Waiting for AOO

Benefits for LWN subscribers The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

Eleven months ago, Dennis Hamilton, the chair of the Apache OpenOffice (AOO) project's project management committee at the time, raised the idea of winding the project down. He worried that AOO lacked a critical mass of developers to keep things going, and that no new developers were coming in to help. At the time, various defenders came forward and the project decided to try to get back on track. Nearly a year later, a review of how that has gone is appropriate; it does not appear that the situation has gotten any better.

The project did manage to get the 4.1.3 bug-fix release — its first in nearly one year — out in October, but has not made any releases since. At the time, the plan was to move quickly to release 4.1.4, followed by a 4.2.0 feature release shortly thereafter. The 4.1.4 branch was created on October 11, shortly before the 4.1.3 release. Since then, it has accumulated 24 changesets (which map to about 30 changes in the original SVN repository). There have only been four commits to this branch since early February, at least one of which includes security fixes.

In September, Ariel Constenla-Haile volunteered to be the manager for the 4.1.4 release, but then vanished without a trace in February. In May, Jim Jagielski asserted that he was now the release manager, and said that "we should shoot for a release next week at the latest". Jagielski was last seen on the development mailing list on June 19, though he made a commit to the 4.1.4 branch on August 1. All told, it would appear that the project is having significant trouble putting together a 30-patch minor release.

What about 4.2.0? There are currently 1,174 changesets by about 25 developers that have been merged to the AOO trunk since the 4.1.0 release. Of those, 294 (from a total of ten developers) have been merged since the beginning of September 2016. Three of those developers (Damjan Jovanovic, Matthias Seidel, and Pedro Giffuni) account for 85% of the changes made in that time. Giffuni expressed his disappointment at the lack of progress in March, and has committed no changes since.

In other words, the project does have a bit of feature work stored on its trunk representing development done since the 4.1 release in April 2014, but that work does not appear to have much prospect of finding its way into an official release anytime soon. For all practical purposes, only two developers are doing any sort of regular work on the code.

Last year, the Apache board was evidently concerned about AOO's ability to sustain itself and keep up with responsibilities like security releases. So it is interesting to see how AOO is representing itself to the board. The April report is the latest available as of this writing; with regard to development, the report says:

The arrival of new developers has slowed down more than ever. But there are indeed people willing to dig into the code. But with our low number of developers assignments and mentoring it's slow by itself. Next Steps: Improving the mentoring of newcomers and expanding the capacity to address major issues as part of new releases.

Signs of progress on the "next steps" have been fairly scarce in the intervening months. With regard to security issues:

To make it short: The work on security report is low. Also because not every developer has the time to dig deep into analyzing and fixing. However, we expect to see an increasing analysis and fixing in general in the next months.

Again, if that analysis is happening, it's not evident on the public mailing list.

The LibreOffice project reported in May on its use of Google's OSS-Fuzz to identify (and fix) possible security issues. The LibreOffice code base has moved on significantly since the fork, and the LibreOffice developers have doubtless been quite productive in the introduction of their own security bugs. But it stands to reason that some of those bugs may have also existed in AOO. If so, they are still there. It is also interesting to note that the January board report stated that "there will be at least one security fix in the under-development release 4.1.4". One has to look at the Wayback Machine to see it, though; that text has been removed from the official version on the Apache site.

All of this might be irrelevant except for one other little bit from the report to the Apache board: "As of 2017-Apr-12 we have more than 214,000,000 million [sic] downloads and it is still at a consistent rate with ~100,000 downloads in average per day". That is 100,000 people every day who are downloading the output of a project that clearly lacks the development capacity to get important bug fixes out to users, much less understand and improve the entirety of such a massive body of code.

In the wake of the 2016 discussion, the project deserved another chance to show that it could reinvigorate itself. Nearly one year later, it seems clear that AOO lacks the developer interest needed for it to be a sustainable project. Sooner or later, the Apache board is going to have to face up to that fact.

