For a change I'm ahead of the submission deadline (Wednesday 13th May), so draft board report for review below, let me know if you have anything to add/amend/remove.
----- 8< -----

## Description:
The mission of HTTP Server is the creation and maintenance of software related to Apache Web Server (httpd)

## Project Status:
Current project status: Ongoing, moderate activity
Issues for the board: None

## Membership Data:
Apache HTTP Server was founded 1995-02-27 (31 years ago)
There are currently 126 committers and 55 PMC members in this project.
The Committer-to-PMC ratio is roughly 2:1.

Community changes, past quarter:
- Vincent Deffontaines was added to the PMC on 2026-04-10
- No new committers. Last addition was Emmanuel Dreyfus on 2022-11-05.

## Project Activity:
Like other high profile open source projects, we have seen an extraordinary surge in the number of security vulnerabilities being reported since February when the project last reported to the Board - unsurprisingly driven by LLM analysis. As in my previous report, it remains true that the majority of the incoming reports are true positives (i.e. valid vulnerabilities), though it's likely we're rejecting a somewhat higher percentage of the reports than previously.

With several individuals reporting issue counts into double-digits, plus gaining access to some bulk analysis via the Alpha-Omega project, the backlog of (potential) vulnerabilities to process is growing faster than we can handle. Our security workflow and our people are struggling to cope. Only a small number of committers are active doing e-mail response, triage and patch review. Without a ticketing system, reports are likely to be missed, and our (labour intensive) workflow for handling fixes requires significant effort to address any single report.

We're experimenting with using AI/LLM-based agent tools to handle incoming reports, and there is some streamlining we can do to the workflow. If there is good news in this report, it is that most of the LLM-reported issues are rated Low or Moderate severity.

The project released 2.4.67 on May 4th, addressing eleven vulnerabilities - 1 rated Important severity, 2 rated Moderate and 8 rated Low. This is probably a record CVE count for any single release.

The PMC voted to archive/retire the "libapreq2" library, which we took over from the Perl PMC but has had little interest/development from committers in recent years.

Existing committer Vincent Deffontaines joined the PMC, and Giannis Christodoulou has also accepted an invite for both commit access and PMC membership.

## Community Health:
Mailing lists and Bugzilla were very busy this quarter, which is partly due to the release activity.

Rich Bowen has done an incredible job working through the entire backlog of documentation bugs, with a swathe of updates across both the web site and the httpd manual. Significantly more Bugzilla bugs closed in a quarter than were opened, which I can't remember being true at any time during my tenure as Chair.
