacts (rather than one large "wad-o-stuff"), to be managed
as subprojects which can be released on their own schedules.  This
will enable us to be more responsive to the user community's desire
for timely releases, without having to coordinate one monster release.
In addition, work is underway to rationalize the build architecture
around Maven.

Technically, Struts 1.x  continues to evolve in a manner that is
fundamentally backwards compatible, but which leverages new internal
techniques (such as the Chain of Responsibility design pattern) that
will make customization and specialization much easier.  At the same time,
experimental development around a fresh look at web application
architectures is also taking place in the form of "Shale", a
JSF-based framework, being proposed as an alternative to Struts 1.x.

Apache Struts Project report approve as submitted by general consent.

20 Oct 2004 [Craig McClanahan]

The Struts community has recently released Struts 1.2.4 as the latest
stable version, focused on cleaning up deprecations from previous versions,
refactoring utility classes to improve separability of the core framework
from view tier dependencies, and incorporating the latest Commons libraries
on which we are dependent.

We recently completed a migration of our source code repository from
CVS to Subversion, and are leveraging its capabilities to refactor the
source code into separately releaseable components.  The first such
separate release is likely to be the Struts-Faces integration library
(an adapter between Struts and JavaServer Faces).

The community is busy planning an evolutionary path that focuses on
fundamentally backwards compatible improvements, and a revolutionary
("Struts 2") path that will leverage the industry wide lessons in how
web application frameworks should architected in the four years
since Struts was created.  The discussions are proceeding harmoniously
and productively.

Project Report Approved by General Consent.

18 Aug 2004 [Craig McClanahan]

We have started a reorganization of our repository. The goals of the refactoring
are to better support subprojects  with their own release cycles and building
Struts with Apache Maven.

An initial draft of the reorganization is being done under Subversion on a
private server, with all discussions taking place on the public DEV list. We will
be ready to move the work to an Apache server soon, now that we have a
consensus in favor of Subversion and Maven.

We completed a draft of Apache Struts bylaws and developer guidelines, which
is available at <http://struts.apache.org/bylaws.html>.

There was a discussion on the DEV list regarding the "bar" for Committership.
The consensus is to keep the bar set fairly high and wait until a contributor has
submitted a good number of useful patches directly to Struts.

Our latest stable release is still 1.1 (29 June 2003). We issued a 1.2.1 release
on 11 July 2004, which is currently catagorized as a beta. We anticipate 1.2.1
(or a 1.2.2) being promoted to GA over the next 30 days.

Approved by General Consent.

21 Jul 2004 [Craig McClanahan]

We have started a reorganization of our repository. The goals of the refactoring
are to better support subprojects  with their own release cycles and building
Struts with Apache Maven.

An initial draft of the reorganization is being done under Subversion on a
private server, with all discussions taking place on the public DEV list. We will
be ready to move the work to an Apache server soon, now that we have a
consensus in favor of Subversion and Maven.

We completed a draft of Apache Struts bylaws and developer guidelines, which
is available at <http://struts.apache.org/bylaws.html>.

There was a discussion on the DEV list regarding the "bar" for Committership.
The consensus is to keep the bar set fairly high and wait until a contributor has
submitted a good number of useful patches directly to Struts.

Our latest stable release is still 1.1 (29 June 2003). We issued a 1.2.1 release
on 11 July 2004, which is currently catagorized as a beta. We anticipate 1.2.1
(or a 1.2.2) being promoted to GA over the next 30 days.

23 Jun 2004

-PMC Actions-

* Niall Pemberton is elected as a Struts Committer.

* Two new subprojects (our first) are approved. One that utilizes BSF
 so that "Actions" can be scripted rather than expressed as Java
 code. Another is a port of Cocoon's Control Flow to
 Struts. Infrastructure details are being addressed. The initial code
 for both projects were developed by a Struts PMC member, Don Brown,
 who is filing a code grant to the ASF. Both codebases are ready for
 release testing.

-Significant threads-

* Compiling Struts from source and running the Cactus tests continues
 to be a challenge for some developers. Completing the move to Maven
 should help.

-Releases-

* Stable release: 1.1 (29 June 2003).

* Next anticipated release: 1.2.1

* Anticipated time-frame (if any): Awaiting stable release of a
 dependency (Commons Validator).

-Roadmap-

* Struts 1.x will remain based on Servlet 1.2/JSP 1.1 (evolution).

* Struts 1.3.x will introduce the "Struts Chain" request
 processor. Some packages, like the taglibs, will be released as
 separate subprojects.

* Struts 2.x will be based on Servlet 2.4/JSP 2.0 (revolution).

* The Apache Struts repository will be rationalized to accomodate
 subprojects and Maven once a stable Struts 1.2.x release is available.
 Subprojects will be the unit of release. Each subproject will be a
 distinct Maven "artifact". Pending this step, the website and
 repository remain under jakarta.apache.org.

* For more see <http://jakarta.apache.org/struts/status.html>.

-Mailing list Subscriptions-

* User 1851
* User digest: 874
* Dev: 713
* PMC: 14

-Wiki Posts-

* 103 new posts; 175 total (since Apr 8)

-CVS Activity-

* Timeframe: 38 days, Total Commits: 25 Total Number of Files Changed: 57.

-Showstoppers-

* A stable 1.1.3 release of the Commons Validator.

26 May 2004 [Craig McClanahan]

Discussion and Approval tabled due to time constraints.

17 Mar 2004

Establish Apache Struts PMC

  WHEREAS, the Board of Directors deems it to be in the best
  interests of the Foundation and consistent with the
  Foundation's purpose to establish a Project Management
  Committee charged with the creation and maintenance of
  open-source software related to the Apache Struts framework,
  for distribution at no charge to the public.

  NOW, THEREFORE, BE IT RESOLVED, that a Project Management
  Committee (PMC), to be known as the "Apache Struts PMC", be and
  hereby is established pursuant to Bylaws of the Foundation; and
  be it further

  RESOLVED, that the Apache Struts PMC be and hereby is
  responsible for the creation and maintenance of software for
  Apache Struts and for related software components, based on
  software licensed to the Foundation; and be it further

  RESOLVED, that the office of "Vice President, Apache Struts" be
  and hereby is created, the person holding such office to serve
  at the direction of the Board of Directors as the chair of the
  Apache Struts PMC, and to have primary responsibility for
  management of the projects within the scope of responsibility
  of the Apache Struts PMC; and be it further

  RESOLVED, that the persons listed immediately below be and
  hereby are appointed to serve as the initial members of the
  Apache Struts PMC:

   Craig R. McClanahan
   Ted Husted
   Rob Leland
   Cedric Dumoulin
   Martin Cooper
   Arron Bates
   James Holmes
   David M. Karr
   David Graham
   James Mitchell
   Steve Raeburn
   Don Brown
   Joe Germuska

  NOW, THEREFORE, BE IT FURTHER RESOLVED, that Craig
  R. McClanahan be and hereby is appointed to the office of Vice
  President, Apache Struts, to serve in accordance with and
  subject to the direction of the Board of Directors and the
  Bylaws of the Foundation until death, resignation, retirement,
  removal or disqualification, or until a successor is appointed;
  and be it further

  RESOLVED, that the initial Apache Struts PMC be and hereby is
  tasked with the creation of a set of bylaws intended to
  encourage open development and increased participation of
  the Apache Struts Project, in the Java language as well as
  others, and be it further

  RESOLVED, that the initial Apache Struts PMC be and hereby is
  tasked with the migration and rationalization of the Jakarta
  PMC Struts subproject, and be it further

  RESOLVED, that all responsibility pertaining to the Jakarta
  Struts sub-project and encumbered upon the Jakarta PMC are
  hereafter discharged.

 Approved by Unanimous Vote.