Open source code worth $600m contributed to Apache


Open source code valued at over $600 million was delivered by volunteer project contributors to the Apache Software Foundation (ASF) in a single 12-month period.

That's according to the Apache Software Foundation's (ASF) annual report for its 2018 fiscal year, which ended on 30 April. The report was released last week.

ASF was established in 1999 and claims to be the world's largest open source foundation with more than 300 freely available, enterprise-wide projects that serve as the backbone for some of the most visible and widely used applications in computing today.

Some 730 individual volunteer members and 6 700 code committers from around the world collaborate via the ASF on a huge range of innovations in areas as diverse as artificial intelligence and deep learning, as well as big data, build management, cloud computing, content management, DevOps, Internet of Things and edge computing, mobile, servers and Web frameworks.

Staggering statistics

Many of the statistics contained in the report are staggering. While there were nine million source code downloads served from Apache mirrors during the year, a total of 13 280 'committers' changed more than 71 million lines of code, and added a total of $624 846 835-worth of code to the various Apache repositories in 222 684 commits.

The highest code contribution by value was by Apache Mynewt, a total of more than $61 million-worth of code.

The top five Apache repositories by size were OpenOffice, NetBeans, Flex, Hadoop, and Trafodion, while the top repositories by commits were Hadoop, Ambari, Camel, Ignite and Beam.

Probably one of the biggest crises for the ASF during the year was the Equifax data breach that affected 143 million consumers in the US and Canada as a result of a vulnerability in Apache Struts, a popular open source framework for creating enterprise-grade Java Web applications. What deeply concerned the ASF is that Apache Struts had been a top-level ASF project since 2004 and was overseen by a self-selected team of contributors to the project.

As soon as the actual vulnerability had been provisionally identified as CVE-2017-9805, the Apache Struts Project Management Committee issued details on its response process to reported vulnerabilities and also provided recommended security guidelines. Four days later, Equifax issued a statement confirming the source of the vulnerability, and the ASF was quick to hit back: it pointed out that this particular vulnerability had been identified, and patched, months before the breach.

Failure to update security

"In conclusion, the Equifax data compromise was due to a failure to install the security updates provided in a timely manner," the ASF stated.

While the annual report noted this debacle as just one negative event among numerous successes, the ASF also took the launch of the report to look ahead by releasing its latest five-year strategic plan.

This reconfirmed the ASF mission to "support the creation and distribution of open source software at no charge under the Apache Licence (through the provision of) project spaces and resources for like-minded communities to flourish, produce and release software under our legal umbrella".

Part of its reaffirmed mission is also to help open source communities to "understand and practise the Apache Way, a collection of best practices for collaboration and project sustainability" that are documented and clarified on an ongoing basis.

"We welcome new projects via our incubator, where experienced mentors help them learn to operate as an Apache community and project," ASF concluded.