Planet Apache

Justin Mason: Links for 2015-02-20

Fri, 2015-02-20 18:58
  • 2015-02-19 GCE outage

    40 minutes of multi-zone network outage for majority of instances. ‘The internal software system which programs GCE’s virtual network for VM egress traffic stopped issuing updated routing information. The cause of this interruption is still under active investigation. Cached route information provided a defense in depth against missing updates, but GCE VM egress traffic started to be dropped as the cached routes expired.’ I wonder if Google Pimms fired the alarms for this ;)

    (tags: google outages gce networking routing pimms multi-az cloud)

  • Listen to a song made from data lost during MP3 conversion

    Ryan McGuire, a PhD student in Composition and Computer Technologies at the University of Virginia Center for Computer Music, has created the project The Ghost In The MP3 [....] For his first trick, McGuire took Suzanne Vega’s ‘Tom’s Diner’ and drained it into a vaporous piece titled ‘moDernisT.” McGuire chose the track he explains on his site because it was famously used as one of the main controls in the listening tests used to develop the MP3 algorithm.

    (tags: mp3 music suzanne-vega compression)

Categories: FLOSS Project Planets

Matt Raible: AppFuse 3.5 Released!

Fri, 2015-02-20 13:24

The AppFuse Team is pleased to announce the release of AppFuse 3.5. This release contains a number of improvements.

  • XML reduced by 8x in projects generated with AppFuse
  • CRUD generation support for Wicket, as well as AppFuse Light archetypes (Spring Security, Spring FreeMarker and Stripes)
  • Upgraded Tapestry to 5.4
  • Integrated Spring IO Platform for dependency management
  • Refactored unit tests to use JUnit 4
  • Renamed maven-warpath-plugin to warpath-maven-plugin
  • Upgraded to jWebUnit 3 for AppFuse Light integration tests
  • Updated all AppFuse Light modules to be up-to-date

For more details on specific changes see the release notes.

What is AppFuse?
AppFuse is a full-stack framework for building web applications on the JVM. It was originally developed to eliminate the ramp-up time when building new web applications. Over the years, it has matured into a very testable and secure system for creating Java-based webapps.

Demos for this release can be viewed at Please see the QuickStart Guide to get started with this release.

If you have questions about AppFuse, please read the FAQ or join the user mailing list. If you find any issues, please report them on the users mailing list. You can also post them to Stack Overflow with the "appfuse" tag.

Thanks to everyone for their help contributing patches, writing documentation and participating on the mailing lists.

We greatly appreciate the help from our sponsors, particularly Atlassian, Contegix, and JetBrains. Atlassian and Contegix are especially awesome: Atlassian has donated licenses to all its products and Contegix has donated an entire server to the AppFuse project.

Colm O hEigeartaigh: New Apache WSS4J and CXF releases

Fri, 2015-02-20 11:37
Apache WSS4J 2.0.3 and 1.6.18 have been released. Both releases contain a number of fixes in relation to validating SAML tokens, as covered earlier. In addition, Apache WSS4J 2.0.3 has unified security error messages to prevent some attacks (see here for more information). Apache CXF 3.0.4 and 2.7.15 have also been released, both of which pick up the recent WSS4J releases.

Justin Mason: Links for 2015-02-19

Thu, 2015-02-19 18:58
  • pcp2graphite

    A gateway script, now included in PCP

    (tags: pcp2graphite pcp graphite ops metrics system)

  • Performance Co-Pilot

    System performance metrics framework, plugged by Netflix, open-source for ages

    (tags: open-source pcp performance system metrics ops red-hat netflix)

  • Superfish: A History Of Malware Complaints And International Surveillance – Forbes

    Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006.

    (tags: superfish lenovo privacy surveillance ads java windows mac firefox pups ssl tls ad-injection komodia)

  • The Superfish certificate has been cracked, exposing Lenovo users to attack | The Verge

    The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site. Amazingly stupid.

    (tags: superfish inept ca ssl tls lenovo mitm security)

  • Police have asked Dropcam for video from people’s home cameras — Fusion

    “Like any responsible father, Hugh Morrison had installed cameras in every room in the flat,” is the opening line of Intrusion, a 2012 novel set in the near future. Originally installed so that Hugh and his wife can keep an eye on their kids, the Internet-connected cameras wind up being used later in the novel by police who tap into the feeds to monitor the couple chatting on their couch when they are suspected of anti-societal behavior. As with so many sci-fi scenarios, the novel’s vision was prophetic. People are increasingly putting small Internet-connected cameras into their homes. And law enforcement officials are using the cameras to collect evidence about them.

    (tags: privacy dropcam cameras surveillance law-enforcement)

  • Extracting the SuperFish certificate

    not exactly the most challenging reverse I’ve ever seen ;)

    (tags: reverse-engineering security crypto hacking tls ssl superfish lenovo)

  • The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

    Holy shit. Gemalto totally rooted.

    With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt. [...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.

    (tags: encryption security crypto nsa gchq gemalto smartcards sim-cards privacy surveillance spying)

  • One year of InfluxDB and the road to 1.0

    half of the [Monitorama] attendees were employees and entrepreneurs at monitoring, metrics, DevOps, and server analytics companies. Most of them had a story about how their metrics API was their key intellectual property that took them years to develop. The other half of the attendees were developers at larger organizations that were rolling their own DevOps stack from a collection of open source tools. Almost all of them were creating a “time series database” with a bunch of web services code on top of some other database or just using Graphite. When everyone is repeating the same work, it’s not key intellectual property or a differentiator, it’s a barrier to entry. Not only that, it’s something that is hindering innovation in this space since everyone has to spend their first year or two getting to the point where they can start building something real. It’s like building a web company in 1998. You have to spend millions of dollars and a year building infrastructure, racking servers, and getting everything ready before you could run the application. Monitoring and analytics applications should not be like this.

    (tags: graphite monitoring metrics tsd time-series analytics influxdb open-source)

  • Sysdig Cloud’s JMX Metrics

    Sysdig Cloud users have the ability to view and analyze Java Management Extensions (JMX) metrics out of the box with no additional configuration or setup required.

    (tags: sysdig jmx java jvm)

  • Will the madness never end? Komodia SSL certificates are EVERYWHERE

    I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method. What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

    (tags: komodia via:jgc ssl lenovo parental-control censorware mitm)

Gianugo Rabellino: Hello from FreeBSD and Azure

Thu, 2015-02-19 16:32

This blog is now running on a set of FreeBSD jails on Azure. Setting it up was relatively easy and smooth, modulo a few bumps on the road that I have documented and will share in upcoming posts.

Why FreeBSD and why jails, you may ask? Everyone and their dog seems to be running Docker containers on Linux these days, so going FreeBSD can legitimately raise a few eyebrows. I wish I had a compelling answer and I could start pontificating about performance, security, scalability and the like but this is not the case: my blog doesn’t get nearly enough traffic to even start discussing scalability and I’m not nearly enough conversant on system internals to provide guidance one way or the other.

Truth is, I just resonate with FreeBSD more than I do with Linux. I cut my UNIX teeth on Linux, but I quickly moved to FreeBSD after my Linux workstation was pwned some 15 years ago. I came to FreeBSD for PF and stayed for make world.

Back when Linux was busy creating amazing things and paying a price in terms of slight yet annoying incompatibilities and quirks, FreeBSD has always been a cornerstone of predictable, solid performance. And usability too: hier is a joy, and knowing that anything that is not part of core goes in /usr/local and that port maintainers will leave configuration files alone (Debian, I’m looking at you and your a-little-too-clever Apache’s sites-available) takes a lot of guesswork away.

Over the years I deployed on Linux a number of times, mostly because I needed JVMs and as there wasn’t just enough choice of FreeBSD VMs out there. I did however make a point of being a pain in the backside of many colleagues at Microsoft until we got FreeBSD on VM Depot. The cherry on the cake was some downtime over the recent holidays which allowed me to learn my way around jails and successfully migrate my aging Linux machine over.

You are now connecting to FreeBSD 10.1, with four different jails running a DNS server, a MariaDB service and a couple of websites running mostly WordPress. A testament to FreeBSD quality is that to set it up I just had to dust some memory shelves and learn a couple of new things: despite not having deployed anything serious in the best part of 10 years, things are pretty much the same as they used to be, and the utmost predictability of what’s going to happen on a FreeBSD system is still very much there.

Please don’t get me wrong: it’s not like I don’t like Linux – I obviously did and still do although with many reservations on systemd. It’s just that one way or the other I keep coming back to FreeBSD: home sweet home.

Matt Raible: Best Practices for using Foundation with AngularJS Revisited

Thu, 2015-02-19 11:49

A couple weeks ago I wrote about using Foundation with AngularJS. Based on research I'd done, I concluded that it was best to use Foundation for Apps for any webapps my client created and Foundation for Sites for any websites (e.g. a WordPress-based intranet).

After doing my initial research, I did some prototyping with Foundation for Apps (F4A). What I discovered is that F4A does not include all the same components as Foundation for Sites (F5). For example, the top-bar and dropdown functionality are missing. I posted my issues to the Foundation Forums.

The response I received:

It should work. You would need to copy over all the Scss and global mixins that you used in top-bar or at least all the output CSS from it. Otherwise there is no reason the components won't fit into the grid.

I was able to import Foundation for Sites into my project by adding it to bower.json:

"dependencies": {
  "foundation-apps": "~1.0.2",
  "foundation": "~5.5.1"
}

After doing this, I added the new path to Gulpfile.js:

var sassPaths = [
  'client/assets/scss',
  'bower_components/foundation/scss',
  'bower_components/foundation-apps/scss'
];

After making this change, the top-bar rendered and my dropdowns worked. Since there was no jQuery in the page, I thought this might be a viable option. However, Jason Demitri quickly pointed out it probably wouldn't work with mobile. He was right.

While using F4A, I noticed that its components, and much of its look-n-feel, was different than F5. If you look at its Email App template, you'll see it looks kinda like a mobile app, even in a desktop browser. After trying F4A myself, I decided that F4A wasn't for us. First of all, it doesn't seem to provide a consistent look and feel with a website that's written using F5. Furthermore, F4A only supports IE10+. In the healthcare industry, there's a lot of older browsers out there, so my client needs to support IE9 as a minimum.

For these reasons, I decided to try Angular directives for Foundation. I took a prototype I'd written with F5, removed its JavaScript, added Angular Foundation + Foundation dependencies to bower.json, added references to the respective scripts in index.html and added '' as a dependency in app.js. The experiment worked beautifully and I was quite happy with the results. I shared my findings with the team and we decided Angular Foundation is the best way to integrate Foundation and AngularJS.

F4A is pretty new and I imagine it'll add more of F5's features as it evolves. However, I don't know if the two will ever be so similar that they can live side-by-side and allow a seamless experience for users. If you're interested in mixing F4A and F5, you might want to watch Jason Demitri's foundationUltra. This project combines Angular Foundation, Foundation for Sites, Foundation for Apps and Font Awesome. You can see a demo at

Justin Mason: Links for 2015-02-18

Wed, 2015-02-18 18:58

Justin Mason: Links for 2015-02-17

Tue, 2015-02-17 18:58

Community Over Code: Even better than Hadoop!

Tue, 2015-02-17 17:44

You know what’s even better than using Hadoop? Using Apache Hadoop!

Even better is Apache Ambari to manage your Apache Cassandra data store through Apache Hive with Apache Pig to make it simpler to write Apache Spark compute flows… Or, if you want it assembled for you, just grab the latest Apache BigTop, which already includes a bunch of Apache Hadoop related packages all together.

How can we do a better job of getting at least a single “Apache Hadoop” into some of the many media stories about Hadoop these days? It’s great that all these vendors are making great technology and projects that power big data, but with all their success and fancy marketing campaigns, you’d think we could get just a tiny bit of credit in the popular press with the actual committers on the core Apache Hadoop project itself. Or any of the other Apache project technologies that these vendors, other software companies – and just about every other company too – rely on every day to help make their websites work.

Would it hurt marketers and journalists and bloggers to throw in just one extra “Apache” before talking about the many free Apache software products that help power more than half the internet?

The ASF and Apache projects give away a tremendous amount of technology every day under our permissive Apache license – always for free. All we ask is respect for our trademarks, and a little bit of credit for the many volunteer communities that build Apache software.

P.S. Apache projects love to get more code, documentation, testing, and other contributions too! And the ASF has a Sponsorship program.

But what we really want is what every human wants: just a little love. Just an extra Apache here and there makes us feel better.


Matt Raible: How to ReactJS and Tooling is Awesome at HTML5 Denver

Tue, 2015-02-17 13:05
Last night, I had the pleasure of attending the HTML5 Denver Meetup with two talks by Will Klein. I was motivated to attend because React has been on my radar for a while and Will's first talk was titled How to ReactJS. Will's presentation doesn't show the real meat of this talk, which contained lots of live coding. Will started with a static webapp, then converted it to use React bit-by-bit. His live coding was greatly helped by the fact that he had 3-4 co-workers in the room, so there was a sense of pair programming when things didn't work. During the presentation, he mentioned the JavaScript Jabber Podcast on React. I listened to it this morning, and I recommend it if you want to learn about the history of React.

Will's second talk was titled Tooling is Awesome. In this presentation, he showed us how to use npm and webpack. Again, the presentation doesn't capture the vast amount of knowledge demonstrated during the live-cli session. I hadn't heard of webpack before, so I was pumped to learn about it. If you need to complete/translate to JavaScript or CSS from another language, chances are that webpack will work well for you. During this demo, Will converted the previously developed React code to require/export modules, as well as to do transpilation using webpack's jsx-loader. He also mentioned Keith Cirkel's How to Use npm as a Build Tool. If you're just getting started with JavaScript development and don't want to learn tools like Grunt or Gulp, this article will help you use npm as your only build tool.

Even though you can't experience the live-coding that happened last night, the code has been posted to GitHub. If you're looking to have talks about developing with React, I'd suggest contacting Will. He delivered great talks on subjects I've been keen to learn more about. Thanks Will!

In other Denver-related tech news, ThingMonk is coming March 3-4 and HTML5 Denver has lightning talks on March 23rd. ThingMonk is "a meeting of the tribes for people building the Internet of Things" and is sure to be a great conference. The Redmonk crew is always fun to hang out with and knows how to create a conference. Did I mention it's at a distillery?! The lightning talks in March are always a great time too. You can really learn a lot in a short period of time and it's a great way to share knowledge about cool technology you've recently used. Heck, you could attend ThingMonk, then create a lightning talk about what you learned for HTML5 Denver!

David Reid: Broccoli

Tue, 2015-02-17 06:54

It’s fair to say that when it comes to the modern world of javascript, I’m something of a luddite. It’s not a world I’ve spent a lot of time with and while looking at options to start projects much of what I read may as well be double dutch. However, I have spent some time and EmberJS is slowly becoming more familiar and useful. So, now that I’m writing apps, the next step in my learning curve is deploying them. Having read about a few of the tools that are currently in use (this week at least) I chose to try Broccoli. In keeping with my “one step at a time” philosophy I elected to start simple.

What follows is what I did after looking at various tutorials, but is largely based on a blog post by Tim Eagan.

The first step was making sure it was installed.

npm install --save-dev broccoli
sudo npm install --global broccoli-cli

Of course this just gets you the tool, so now I needed some plugins to help it do useful stuff. To see what’s available, I looked at Initially I installed what seemed like the basics.

npm install --save-dev broccoli-merge-trees
npm install --save-dev broccoli-uglify-js
npm install --save-dev broccoli-static-compiler
npm install --save-dev broccoli-concat

The broccoli-sass plugin failed to install for me.

Writing the Brocfile.js was the next step. This is just a javascript file and there were many examples to look at to get started. This was my first attempt.

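// Load the Broccoli plugins installed above.
var concatenate = require('broccoli-concat'),
    mergeTrees = require('broccoli-merge-trees'),
    pickFiles = require('broccoli-static-compiler'),
    uglifyJs = require('broccoli-uglify-js'),
    app = '.',
    appHtml,
    appJs;

// Copy index.html into the production directory.
appHtml = pickFiles(app, {
  srcDir : '/',
  files : ['index.html'],
  destDir : '/production'
});

// Concatenate every JavaScript file into a single app.js.
appJs = concatenate(app, {
  inputFiles : ['**/*.js'],
  outputFile : '/production/app.js'
});

// Minify the concatenated JavaScript.
appJs = uglifyJs(appJs, {
  compress: true
});

// Merge both trees into the final build output.
module.exports = mergeTrees([appHtml, appJs], {overwrite: true});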

After creating the file in the root of my project, I was able to simply run it.

broccoli build 'public'

I now had 2 files, public/production/index.html and public/production/app.js. Tim’s example used the sass plugin to generate css files, but as I wasn’t using that some modifications were needed to include the css files I was using.

// Copy the stylesheet along with index.html.
appHtml = pickFiles(app, {
  srcDir : '/',
  files : ['index.html', 'css/style.css'],
  destDir : '/production'
});

However, after making the changes and running the command again, it failed as the public directory already existed! Sadly, there is no option presently available to force an overwrite, so I had to manually remove the existing directory and will need to do this each time (a small shell script will simplify this!). This is a little annoying, but not too much effort.

After looking at the plugins available, I installed broccoli-manifest to simplify production of the appcache file, which works very well and automates another job for me.

I also installed the broccoli-uncss plugin to eliminate unused css.


There is a plugin that cures this problem, clear-broccoli-build-target. Installing it and adding to Brocfile.js has fixed the existing directory problem.

Justin Mason: Links for 2015-02-16

Mon, 2015-02-16 18:58

Shawn McKinney: Apache Fortress End-to-End Security Tutorial

Mon, 2015-02-16 18:09

The tutorial provides a how-to guide for applying end-to-end security enforcement across a sample Java Web environment using Java EE, Spring and Apache Fortress security.

Requirements covered include authentication, authorization and confidentiality. Both declarative and programmatic enforcement controls will be used. Authorization granularity ranges from coarse (Java EE, Spring) to fine (Fortress).

To get started, follow the instructions in the README located on github:

More info here: The Anatomy of a Secure Web App

Shawn McKinney: Apache Fortress Ten Minute Guide

Mon, 2015-02-16 17:59

Provides instructions to download source, build, deploy and test the following components:

  1. Apache Directory Server
  2. Apache Studio
  3. Apache Fortress Core
  4. Apache Fortress Realm
  5. Apache Fortress Web
  6. Apache Fortress Rest

Follow the instructions here:


Colm O hEigeartaigh: Unified security error messages in Apache WSS4J and CXF

Mon, 2015-02-16 11:59
When Apache WSS4J encounters an error on processing a secured SOAP message it throws an exception. This could be a configuration error, an invalid Signature, incorrect UsernameToken credentials, etc. The SOAP stack in question, Apache CXF for the purposes of this post, then converts the exception into a SOAP Fault and returns it to the client. However the SOAP stack must take care not to leak information (e.g. internal configuration details) to an attacker. This post looks at some changes that are coming in WSS4J and CXF in this area.

The later releases of Apache CXF 2.7.x map the WSS4J exception message to one of the standard error QNames defined in the SOAP Message Security Profile 1.1 specification. One exception is if a "replay" error occurred, such as if a UsernameToken nonce is re-used. This type of error is commonly seen in testing scenarios, when messages are replayed, and returning the original error aids in figuring out what is going wrong. Apache CXF 3.0.0 -> 3.0.3 extends this functionality a bit by adding a new configuration option:
  • - Whether to return the security error message to the client, and not one of the default error QNames. Default is "false".
However, even returning one of the standard security error QNames can provide an "oracle" for certain types of attacks. For example, Apache WSS4J recently released a security advisory for an attack that works if an attacker can distinguish whether the decryption of an EncryptedKey or EncryptedData structure failed. There are also attacks on data encrypted via a cipher block chaining (CBC) mode, that only require the knowledge about whether the specific decryption failed.

Therefore from Apache WSS4J 2.0.3 onwards (and CXF 3.0.4 onwards) a single error fault message ("A security error was encountered when verifying the message") and code ("", "SecurityError") is returned on a security processing error. It is still possible to set "" to "true" to return the underlying security error to aid in testing etc.
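
The fault handling described in the post above, as an added example that is not code from WSS4J, CXF or the original post: it maps internal failure causes to a client-visible fault under the older per-cause policy and under the unified policy, and counts how many distinct responses a client can observe. All class, enum and method names are hypothetical, the cause-to-code mapping is an assumption, and the fault-code namespace is omitted because the post does not show it.

```java
import java.util.EnumMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/** Added illustration: hypothetical names, not WSS4J or CXF classes. */
public class UnifiedSecurityFault {

    private static final Logger LOG = Logger.getLogger("security");

    /** Failure causes named in the post (constructed enum). */
    enum Failure { CONFIG_ERROR, INVALID_SIGNATURE, BAD_USERNAME_TOKEN, DECRYPTION_FAILED, REPLAYED_NONCE }

    /** How much of the cause is allowed to reach the client. */
    enum Policy { STANDARD_QNAMES, UNIFIED }

    /** The client-visible part of a SOAP Fault. */
    record Fault(String code, String message) { }

    // Fault codes defined by SOAP Message Security 1.1. Which cause maps to
    // which code is an assumption made for this example.
    private static final Map<Failure, String> STANDARD = new EnumMap<>(Failure.class);
    static {
        STANDARD.put(Failure.CONFIG_ERROR, "wsse:InvalidSecurity");
        STANDARD.put(Failure.INVALID_SIGNATURE, "wsse:FailedCheck");
        STANDARD.put(Failure.DECRYPTION_FAILED, "wsse:FailedCheck");
        STANDARD.put(Failure.BAD_USERNAME_TOKEN, "wsse:FailedAuthentication");
        STANDARD.put(Failure.REPLAYED_NONCE, "wsse:InvalidSecurity");
    }

    // Unified message and code local name as quoted in the post.
    static final Fault UNIFIED_FAULT = new Fault(
            "SecurityError", "A security error was encountered when verifying the message");

    private final Policy policy;
    private final boolean returnDetail; // testing aid, "false" by default

    UnifiedSecurityFault(Policy policy, boolean returnDetail) {
        this.policy = policy;
        this.returnDetail = returnDetail;
    }

    /** Converts an internal failure into what the client is allowed to see. */
    Fault toFault(Failure cause, String detail) {
        // The full cause always goes to the server-side log.
        LOG.fine(() -> cause + ": " + detail);
        if (returnDetail) {
            return new Fault(cause.name(), detail);
        }
        if (policy == Policy.UNIFIED) {
            return UNIFIED_FAULT;
        }
        if (cause == Failure.REPLAYED_NONCE) {
            // Per-cause policy: replay errors keep their original message.
            return new Fault(STANDARD.get(cause), detail);
        }
        return new Fault(STANDARD.get(cause), "Security processing failed");
    }

    /** Number of different responses a client can tell apart across all causes. */
    int distinctResponses() {
        Set<Fault> seen = new HashSet<>();
        for (Failure f : Failure.values()) {
            seen.add(toFault(f, "internal detail for " + f));
        }
        return seen.size();
    }

    public static void main(String[] args) {
        for (Policy p : Policy.values()) {
            int n = new UnifiedSecurityFault(p, false).distinctResponses();
            System.out.println(p + ": " + n + " distinguishable response(s)");
        }
        int withDetail = new UnifiedSecurityFault(Policy.UNIFIED, true).distinctResponses();
        System.out.println("UNIFIED with detail returned: " + withDetail + " distinguishable response(s)");
    }
}
```

A count above one under the default settings means the fault alone tells a client which processing step failed, so `distinctResponses()` can serve as a regression check in a service's test suite.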

Community Over Code: It’s Groovy to join a Foundation

Sat, 2015-02-14 21:54

The contributors behind the awesome Groovy project are looking for a new home. It’s bad news that the project and some of its core contributors will no longer be sponsored (paid for) by Pivotal, but it’s great that the core contributors are organized and serious about moving their project to an existing Foundation.

As a long time Apache Member (among other things), I have a few suggestions for the Groovy community.

Joining a Foundation is Good

You’ve already taken the most important step: choosing to join an existing Foundation. Although each option comes with some compromises or tradeoffs, I assure you any would be far superior to forming your own new non-profit corporation to be your legal home. Forming a new corporation is a lot of work, requiring a different energy and skill set than most developers have; this would significantly diminish the time that your contributors could spend actually focusing on the code. All three of the proposed options – Apache, Eclipse, and the Conservancy – have long and successful histories of providing all the things a Foundation can provide for open source projects: legal support, infrastructure, community and governance models, and a stable and well-branded place to call home.

Yawn…those things don’t sound particularly exciting, do they? In general, those aspects aren’t very exciting for most developers. But having a legal and stable home is critical if you want to manage your own project’s future, and not have it dictated by a single for-profit company. Or worse, slowly lose your way due to lack of contributors, and eventually, lack of users.

Talk To People

Clearly the Groovy core contributors have already considered a lot of the potential issues related to joining a Foundation, and have agreed on some basic requirements (which look great!). However, your community’s current understanding of how the three Foundations work appears to be mainly based on the available documentation from the Foundations, and not necessarily first-hand experience.

By far the most useful advice I can give is to have enough of your core contributors talk directly to some representatives of each Foundation (as some of you have already been doing). It’s likely that a number of your initial concerns won’t be as hard to deal with as you think, especially if you are clear and open in your communications with Foundation representatives. Make sure you have enough clear and direct information from the Foundation representatives – and your core contributors have time to truly discuss the input together – before making your final decision.

Who owns the Groovy Trademark?

In your planning, be sure not to overlook this essential issue. Who owns the GROOVY trademark? While it may seem obvious to developers and contributors, it may not be clear to the lawyers and marketing VPs of various companies who might be interested in using Groovy or contributing to the project in the future. Is Pivotal (and/or Codehaus, depending on who hosted the past software releases) willing to sign the trademarks over to your new legal home (once you choose one)? While open source code is infinitely forkable, trademarks aren’t. For example, the Apache License may be permissive regarding use of an individual project’s code, but explicitly does not license the project’s trademark(s). Likewise, most of your users know the language as “Groovy.” If Pivotal decided to keep the trademark (which seems unlikely, thankfully), you’d still be perfectly welcome to fork the code, but under a new name. Not Groovy. The apparent notoriety of the recent io.js fork notwithstanding, getting new contributors to a newly branded project is hard.

Who is your core Decision Making Community / Governance?

It’s great that your core contributors are thinking this through, defining the mission of the project community, and weighing the options carefully. This is a time where you’ll need to start developing a more detailed governance model; particularly the required members of the top decision making body. When your project is living without the direct umbrella of a company, you’ll need to have a specific list of the individual people who make governance decisions.

There is a clear difference between the Apache/Eclipse governance models and the Conservancy governance model. Conservancy essentially serves as a legal place to hang your project, with a hands-off approach that allows each project to develop their own self-governance models. Apache and Eclipse have detailed policies mandating how major decisions are made within a project (for example, inviting new committers or making formal software releases). In their models, a Project Management Committee (PMC) made up of individuals casts binding votes according to standard voting rules. Most decisions are still made by consensus of PMC members – probably how Groovy already operates. The details of voting rules really only come into play when the project team can’t reach a happy consensus, or when making formal software releases (in the latter case, having clear votes by the policy ensures that the release is an act of the project, not of just an individual).

In addition to the project governance policies, Apache and Eclipse have an overarching board of directors to provide oversight that the core rules really are being followed consistently for every software release.

One slight difference between the Eclipse and Apache governance models is the role of the project leaders. Apache PMC members each have one vote, and all members of the PMC are peers. Technical direction is purely project-driven at both Apache and Eclipse; the board and officers never interfere with technical decisions. At Eclipse, there is a “Project Lead” role for each project, and that individual has greater influence over decision making. There are also Eclipse-wide Planning and Architecture Councils, which work to establish policies and processes for all projects, and the schedule for the annual Eclipse release train.

Infrastructure, Sources, History, And Tooling

Each of these areas requires attention, and I have some initial thoughts:

  • Infrastructure: If you like Conservancy, could you find another company (such as OSUOSL?) to provide the physical hosting for you?
  • Sources: While Apache requires the canonical repo to be on ASF hardware (to ensure the project is master of its own fate), there are plenty of ways to mirror to GitHub or elsewhere.
  • History: If you really like Eclipse, then even if you did have to reset history, couldn’t you find some way to host a static version of the previous history somewhere for reference?

These are certainly issues that take effort, but it’s more important to ensure that the core people actually driving your community can find a stable home Foundation to settle in for the future.


For those potentially losing their Pivotal jobs, this is a key question, and one that’s certainly not easy, either on a personal level, or on a project and community level. Be sure you’re all clear on how and why you’re making decisions related to funding. For the Groovy community, this transition is clearly much more than a group of dedicated people doing this as their paid job, who are hoping to find new jobs together; you have built a coherent community that must find a long-term home for your project.

For the overall project, this is an exciting opportunity. With a full community, including both individuals as well as companies (contributing through the actions of their employees), you can have a long-term independent project. Right now, managed within the Pivotal framework, Groovy is at the mercy of Pivotal’s internal business decisions. To succeed as an independent project, you need to have a foundation to own the brand and provide (at least minimal) governance, and you need to draw enough interest from software companies so that they’ll either contribute work, or be interested in hiring your contributors.

Here also your three Foundation choices are very different. Conservancy will provide you with a 501C3 fundraising structure through which you can raise money to pay your contributors to develop code, but there may be limits to how much active fundraising support they can realistically give to you. Eclipse, as a 501C6, has a more corporate-focused funding model. They also seem likely to have more staff to help connect the core project contributors to companies potentially interested in funding more development. Apache is a 501C3, but the governance does not allow direct funding of project development by for-profit companies. Work on Apache projects is performed either by independents or by employees of various companies; projects that don’t attract any company-sponsored contributors tend to stagnate. For projects that stay relevant, however, this model results in longer-lived and strongly independent projects.

Good luck!

Whichever Foundation you choose, I wish you the best of luck. Open source has come a long way in the past twenty years. Licenses are well understood, and businesses and individuals everywhere frequently rely on open source projects for everyday things. And now with the long-term success of Apache, Eclipse, Conservancy, and many other non-profit open source Foundations, we are starting to have a decent understanding of some of the great governance and project management models we’ve developed.

This post also appears on Medium. Thanks to @mmilinkov for minor updates re: Eclipse.


Justin Mason: Links for 2015-02-13

Fri, 2015-02-13 18:58
  • Slack’s coming to Dublin

    Butterfield insists that Slack improves on the basic messaging functionality offered by its predecessors. The company plans to expand from 100 employees to 250 this year, open an office in Dublin, and launch a version that supports large companies with multiple teams.

    (tags: slack messaging chat dublin ireland jobs tech)

  • yahoo/kafka-manager

    A tool for managing Apache Kafka. It supports the following: Manage multiple clusters; Easy inspection of cluster state (topics, brokers, replica distribution, partition distribution); Run preferred replica election; Generate partition assignments (based on current state of cluster); Run reassignment of partition (based on generated assignments)

    (tags: yahoo kafka ops tools)

  • Vaurien, the Chaos TCP Proxy — Vaurien 1.8 documentation

    Vaurien is basically a Chaos Monkey for your TCP connections. Vaurien acts as a proxy between your application and any backend. You can use it in your functional tests or even on a real deployment through the command-line. Vaurien is a TCP proxy that simply reads data sent to it and passes it to a backend, and vice-versa. It has built-in protocols: TCP, HTTP, Redis & Memcache. The TCP protocol is the default one and just sucks data on both sides and passes it along. Having higher-level protocols is mandatory in some cases, when Vaurien needs to read a specific amount of data in the sockets, or when you need to be aware of the kind of response you’re waiting for, and so on. Vaurien also has behaviors. A behavior is a class that’s going to be invoked every time Vaurien proxies a request. That’s how you can impact the behavior of the proxy. For instance, adding a delay or degrading the response can be implemented in a behavior. Both protocols and behaviors are plugins, allowing you to extend Vaurien by adding new ones. Last (but not least), Vaurien provides a couple of APIs you can use to change the behavior of the proxy live. That’s handy when you are doing functional tests against your server: you can for instance start to add big delays and see how your web application reacts.

    (tags: proxy tcp vaurien chaos-monkey testing functional-testing failures sockets redis memcache http)

  • Embed-able Computers are a Thing. — February 12, 2015

    ‘If it works, a copy of Burgertime for DOS is now in your browser, clickable from my entry. If it doesn’t… well, no Burgertime for you. (Unless you visit the page.) There’s a “share this” link in the new interface for sharing these in-browser emulations in web pages, weblogs and who knows what else.’

    (tags: sharing embeds html javascript emulation msdos burgertime games)

  • China’s Internet Censors Now Have Their Own Theme Song, And It Is Glorious – China Real Time Report – WSJ

    According to a report posted Thursday to the website of the state-run China Youth Daily, the Cyberspace Administration of China choral group this week unveiled a new song, “Cyberspace Spirit,” glorifying the cleanliness and clarity of China’s uniquely managed Internet. The song, an orchestral march built around a chorus that proclaims China’s ambition to become an “Internet power,” opens with lyrics describing celestial bodies keeping careful watch over the sky. From there, the lyrics conjure more vivid imagery, comparing the Internet to “a beam of incorruptible sunlight” that unites “the powers of life from all creation.”

    (tags: china great-firewall censorship music songs cyberspace-spirit omgwtfbbq)


Justin Mason: Links for 2015-02-12

Thu, 2015-02-12 18:58

Matt Raible: Converting an Application to JHipster

Thu, 2015-02-12 11:29

I've been intrigued by JHipster ever since I first tried it last September. I'd worked with AngularJS and Spring Boot quite a bit, and I liked the idea that someone had combined them, adding some nifty features along the way. When I spoke about AngularJS earlier this month, I included a few slides on JHipster near the end of the presentation.

This week, I received an email from someone who attended that presentation.

Hey Matt,
We met a few weeks back when you presented at DOSUG. You were talking about JHipster which I had been eyeing for a few months and wanted your quick .02 cents.

I have built a pretty heavy application over the last 6 months that is using mostly the same tech as JHipster.

  • Java
  • Spring
  • JPA
  • AngularJS
  • Compass
  • Grunt

It's ridiculously close for most of the tech stack. So, I was debating rolling it over into a JHipster app to make it a more familiar stack for folks. My concern is that I will spend months trying to shoehorn it in for not much ROI. Any thoughts on going down this path? What are the biggest issues you've seen in using JHipster? It seems pretty straightforward except for the entity generators. I'm concerned they are totally different than what I am using.

The main difference in what I'm doing compared to JHipster is my almost complete use of groovy instead of old school Java in the app. I would have to be forced into going back to regular java beans... Thoughts?

I replied with the following advice:

JHipster is great for starting a project, but I don't know that it buys you much value after the first few months. I would stick with your current setup and consider JHipster for your next project. I've only prototyped with it, I haven't created any client apps or put anything in production. I have with Spring Boot and AngularJS though, so I like that JHipster combines them for me.

JHipster doesn't generate Scala or Groovy code, but you could still use them in a project as long as you had Maven/Gradle configured properly.

You might try generating a new app with JHipster and examine how they're doing this. At the very least, it can be a good learning tool, even if you're not using it directly.

Java Hipsters: Do you agree with this advice? Have you tried migrating an existing app to JHipster? Are any of you using Scala or Groovy in your JHipster projects?


Matt Raible: Harry Gates Hut Trip in the Roaring Fork Valley

Thu, 2015-02-12 01:22

It's been several years since my last hut trip. When my friend Brad Swanson invited me this year, I jumped at the opportunity. Trish skipped this trip and my good friend Ryan joined in her place. It was Ryan's first hut trip. As a snowboarder, he opted to snowshoe with his snowboard on his back.

Our journey to Harry Gates Hut began early last Friday morning. Our Syncro had just returned from the body shop the night before and was ready to head for the hills. We arrived in Basalt, Colorado (in the Roaring Fork Valley) around 11am and were on the trail at 12:30pm.

From experience, I knew it was going to be a long slog uphill. I rented telemark skis, with NTN boots/bindings, from Confluence Kayaks. We both quickly realized we'd packed too many supplies, as our packs were quite heavy. Nevertheless, we trudged on, one foot in front of the other.

At 6.6 miles and 1900' elevation gain, Brad estimated it'd take us 4-6 hours for the hike in. We thought we were close to finishing the uphill when the sun set around 6pm. Because it was dark, and we only had one headlamp, we were unable to ski the last mile of downhill near the end. We arrived at the hut at 8:00pm, after 7.5 hours of hiking and sweating profusely. We were extremely happy to be finished.

The next day, we woke up, had a delicious pancake breakfast, then hiked to the top of Burnt Mountain. It was a two mile jaunt, straight uphill.

About halfway up, I noticed the other guys' heels looked funny. They had some sort of post that prevented their heels from coming all the way down, making it a lot easier for them to climb. I thought "WTF?", then looked at my own bindings and realized I had the same contraption. I shouted "Hey guys, this is a helluva lot easier - why didn't you tell me about the heel posts?!" They laughed and marveled that this was my third hut trip and no one had ever mentioned climbing posts. I guess that's what happens when you're always at the back of the pack.

The views from the top of Burnt Mountain were spectacular.

The run down wasn't great - we got about six turns in before we ran into flat trees. From there, it was lots of traversing and navigating between trees back to the hut. Our Saturday ski excursion took around 4.5 hours. We hung out at the hut, played cribbage, enjoyed the scenery and went to bed early that night.

Sunday, we hiked out. It took us around two hours to reach the high point in the trail, then 30 minutes to complete the 5-mile downhill stretch.

Looking back, Ryan and I estimated we did about 14 hours of hiking at 10,000 feet over the weekend. While my pack was heavy, it was much easier for me to skin up the mountain than it was for Ryan on snowshoes. Especially when he kept post-holing on the hike up Burnt Mountain. Nevertheless, we survived and created some great memories from the experience.

Thanks to Brad and everyone else for showing us that packing light can make a real difference. To lighten the load on my next hut trip, I plan on bringing nothing but a sleeping bag, some almonds and a couple bananas.

For more pictures from this adventure, see my Harry Gates Hut Trip photos on Flickr.
