Hacker News
by dub 1269 days ago
> What kind of brave soul wants to trudge through and maintain log4j in their spare time for zero compensation?

It's not clear to me as an outsider what exactly the Apache foundation is doing for these projects. It feels like Apache is willing to accept code donations from anyone and is willing to attach the foundation's name to code that isn't widely used, actively maintained, or may just be abandonware.

I have soooo much more confidence in CNCF projects. The conditions for graduating as a CNCF project include criteria like that your project must be in use by multiple real companies, have maintainers who are (paid) employees of multiple different companies, and get a professional security audit.

3 comments

> It feels like Apache is willing to accept code donations from anyone and is willing to attach the foundation's name to code that isn't widely used, actively maintained, or may just be abandonware.

That’s incorrect. Projects need to report quarterly and need a Project Management Committee of at least three people, or they are retired. Retired projects may not make releases.

(Source: past ASF board member, who used to review those reports each month.)

There are a fair number of retired projects, and others that may become retired within the near-to-medium term. The ASF has been around for a while, and every software project has a life cycle. Those are still associated with the ASF brand because Google, whatcha gonna do? An explicit retirement policy overseen by a board is still superior to how the vast majority of open source projects approach end-of-life.

In theory. Open Office shows that the process of retiring semi-abandoned projects leaves a lot to be desired.

The project has few, if any, volunteers, and there are security problems known to be actively exploited, yet the ASF is not willing to work to find a viable solution.

Open Office losing popularity and having a shortage of developers makes some sense to me given all the progress in web-based document editors.

Something I have a harder time understanding is how it came to be that Apache Thrift and Facebook Thrift both exist as competing implementations of the same software originated by the same company.

The implied point with Open Office was not the users' habits shifting, but that there was a fork in name only. The project is still under active development with a diverse set of developers but under the name Libre Office.

Only a skeleton crew of paid developers stayed with Open Office, enough to cut releases regularly but not even to fix the security issues actively exploited. All distributions moved with the developers, but there is a discoverability problem which has led to mostly Windows continuing to install the unmaintained version.

The ASF could have fixed this quickly, either by helping out with the trademark issues, moving with the developers, or at least moving the unmaintained version to the attic and steering new users towards the actively developed version.

But they collectively decided to sit on their hands as users continued to install unmaintained software rather than take the slightest risk of offending one of their members. From an outside perspective, all of this was completely unnecessary.

The Thrift situation is another example where some active stewardship could have made a difference.

Apache is what CNCF will become when marketing budgets move on.

> It feels like Apache is willing to accept code donations from anyone and is willing to attach the foundation's name to code that isn't widely used, actively maintained, or may just be abandonware

That's why I'm allergic to Apache software. A lot of it is overengineered, insecure, legacy abandonware.