ASF 2025 Year in Review: Building for Resilience and Growth

As 2025 comes to a close, The ASF reflects on a year defined by steady progress across a wide range of efforts that support our mission and communities. From advancing open source security and policy standards, to strengthening project incubation, modernizing Foundation tooling, and sustaining our work through generous support, this recap showcases some of the key highlights for The ASF this year. While each section reflects a distinct area of focus, together they illustrate a shared commitment to building resilient, trusted, and community-led open source software for the public good.

Open Source Public Policy & SBOM 

By: Dirk-Willem van Gulik, VP Public Policy and Piotr P. Karwasz, Security Team Member

2025 closed with meaningful progress for open source software security and supply chain transparency, particularly around SBOM and vulnerability standards that directly impact the Apache Software Foundation and its communities. Three key ECMA standards were ratified and advanced toward international adoption, strengthening the global policy and compliance landscape.

  • CycloneDX 1.7 (ECMA-424, 2nd edition) was approved, introducing standardized cryptographic algorithm naming, improved license expressions, and a new isExternal property to better distinguish included versus non-included dependencies—helping clarify long-standing ambiguity around shaded dependencies in Java. ASF contributors played an active role in shaping these updates. The standard is now being advanced through the ISO/IEC JTC 1 fast-track process. 
  • Package-URL (ECMA-427) reached formal ECMA standard status and will also be submitted to ISO/IEC JTC 1. In a major milestone, Package-URL became a first-class identifier in CVE records with the CVE Program’s 5.2.0 format release, further cementing its role in vulnerability management and policy alignment. 
  • Common Lifecycle Enumeration (ECMA-428) was ratified, providing a machine-readable way to publish release and end-of-life events. Apache Trusted Releases is expected to be among the early adopters, reinforcing transparent lifecycle communication. 
  • The Python Packaging Authority has adopted PEPs that move the Python community in a good direction: PEP 770 (Improving measurability of Python packages with Software Bill-of-Materials), PEP 751 (A file format to record Python dependencies for installation reproducibility), and PEP 792 (Project status markers in the simple index) are three examples driven by software supply chain security. These efforts go hand-in-hand with, and will eventually converge on, the industry standards defined by ECMA and similar bodies.
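
Package-URL's value for vulnerability management comes from the fact that a purl is a fully specified string: type, namespace, name, version, qualifiers and subpath, with fixed rules for decoding and canonicalising each part, so that a CVE record, an SBOM and a package index all name the same component the same way. The parser below is an added example written for this page, not code from the ECMA-427 specification, the CVE Program or any ASF project. It implements the decomposition order the specification prescribes and a small subset of the type-specific normalisation rules (pypi, npm, github, bitbucket); the formatter deliberately percent-encodes everything outside the unreserved set, which is lossless but not always the shortest canonical string.

```python
"""Package-URL (purl) parser and canonical formatter.

Follows the ECMA-427 decomposition order: subpath, qualifiers, scheme,
type, version, name, namespace, percent-decoding each component.
Type-specific name normalisation is shown for a few common types only.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


class PurlError(ValueError):
    """Raised for strings that are not valid Package-URLs."""


def _enc(s: str) -> str:
    # Conservative encoder: everything outside the unreserved set is percent-encoded,
    # which keeps '@', '/', '?', '#' and ':' out of components where the spec forbids them.
    return quote(s, safe="")


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    def __str__(self) -> str:
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(_enc(seg) for seg in self.namespace.split("/")) + "/"
        out += _enc(self.name)
        if self.version:
            out += "@" + _enc(self.version)
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={_enc(v)}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(_enc(seg) for seg in self.subpath.split("/"))
        return out


def _split_right(s: str, sep: str) -> tuple:
    """Split once on the right-most `sep`; the right part is '' when `sep` is absent."""
    if sep not in s:
        return s, ""
    left, _, right = s.rpartition(sep)
    return left, right


def parse_purl(purl: str) -> Purl:
    s = purl.strip()
    s, subpath_raw = _split_right(s, "#")          # 1. subpath
    s, qualifiers_raw = _split_right(s, "?")       # 2. qualifiers
    scheme, _, s = s.partition(":")                # 3. scheme
    if scheme.lower() != "pkg" or not s:
        raise PurlError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    ptype, _, s = s.strip("/").partition("/")      # 4. type, case-insensitive
    ptype = ptype.lower()
    if not ptype or not s:
        raise PurlError(f"purl needs a type and a name: {purl!r}")
    s, version_raw = _split_right(s, "@")          # 5. version
    version = unquote(version_raw) or None
    namespace_raw, _, name_raw = s.rpartition("/") if "/" in s else ("", "", s)  # 6. name
    name = unquote(name_raw)
    if not name:
        raise PurlError(f"purl name is required: {purl!r}")
    # 7. namespace: '/'-separated segments, each percent-decoded, empty ones dropped
    namespace = "/".join(unquote(seg) for seg in namespace_raw.split("/") if seg) or None

    qualifiers = {}
    for pair in filter(None, qualifiers_raw.split("&")):
        key, _, value = pair.partition("=")
        value = unquote(value)
        if value:                                  # an empty value means "absent"
            qualifiers[key.lower()] = value

    # '.' and '..' subpath segments are discarded, not resolved, per the spec
    subpath = "/".join(unquote(seg) for seg in subpath_raw.split("/")
                       if seg not in ("", ".", "..")) or None

    # Type-specific canonical forms (subset): pypi names are case-insensitive with '_' == '-';
    # npm, github and bitbucket names are case-insensitive.
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("npm", "github", "bitbucket"):
        name = name.lower()
        if namespace and ptype != "npm":
            namespace = namespace.lower()
    return Purl(ptype, name, namespace, version, qualifiers, subpath)
```

A practical consequence of the rules above: two SBOM entries for `pkg:PyPI/Django_Rest_Framework` and `pkg:pypi/django-rest-framework` are the same package and must match the same CVE, which is why matching on the raw string rather than the canonical form produces both false negatives and duplicate findings.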

Beyond standards, VEX adoption continued to mature:

Together, these milestones reflect strong momentum in 2025 toward clearer standards, improved tooling, and deeper open source engagement in global software security policy. 

Incubator & Community Development

By: Justin Mclean, VP Apache Incubator

The Apache Incubator had a strong year in 2025, reflecting continued momentum across the Foundation’s project pipeline and community health efforts. Ten podlings graduated—an increase over last year—including Gravitino, DevLake, HertzBeat, Fory, Wayang, Uniffle, StreamPark, StormCrawler, Teaclave, and Training—underscoring the vitality and diversity of new Apache projects.

Mentor participation and reporting improved notably, supported by clearer onboarding expectations and the launch of new Training Hub resources. These updates strengthened guidance around podling health, governance, and graduation readiness. In parallel, the Incubator leveraged AI to analyze two decades of mailing-list discussions, helping inform new governance guides and training materials grounded in long-term community experience and proven best practices.

A key takeaway from 2025 was the impact of early structure: podlings that established governance and release practices early tended to progress more smoothly through incubation. Several projects completed their first releases within six months, reinforcing a trend toward earlier, more transparent release practices.

Looking ahead, planned efforts include improving mentor onboarding, expanding data-driven podling health metrics, and providing clearer guidance to help podlings adopt consistent governance patterns earlier—further strengthening the Foundation’s project lifecycle in the year to come.

Tooling Initiative

By: Dave Fisher, VP Tooling

Over the past year, the ASF has advanced key efforts to modernize how our software is released and governed. This post highlights progress on Apache Trusted Releases (ATR) and the Board Agenda Tool (BAT), along with related security, tooling, and standards work that strengthens release integrity, improves oversight, and supports ASF projects in delivering trusted software at scale.

Secure distribution platform for ASF software releases
To modernise ASF release security practices we built a distribution platform, Apache Trusted Releases (ATR), with three aims:

  • Standardize the release process to help projects make better, more secure releases.
  • Provide details about project releases to everyone.
  • Provide proof of reproducible builds and of the creation and validation of SBOMs, and increase co-operation between Foundations on standards.

ASF director review platform

The Board Agenda Tool (BAT) aims to modernize and streamline how the Foundation’s directors review over 100 reports per month from over 200 officers about our projects. This is critical to ensure that our projects continue to produce secure releases following our Release Policies.

Accomplishments

  • ATR functional and in alpha test. We are advancing towards beta with an increasing number of users giving test feedback. After this testing phase we plan to move into a production beta. We have received valuable usability feedback guiding us to make further improvements. Users have been grateful for the wide range of features, such as the six different upload methods we offer to cater for all needs: Trusted Publishing with GitHub Actions, rsync, browser forms, OpenAPI, CLI, and import from the legacy Subversion repository. Users have also responded well to our automated artifact checkers.
  • Trusted Publishing with GitHub OIDC. Projects with reproducible builds at the ASF are allowed to build release candidates on GitHub. We wanted to enable these projects to upload their build output artifacts to ATR using Trusted Publishing, and successfully implemented this. We then went a step further and produced GitHub Actions to make the interface even easier.
  • Validator and augmentor for SBOMs compliance and enrichment. We analysed existing SBOMs of ASF projects and often found mistakes and the lack of many potentially useful fields. We wrote a validator after reviewing the state of the art for SBOM validation, and an augmentor that can fix some of these problems. In one real world case we found that our augmentor reduced 2,715 elements missing for NTIA compliance to just 10. We aim to use these tools to help our users improve their generation processes, and also to provide a fallback to projects that want an interim SBOM solution.
  • Vote tabulation system. Software can only be released at the ASF after being voted on, and the vote must be counted manually by the release manager. We wrote a tool to assist release managers by tabulating as many votes as possible automatically using heuristics. We then integrated this tool into ATR.
  • Reusable tools for ASVS auditing. To ensure that ATR is secure, we set OWASP ASVS compliance as a major security goal. To prevent infringements of its criteria before they happen, we developed editor and pre-commit integrations that check documented conventions; to detect infringements after they happen, we developed LLM pipelines for human review, type checker integrations, and bespoke AST analysis tools. We aim to eliminate entire classes of bugs, not just individual instances, as early as possible in the development cycle.
  • MFA implementation. We co-operated with the ASF Infrastructure team on a comprehensive MFA solution for the Foundation, configured to cover the many edge cases that are required at the ASF. ASF Infra is now turning our work into the production MFA system to be used at the ASF. The new MFA system will be used for ATR, securing access.
  • Specification for universal scannable tokens. Tokens are secret values, but are often leaked accidentally in, for example, server logs or configuration files. There are some existing conventions to make it easier to scan for such tokens, but no universal standard which has considered all of the criteria. We created such a specification along with a FAQ, taking the lead and working with other teams within the ASF. Since this is designed as a universal standard, we hope for it to be adopted beyond the ASF.
  • Discovery of vulnerable GitHub account associations. We learned, thanks to work from the Python Software Foundation, that GitHub user names are malleable string identifiers (a login can be renamed, released and re-registered by someone else) and are therefore subject to account resurrection attacks. We analysed the thousands of accounts at the ASF looking for subtle clues as to which associations may be vulnerable. This detective work led to the discovery of 30 such vulnerable accounts, and we then worked with ASF Infra to remediate the issues.
  • Secure and misuse-resistant storage access interface. In ATR it is essential that authorisation be conducted pervasively, in depth. We designed a typed storage interface that makes authorisation requirements explicit in code, preventing developers from writing code that accidentally bypasses security checks. The pattern of types that we used for the storage interface was designed to be reusable in our future projects.
  • Structured data version of the ASF license policy. The ASF sets complex license policy requirements on its participants. This list was only available as prose in an HTML document, so we painstakingly converted it to a machine readable version using SPDX license expressions where they existed. We are currently working with ASF Legal to integrate the results of our work into the wider Foundation.
  • Feedback on the CISA 2025 recommendations. CISA has inherited the task of creating a new version of the NTIA minimum elements guidelines for SBOMs. We have been engaging in security standards work by contacting existing stakeholders and participants, and one of our key contributions was providing feedback to CISA about their new draft version by liaising with ASF Security. Our aim was to create a compelling case for the future shape of this federal security guidance.
  • Replacement of a prior tool for directors with the BAT. The BAT project is private. We took over a multi-year effort to replace a prior, difficult-to-use tool, and completed the transition to a much improved solution. As we continue to modernize our tooling we will alter the tool in order to provide the Board of Directors the information they require, which will include the latest information about releases from ATR.
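
The Trusted Publishing item above relies on the release service verifying a short-lived OIDC token minted by GitHub Actions and then pinning its claims to one repository and one reviewed release workflow. The following is an added example of that claim-pinning step, not ATR's implementation; the policy values, repository ids and claim set are constructed, and the code assumes the JWT signature was already verified against GitHub's published JWKS, without which the claims prove nothing.

```python
"""Claim pinning for GitHub Actions OIDC tokens presented to a release service.

This runs AFTER the JWT signature has been verified against GitHub's JWKS
(https://token.actions.githubusercontent.com/.well-known/jwks); claim checks
without signature verification prove nothing.
"""
import time
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustPolicy:
    """What one project may publish from. All values here are hypothetical."""
    audience: str              # the `aud` the workflow must request for this service
    repository: str            # "owner/repo"
    repository_id: str         # numeric repository id; survives renames and resurrection
    repository_owner_id: str   # numeric owner id, for the same reason
    workflow_file: str         # the one workflow path allowed to publish
    allowed_events: frozenset = frozenset({"push", "workflow_dispatch", "release"})
    environment: Optional[str] = None   # require a protected environment when set


def check_claims(claims: dict, policy: TrustPolicy, now: Optional[float] = None) -> list:
    """Return every policy violation; an empty list means the token may publish."""
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("issuer is not GitHub Actions")
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch: token was minted for another service")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("token expired or not yet valid")

    # Pin the numeric ids, not only the names: a renamed-then-re-registered
    # repository or owner keeps the name but gets a new id.
    if claims.get("repository") != policy.repository:
        problems.append("repository name mismatch")
    if str(claims.get("repository_id")) != policy.repository_id:
        problems.append("repository_id mismatch (renamed or resurrected repository?)")
    if str(claims.get("repository_owner_id")) != policy.repository_owner_id:
        problems.append("repository_owner_id mismatch (renamed or resurrected owner?)")

    # Only release-shaped runs: no pull_request (fork code), built from a tag,
    # and from the one workflow file that is reviewed as the release workflow.
    if claims.get("event_name") not in policy.allowed_events:
        problems.append(f"event {claims.get('event_name')!r} may not publish")
    ref = str(claims.get("ref", ""))
    if claims.get("ref_type") != "tag" or not ref.startswith("refs/tags/"):
        problems.append("release artifacts must be built from a tag")
    expected_wf = f"{policy.repository}/{policy.workflow_file}@{ref}"
    if claims.get("job_workflow_ref") != expected_wf:
        problems.append(f"job_workflow_ref is not {expected_wf}")
    if policy.environment and claims.get("environment") != policy.environment:
        problems.append(f"environment {policy.environment!r} required")
    return problems


# Constructed sample: a policy and the claims a conforming release run would carry.
POLICY = TrustPolicy(audience="example-release-service", repository="example-org/widget",
                     repository_id="123456789", repository_owner_id="987654321",
                     workflow_file=".github/workflows/release.yml", environment="release")

GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "example-release-service",
    "sub": "repo:example-org/widget:environment:release",
    "nbf": 1_700_000_000, "iat": 1_700_000_000, "exp": 1_700_000_600,
    "repository": "example-org/widget", "repository_id": "123456789",
    "repository_owner": "example-org", "repository_owner_id": "987654321",
    "event_name": "push", "ref": "refs/tags/v1.2.0", "ref_type": "tag",
    "workflow_ref": "example-org/widget/.github/workflows/release.yml@refs/tags/v1.2.0",
    "job_workflow_ref": "example-org/widget/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment": "release", "runner_environment": "github-hosted",
}
NOW = 1_700_000_100


def demo() -> dict:
    """Evaluate the good token and three common misconfigurations."""
    branch = {**GOOD_CLAIMS, "ref": "refs/heads/main", "ref_type": "branch",
              "job_workflow_ref": "example-org/widget/.github/workflows/release.yml@refs/heads/main"}
    return {
        "good": check_claims(GOOD_CLAIMS, POLICY, NOW),
        "branch_build": check_claims(branch, POLICY, NOW),
        "pull_request": check_claims({**GOOD_CLAIMS, "event_name": "pull_request"}, POLICY, NOW),
        "resurrected_repo": check_claims({**GOOD_CLAIMS, "repository_id": "555"}, POLICY, NOW),
    }
```

The `repository_id` and `repository_owner_id` checks are what defend against the renamed-then-resurrected accounts described in the account-association item above: a policy keyed on `owner/repo` alone would accept a token from whoever registers the abandoned name.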
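
The SBOM validator and augmentor item refers to NTIA's minimum elements, which for a CycloneDX document map onto a handful of fields. The following is an added example of such a check and of the limited augmentation that is safe to do mechanically; it is written for this page, not the Tooling team's validator, and the sample BOM is constructed. The split it demonstrates is the important one: a `bom-ref` or a node in the dependency graph can be derived from what is already in the document, but a missing supplier or version has to be fixed where the SBOM is generated.

```python
"""NTIA minimum-element check for a CycloneDX JSON SBOM, with a small augmentor
for the elements that can be derived from what is already in the document."""
import copy
from datetime import datetime, timezone

# NTIA "minimum elements" (2021) mapped onto CycloneDX JSON fields:
#   supplier name            -> component.supplier.name
#   component name           -> component.name
#   component version        -> component.version
#   other unique identifier  -> component.purl | cpe | swid
#   dependency relationship  -> dependencies[].ref / dependsOn
#   author of SBOM data      -> metadata.authors (metadata.tools accepted as a fallback)
#   timestamp                -> metadata.timestamp


def _all_components(bom: dict) -> list:
    root = bom.get("metadata", {}).get("component")
    return ([root] if root else []) + list(bom.get("components", []))


def _refs_in_graph(bom: dict) -> set:
    refs = set()
    for d in bom.get("dependencies", []):
        refs.add(d.get("ref"))
        refs.update(d.get("dependsOn", []))
    refs.discard(None)
    return refs


def validate_ntia(bom: dict) -> list:
    """Return one finding per missing minimum element (empty list: conformant)."""
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata.authors missing (author of SBOM data)")
    if not meta.get("component"):
        findings.append("metadata.component missing (the software the SBOM describes)")
    graph = _refs_in_graph(bom)
    for c in _all_components(bom):
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier.name missing")
        if not c.get("name"):
            findings.append(f"{label}: name missing")
        if not c.get("version"):
            findings.append(f"{label}: version missing")
        if not any(c.get(k) for k in ("purl", "cpe", "swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if c.get("bom-ref") not in graph:
            findings.append(f"{label}: no dependency relationship recorded")
    return findings


def augment(bom: dict) -> dict:
    """Return a copy with the derivable elements filled in. Supplier, version and
    identifiers cannot be invented and are left for the producing tool to fix."""
    out = copy.deepcopy(bom)
    meta = out.setdefault("metadata", {})
    if not meta.get("timestamp"):
        meta["timestamp"] = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    deps = out.setdefault("dependencies", [])
    known = {d.get("ref") for d in deps}
    for c in _all_components(out):
        if not c.get("bom-ref") and c.get("purl"):
            c["bom-ref"] = c["purl"]          # a purl is unique within a BOM, so it is a valid bom-ref
        ref = c.get("bom-ref")
        if ref and ref not in known:          # every component becomes a node in the graph
            deps.append({"ref": ref, "dependsOn": []})
            known.add(ref)
    return out


# Constructed sample BOM with the kinds of gaps commonly seen in generated SBOMs.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {
        "component": {"bom-ref": "pkg:maven/org.example/app@1.0.0", "type": "application",
                      "name": "app", "version": "1.0.0", "purl": "pkg:maven/org.example/app@1.0.0",
                      "supplier": {"name": "Example Org"}},
    },
    "components": [
        {"type": "library", "name": "commons-io", "version": "2.16.1",   # no bom-ref, not in graph
         "purl": "pkg:maven/commons-io/commons-io@2.16.1",
         "supplier": {"name": "The Apache Software Foundation"}},
        {"bom-ref": "lib-b", "type": "library", "name": "libb",          # no supplier, no version
         "purl": "pkg:generic/libb"},
    ],
    "dependencies": [{"ref": "pkg:maven/org.example/app@1.0.0", "dependsOn": ["lib-b"]}],
}
```

Run on the sample, `validate_ntia` reports five gaps and `augment` closes the two structural ones (timestamp and the missing graph node for commons-io); the remaining three, the SBOM author and libb's supplier and version, are exactly the ones no post-processor can honestly fill.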
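
The scannable-token item describes a format that lets secret scanners find leaked tokens reliably. The following added example shows the general technique with a hypothetical `exmpl_` prefix and constructed log lines; it is not the ASF specification and does not reproduce its choices. Three properties do the work: a distinctive prefix for cheap candidate matching, a restricted alphabet and fixed length so the match boundary is unambiguous in logs and shell output, and an embedded checksum so the scanner can reject look-alikes without an online check against the issuer.

```python
"""A scannable secret-token format: distinctive prefix, fixed length, restricted
alphabet and an embedded checksum, so that a secret scanner can both find candidate
tokens in logs or configuration and reject look-alikes without calling the issuer."""
import re
import secrets
import zlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # base62: URL-, shell- and log-safe
PREFIX = "exmpl_"     # hypothetical; a real specification registers one prefix per issuing service
RANDOM_LEN = 30       # base62 chars of CSPRNG output, about 178 bits of entropy
CHECK_LEN = 6         # base62 digits hold a CRC32 (62**6 > 2**32)
TOKEN_LEN = len(PREFIX) + RANDOM_LEN + CHECK_LEN

# Candidate pattern: the token may not be preceded or followed by another alphanumeric
# run, so the scanner does not match the middle of an unrelated identifier.
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z_])" + re.escape(PREFIX)
                      + r"[0-9A-Za-z]{%d}(?![0-9A-Za-z])" % (RANDOM_LEN + CHECK_LEN))


def _base62(n: int, width: int) -> str:
    out = []
    for _ in range(width):
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def _checksum(body: str) -> str:
    # CRC32 is a detection aid, not an integrity control: anyone can compute it.
    return _base62(zlib.crc32(body.encode("ascii")), CHECK_LEN)


def generate_token() -> str:
    body = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
    return PREFIX + body + _checksum(body)


def is_valid_token(candidate: str) -> bool:
    """Structural validity only: right prefix, length, alphabet and checksum."""
    if len(candidate) != TOKEN_LEN or not candidate.startswith(PREFIX):
        return False
    body, check = candidate[len(PREFIX):-CHECK_LEN], candidate[-CHECK_LEN:]
    if any(ch not in ALPHABET for ch in body + check):
        return False
    return secrets.compare_digest(_checksum(body), check)


def scan(text: str) -> list:
    """Return every token occurrence in free text (for example a log file), look-alikes filtered out."""
    return [m for m in TOKEN_RE.findall(text) if is_valid_token(m)]


def demo() -> dict:
    """Constructed log lines: one token leaked twice and one decoy differing in a single character."""
    token = generate_token()
    decoy = token[:-1] + ("A" if token[-1] != "A" else "B")  # CRC32 detects any one-character change
    log = (f'203.0.113.9 - - "POST /upload?token={token} HTTP/1.1" 200\n'
           f"2025-12-01T10:00:00Z WARN retry with token {decoy}\n"
           f"TOKEN={token}\n")
    return {"token": token, "found": scan(log), "decoy_valid": is_valid_token(decoy)}
```

Because the checksum is computable by anyone, it buys precision for the scanner and nothing for the token's secrecy; the secrecy comes entirely from the random body, which is why that part is generated with `secrets` and never from a hash of something guessable.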
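
The account-association item turns on one fact: a GitHub login can be renamed and the old name is then free for anyone to register, so a link that was stored by login alone may now point at a stranger, while the numeric user id never changes. The following added example, with constructed data, shows three checks such an audit can run using only the public user record; it is one set of heuristics written for this page, not the analysis the Tooling team performed.

```python
"""Find committer-to-GitHub links that can be hijacked by account resurrection.

A GitHub login can be renamed; the old name is then free for anyone to register.
Only the numeric user id is stable, so a link recorded by login alone may now
point at a stranger. Constructed data throughout; the checks are one set of
heuristics, not the ASF's."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Link:
    """One stored association between an ASF account and a GitHub account."""
    asf_id: str
    github_login: str
    github_user_id: Optional[int]   # numeric id captured at link time, or None if only the login was kept
    linked_at: datetime


@dataclass(frozen=True)
class GitHubUser:
    """The fields of GET /users/{login} the audit needs."""
    login: str
    id: int
    created_at: datetime


def audit_links(links, lookup: Callable[[str], Optional[GitHubUser]]) -> dict:
    """Map asf_id -> finding for every link that must not be trusted as-is."""
    findings = {}
    for link in links:
        user = lookup(link.github_login)
        if user is None:
            findings[link.asf_id] = "login no longer exists: anyone can register it"
        elif link.github_user_id is not None and user.id != link.github_user_id:
            findings[link.asf_id] = (f"login now belongs to a different account "
                                     f"(id {link.github_user_id} -> {user.id})")
        elif link.github_user_id is None and user.created_at > link.linked_at:
            # Without a stored id, creation date is the only clue: an account younger
            # than the link cannot be the one that was linked.
            findings[link.asf_id] = "account created after the link was made: possible resurrection"
    return findings


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed snapshot of what GitHub reports for these logins today.
DIRECTORY = {
    "alice-dev": GitHubUser("alice-dev", 1001, _dt("2015-03-01")),
    "bob": GitHubUser("bob", 7777, _dt("2025-09-10")),      # original 'bob' (id 2002) renamed away; name re-registered
    "carol": GitHubUser("carol", 3003, _dt("2025-11-02")),  # created after carol's 2019 link; no id was stored
}
LINKS = [
    Link("alice", "alice-dev", 1001, _dt("2020-01-15")),
    Link("bob", "bob", 2002, _dt("2018-06-30")),
    Link("carol", "carol", None, _dt("2019-04-02")),
    Link("dave", "dave-old-login", 4004, _dt("2017-08-08")),
]


def demo() -> dict:
    return audit_links(LINKS, DIRECTORY.get)
```

The remediation the audit points to is the same in both directions: store the numeric id alongside the login when a link is created, and resolve by id thereafter; where a login must be used (for example an OIDC `repository_owner` claim), pair it with the corresponding `*_id` claim.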
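
The storage-interface item describes authorisation made explicit in the types a storage layer accepts. The following added example shows one way to do that in Python; it is not ATR's code, and the two-role policy (anyone may read, only the project's PMC may write) is an assumption. The shape is what matters: storage methods take a grant rather than a principal, the grant can only be minted by the one policy function, and the grant carries the action and resource it was issued for, so a read grant cannot be replayed as a write.

```python
"""A storage interface where authorization is a value the type system demands.

The storage methods take an `Authorized` grant, never a principal or a bare path,
and the only way to obtain a grant is `authorize()`. A call site that skips the
check does not type-check (mypy: expected Authorized[ReleaseRef], got Principal)
and does not run (the grant constructor refuses callers other than authorize()).
Example code, not ATR's; the role model is an assumption."""
from dataclasses import dataclass
from typing import Generic, TypeVar

R = TypeVar("R")


@dataclass(frozen=True)
class Principal:
    name: str
    pmc_memberships: frozenset = frozenset()


@dataclass(frozen=True)
class ReleaseRef:
    """The resource: a release candidate owned by one project."""
    project: str
    version: str


class AuthorizationError(PermissionError):
    pass


_MINT = object()   # private capability: only authorize() in this module passes it


class Authorized(Generic[R]):
    """Proof that `principal` may perform `action` on `resource`."""
    __slots__ = ("principal", "action", "resource")

    def __init__(self, principal: Principal, action: str, resource: R, _token: object = None):
        if _token is not _MINT:
            raise TypeError("Authorized grants are issued by authorize() only")
        self.principal, self.action, self.resource = principal, action, resource


def authorize(principal: Principal, action: str, release: ReleaseRef) -> "Authorized[ReleaseRef]":
    """The single policy decision point: anyone may read, only the project's PMC may write."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    if action == "write" and release.project not in principal.pmc_memberships:
        raise AuthorizationError(f"{principal.name} may not write {release.project}")
    return Authorized(principal, action, release, _token=_MINT)


class ReleaseStorage:
    """Every operation re-checks that the grant fits both the action and the resource;
    the path is derived from the grant, so a caller cannot point it elsewhere."""

    def __init__(self) -> None:
        self._blobs = {}

    def write(self, grant: "Authorized[ReleaseRef]", filename: str, data: bytes) -> None:
        if grant.action != "write":
            raise AuthorizationError("a read grant cannot be used to write")
        self._blobs[(grant.resource.project, grant.resource.version, filename)] = data

    def read(self, grant: "Authorized[ReleaseRef]", filename: str) -> bytes:
        return self._blobs[(grant.resource.project, grant.resource.version, filename)]


def demo() -> dict:
    """Constructed scenario: a PMC member and an outsider acting on the same release."""
    store = ReleaseStorage()
    rc = ReleaseRef("widget", "1.2.0-rc1")
    pmc = Principal("alice", frozenset({"widget"}))
    outsider = Principal("mallory")
    store.write(authorize(pmc, "write", rc), "widget-1.2.0.tar.gz", b"tarball")
    results = {"read_back": store.read(authorize(outsider, "read", rc), "widget-1.2.0.tar.gz")}
    try:
        authorize(outsider, "write", rc)
    except AuthorizationError:
        results["outsider_write"] = "denied"
    try:
        store.write(authorize(outsider, "read", rc), "widget-1.2.0.tar.gz", b"tampered")
    except AuthorizationError:
        results["read_grant_write"] = "denied"
    try:
        Authorized(outsider, "write", rc)       # forging a grant without the policy check
    except TypeError:
        results["forged_grant"] = "rejected"
    results["unchanged"] = store.read(authorize(outsider, "read", rc), "widget-1.2.0.tar.gz")
    return results
```

The runtime checks are a second line of defence; the primary one is that a reviewer, or a type checker, can see at every storage call site that a grant was obtained, and where, instead of having to audit each call for a forgotten permission check.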

Continued Growth Requires Continued Support

By: Sally Khudairi, VP Sponsor Relations

As we look back on 2025 —our 26th year in operation as a foundation— we are proud to continue to steward billions of dollars worth of essential open source software across hundreds of community-led projects used in every Internet-connected country on the planet.

Our commitment to providing software for the public good is amplified through the financial backing that helps ensure critical Apache software projects continue to be developed equitably in a diverse, trusted, vendor-neutral environment. All ASF software is available to the public at-large at 100% no cost or licensing fees.

The ASF is a US 501(c)(3) not-for-profit charitable organization. Financial donations help offset operational costs for Infrastructure, Legal Affairs, Accounting, Marketing, and more. These services directly benefit 300+ Apache Projects and their all-volunteer communities and help incubate the next generation of Open Source innovations.

Our deepest thanks to those whose generosity helps sustain the ASF. They include:

ASF Sponsors: Sponsorship is the primary method of supporting the ASF, and provides cash support to keep us running on a day-to-day basis. Contributions from ASF Sponsors at all levels —from Bronze to Platinum— are unrestricted and cover the Foundation’s general operating costs that include Infrastructure (roughly 70% of our +$2.5MM annual budget), Marketing and Publicity, Accounting, Fundraising, and Travel Assistance, among other allocations. Learn more at https://apache.org/foundation/sponsorship.html 

Targeted Sponsors: ASF Targeted Sponsors contribute cash or in-kind products and services for specific activities or programs, such as cloud and CI/CD credits for general Foundation use (benefitting any Project), funding a named Project/community activity, travel expenses to attend ASF official conferences, providing legal services, and more. We rely on this additional level of support every day to supplement our general operations provided by ASF Sponsorship funds. Learn more at https://apache.org/foundation/sponsorship.html#targeted-sponsorship 

Backers of ASF Initiatives: ASF Initiatives are new Foundation-wide projects or programs created to meet the growing global demand for ASF software that benefit the greater open source ecosystem. Launched over the past year, our first Initiative, ASF Tooling, is chartered to harden ASF Projects, underscore the ASF’s security posture, and improve security capabilities to meet the EU’s Cyber Resilience Act (CRA) and US’s CISA recommendations. The efforts and outcomes from the ASF Tooling Initiative help developers, CISOs, and Compliance teams ensure a more reliable ecosystem for all.

As larger-scale projects, ASF Initiatives have incremental budgets to sustain their progressive development across several years. The Tooling Initiative added $500K to the ASF’s annual budget in FY2025, and was made possible by seed funding by Alpha-Omega. Learn more at https://www.apache.org/foundation/initiatives 

Individual Donors: one-time, monthly, or annual contributions in any amount can be made online at any time via bank transfer/ACH, credit card, PayPal, and *Pay digital payments. The ASF received more than 500 individual donations during 2025, approximately 10% of which took place during the annual #GivingTuesday global fundraising movement. Donations welcome at https://donate.apache.org/ 

Corporate Contributions: corporate end-of-year philanthropic gifts augment our fundraising efforts through annual contributions, employee matching donations, cash donations for volunteer hours, and other programs that benefit nonprofits such as the ASF. Deploying remaining year-end budgets, ad-hoc donations, and structured corporate giving programs (such as those at Bloomberg, IBM, Microsoft, PayPal, and Vanguard, among others) support the ASF whilst offering tax benefits and promoting community involvement. Those organizations wishing to make a one-time or recurring corporate contribution may do so online, with larger gifts coordinated through the Fundraising team. Reach out to us at fundraising(AT)apache(DOT)org to discuss ways to support the ASF that best meet your philanthropic needs.

ASF innovations continue to define industries, shape communities, and launch countless mission-essential businesses whose users rely on Apache Projects in their personal and professional lives every day.

As demand for ASF Projects continues to grow, we need your support more than ever.

Your support keeps our 300+ all-volunteer projects and their communities functioning 24x7x365 across thousands of mailing lists, code repositories, bug tracking systems, Web servers, continuous integration systems, bandwidth, electricity, cooling, administrative staff, and more. We continue to run a very lean organization, and spend less than 10% of our annual budget on overhead.

Donating to the ASF (tax-deductible where permitted by law) is well-suited for organizations seeking to make an impact across the global tech ecosystem. Corporate philanthropists, technology vendors, and user organizations support the ASF not only to alleviate existential necessity but also to meet strategic corporate social responsibility goals.

We are deeply grateful for your support alongside us on this journey. Thank you for your generous consideration!

# # #
