## Description:
The mission of JSPWiki is the creation and maintenance of software related to
a leading open source WikiWiki engine, feature-rich and built around standard
JEE components (Java, servlets, JSP).
## Project Status:
Current project status: Ongoing, with low activity.
Issues for the board: There are no issues requiring board attention.
## Membership Data:
Apache JSPWiki was founded 2013-07-17 (11 years ago)
There are currently 15 committers and 9 PMC members in this project.
The Committer-to-PMC ratio is 5:3.
Community changes, past quarter:
- Arturo Bernal was added to the PMC on 2023-06-21
- Arturo Bernal was added as committer on 2023-06-21
## Project Activity:
Activity this quarter has been mostly around reviewing and merging
contributors' PRs. We also pushed some updates related to the logic of
inlining / downloading attachments, as a result of discussing our last
vulnerability report.
This report was rejected, but we decided that having this additional
functionality would make JSPWiki more security-friendly.
There's a fork from a contributor with the switch to Jakarta 10; bringing
that to master would be the first step towards JSPWiki 3.
## Community Health:
Work on latest master shows commits from 1 committer, which contain 3 pull
requests from two different contributors.
No questions unanswered on MLs, although they continue to have little traffic.
Answering a Board comment on previous report:
```
cdutz:
I do see a large number of emails from the security team on the private list
and all activity seems to be merging dependabot version updates. Is the
project actively working on addressing the known issues?
```
Every time we get a vulnerability report we start a separate thread at
private@j.a.o to discuss the issue. We get a weekly "your dependabot alerts for
this week" which highlights that we're using an old version of commons-http,
which has some associated CVEs, although none of them are exploitable on
JSPWiki. We try to address every security issue and push the appropriate
releases as fast as we can, although JSPWiki being developed on free time(tm),
sometimes is not as fast as we would like.
Other than that, we have a slow development pace, so every push usually comes
with a commit upgrading dependencies, some advised by dependabot, some not.