Securing the Fundamentals: Our Support for Log4j

Log4j is as one of the most widely-used logging libraries, integral to the functionality of nearly every Java-based software application. Its significance cannot be overstated, as it forms the backbone of logging mechanisms for countless digital systems worldwide. In December 2021, Log4j faced global scrutiny due to security vulnerabilities, a revelation that not only exposed potential risks but also served as a catalyst for the creation of the Sovereign Tech Fund.

Three maintainers prepared to focus on this open source project—two are leaving full-time positions to do so—are Christian Grobmeier, Piotr Karwasz, and Volkan Yazıcı, all members of the Apache Logging Services team and project management committee (PMC), the group that governs the Log4j project. Until now, the core maintainers, including prominent developers like Christian Grobmeier, had not received substantial financial support for their critical open source work.

More about STF and Log4j

The Log4j case epitomizes the neglect often faced by essential components of our digital infrastructure. Despite widespread attention and concerns about vulnerabilities, it marks the first time that a key contributor, Christian Grobmeier, has received financial backing for his dedication to critical open source projects.

This underscores the transformative impact that Sovereign Tech Fund's engagement makes in security for essential open source software components and the maintenance of our shared digital infrastructure.

Since the Log4j team has been at work for a few months already, the first milestones are already making an impact on Log4j’s long-term viability.

1. The team has started to implement a release pipeline: infrastructure, to release software automatically, faster, and more reliably.
2. They have started to modernize the code base and dependencies, so everything is properly maintained and up to date.
3. Finally, they have enabled a “Software Bill of Materials” (SBOM) and a “Vulnerability Disclosure Report” (VDR).

Both are new standards for understanding the software supply chain better, helping enterprises and users to understand if they are affected by published security vulnerabilities. At the Apache Software Foundation, the Log4j (logging) team is now among the first to implement this at this scale, allowing others to replicate.

The Sovereign Tech Fund has commissioned this dedicated team of three developers for a comprehensive project improving Log4j, spanning from September 2023 through the end of 2024. This project involves 30 milestones, encompassing structural enhancements, security initiatives, maintenance, and documentation. The milestones and deliverables are recognized as addressing common pain points by the rest of the PMC. The team expects PMC consensus for the delivery of these features in the form of releases.

The Sovereign Tech Fund's commitment totals to €596,160 for this crucial project, reflecting our dedication to enhancing the security, reliability, and long-term sustainability of Log4j. The Sovereign Tech Fund is funded by the German Federal Ministry for Economic Affairs and Climate Action (BMWK).