Securing the Fundamentals: Our Support for Log4j
By Powen Shiah
In Technologies
It is with great excitement that we announce the Sovereign Tech Fund's support of the continued development of Apache Log4j, a cornerstone in the architecture of Java-based software applications.
The Crucial Role of Log4j
Log4j is one of the most widely used logging libraries, integral to the functionality of nearly every Java-based software application. Its significance cannot be overstated, as it forms the backbone of logging mechanisms for countless digital systems worldwide. In December 2021, Log4j faced global scrutiny due to security vulnerabilities, a revelation that not only exposed potential risks but also served as a catalyst for the creation of the Sovereign Tech Fund.
The three maintainers who will focus on this open source project (two of them are leaving full-time positions to do so) are Christian Grobmeier, Piotr Karwasz, and Volkan Yazıcı, all members of the Apache Logging Services team and its project management committee (PMC), the group that governs the Log4j project. Until now, the core maintainers, including prominent developers like Christian Grobmeier, had not received substantial financial support for their critical open source work.
"I only believed it was true when the funds arrived in my account. With this funding, we are finally able to give Log4j more attention, making it secure for all the people who rely on us."
Addressing Neglect in Digital Infrastructure
The Log4j case epitomizes the neglect often faced by essential components of our digital infrastructure. Despite widespread attention and concerns about vulnerabilities, it marks the first time that a key contributor, Christian Grobmeier, has received financial backing for his dedication to critical open source projects.
This underscores the transformative impact that the Sovereign Tech Fund's engagement has on the security of essential open source software components and on the maintenance of our shared digital infrastructure.
“Some Log4j maintainers receive limited support from Tidelift or through GitHub Sponsors for their maintenance efforts. The amounts are mostly at a level that convey appreciation. No Log4j developers are funded to an extent which enables them to either work on the project full-time or accomplish the work STF is commissioning.”
Achievements so far
The Log4j team has been at work for a few months, and the first milestones are already making an impact on Log4j’s long-term viability.
- The team has started to implement a release pipeline: infrastructure for releasing software automatically, faster, and more reliably.
- They have started to modernize the code base and dependencies, so everything is properly maintained and up to date.
- Finally, they have enabled a “Software Bill of Materials” (SBOM) and a “Vulnerability Disclosure Report” (VDR).
Both are new standards for understanding the software supply chain better, helping enterprises and users determine whether they are affected by published security vulnerabilities. At the Apache Software Foundation, the Log4j (logging) team is now among the first to implement this at this scale, allowing others to replicate the approach.
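As an added illustration of how a user of Log4j can put these two documents to work (example code written for this page, not a Sovereign Tech Fund or Apache Logging Services tool), the script below cross-references a CycloneDX-style SBOM with a VDR to list only the findings that still affect a shipped component. It assumes the CycloneDX layout in which VDR entries point at SBOM components via `affects[].ref` and carry a project-supplied `analysis.state`; the two JSON documents and all identifiers in them are constructed placeholders.

```python
import json

# Constructed sample documents (placeholders, not real Log4j artifacts): a
# CycloneDX-style SBOM listing what a deployment ships, and a VDR whose
# vulnerability entries reference those components by bom-ref.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"bom-ref": "pkg:maven/example/log-core@2.0.0", "name": "log-core", "version": "2.0.0"},
    {"bom-ref": "pkg:maven/example/log-api@2.0.0",  "name": "log-api",  "version": "2.0.0"},
    {"bom-ref": "pkg:maven/example/json-lib@1.4.0", "name": "json-lib", "version": "1.4.0"}
  ]
}"""

VDR_JSON = """{
  "bomFormat": "CycloneDX",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:maven/example/log-core@2.0.0"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:maven/example/json-lib@1.4.0"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:maven/example/other@9.9.9"}],
     "analysis": {"state": "exploitable"}}
  ]
}"""

# Analysis states under which the project has closed a finding; anything
# else (exploitable, in_triage, or a missing analysis) stays actionable.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def actionable_vulnerabilities(sbom: dict, vdr: dict) -> dict:
    """Map each vulnerability id to the shipped component refs it still affects.
    A finding is reported only if one of its affected refs is a component in
    the SBOM and the VDR analysis has not closed it."""
    shipped = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    result = {}
    for vuln in vdr.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state in CLOSED_STATES:
            continue
        hits = sorted(a["ref"] for a in vuln.get("affects", []) if a.get("ref") in shipped)
        if hits:
            result[vuln["id"]] = hits
    return result

def check_deployment() -> dict:
    return actionable_vulnerabilities(json.loads(SBOM_JSON), json.loads(VDR_JSON))

if __name__ == "__main__":
    for vuln_id, refs in check_deployment().items():
        print(f"{vuln_id}: still affects shipped component(s) {', '.join(refs)}")
```

Of the three sample findings, only EXAMPLE-0001 is reported: EXAMPLE-0002 is closed by the project's analysis and EXAMPLE-0003 targets a component the deployment does not ship.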
Sovereign Tech Fund's Commitment
The Sovereign Tech Fund has commissioned this dedicated team of three developers for a comprehensive project improving Log4j, spanning from September 2023 through the end of 2024. The project involves 30 milestones, encompassing structural enhancements, security initiatives, maintenance, and documentation. The rest of the PMC recognizes the milestones and deliverables as addressing common pain points, and the team expects PMC consensus for delivering these features in the form of releases.
The Sovereign Tech Fund's commitment totals €596,160 for this crucial project, reflecting our dedication to enhancing the security, reliability, and long-term sustainability of Log4j. The Sovereign Tech Fund is funded by the German Federal Ministry for Economic Affairs and Climate Action (BMWK).
“By focusing on structural improvements, security, and documentation, we’re putting Log4j on firmer footing going forward. It will become easier for new contributors to join the project, and for current maintainers to work more effectively.”
STF invites the global tech community to join us in supporting and recognizing the people doing invisible labor in open source, ensuring the resilience and robustness of the digital infrastructure we rely on daily. Together, we’re strengthening the digital foundations that enable innovation and progress.