struts-user mailing list archives

From Christian Grobmeier <>
Subject Re: Apple sec breach.. Struts?
Date Fri, 02 Aug 2013 09:14:32 GMT
On Fri, Aug 2, 2013 at 7:01 AM, Jim Macalister <> wrote:
> To get to my point. Struts2 is a great framework and we do use it for
> production systems. I think we should all contribute at least by donating
> directly to the struts2 developers. This will ensure the life of the
> project as well. I suggest that the core developers should be compensated
> for their efforts and i am willing to donate with no contract. I am sure
> this will free the developers from other tasks.
> Please set up a mechanism for us to donate.

Thanks Jim.

Within the ASF we only provide a mechanism to donate to the ASF itself.
All projects will benefit from it. See:

If you would like to support individual developers then currently you
need to contact them
directly or check out their websites if they accept donations.

Also sometimes we run small community events, like the Strutsathon:
At this event, 4 committers of Struts are participating and travel at their own cost.
You can of course donate here too to reduce traveling cost or for dinner.


> Regards
> On Wed, Jul 31, 2013 at 5:30 PM, Paul Benedict <> wrote:
>> I'll voice my personal opinion.
>> No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
>> is the responsibility of all IT shops to do a security vulnerability
>> assessment before first releasing to production and after each update. That
>> is "Security 101" because there are a multitude of attack vectors that can be
>> exploited through any inadvertent mistake here and there. Sometimes the
>> mistake will be in your code, sometimes it will be in third party
>> dependencies, but you own the final product so you must take responsibility
>> for the entire product.
>> Did a company like Apple, who sits on billions of cash, do that? I don't
>> know. I hope they did because that would be performing due diligence. They
>> are not poor by any means. I'll hope for the best here.
>> Lastly, it cannot be ignored that Struts is a free product built by
>> volunteers. The work done here is long, arduous, and passionate -- and on a
>> budget of $0. There is no money coming in to fund anything expensive.
>> Unlike some other Apache projects where corporations (like IBM) are funding
>> development, no one is funding Struts. You get the best that volunteers can
>> do without them receiving a dime. The obvious implication is that you, who
>> consume volunteer work for free, must take the product "as is" and do your
>> part of making sure your application is secure.
>> PS: If you find a security vulnerability in Struts, please privately report
>> it to so it can be fixed.
>> Cheers,
>> Paul

