Hello here,

As many of you know, the Apache Airflow project has a long history and currently counts 74 committers, one of the largest groups in the ASF. Yet even during my long tenure in the project, I have only had the opportunity to interact with possibly around 50 of you directly - and with many of those it was a long time ago.
I understand that some of you may have moved on to new projects, retired from active development, or are simply taking a well-deserved break. Whatever the case may be, I want to express my gratitude for your past contributions to the project and for helping build what we have today. With that in mind, it might be a good idea to reconnect with each of you to hear how you are doing and learn whether you plan to return to the project in the future. We might even organize a casual virtual gathering for all past and present committers to celebrate the history of the project and reconnect as a community at some point - especially since with Airflow 3 we have, I think, reached a new height in terms of what Airflow is capable of, and celebrating it is a good idea.

However, I would also like to raise an important administrative topic concerning security, something that affects not just our project, but the broader open-source ecosystem - and something we discuss in the security committee.

## Why This Matters

Recent years have shown an alarming rise in software supply chain attacks by highly capable threat actors. Their methods vary:

- The XZ attack demonstrated how long-term trust can be exploited to gain harmful influence.
- Recent phishing attacks on NPM packages (such as "debug") targeted maintainers' credentials to compromise widely used libraries.

Inactive maintainer accounts are now a common attack vector because they often remain privileged but unmonitored. If your Apache account is not actively used or secured with strong authentication, it increases the risk of impersonation or misuse.

Unfortunately, ASF INFRA currently does not offer a way to separate committer status from technical privileges. This means the only way to fully remove commit access is to step down as a committer.
We are working on adding other possibilities, starting with MFA (Multi-Factor Authentication) being worked on by Infra - this is work in progress (it will be discussed in 2 weeks at the infrastructure roundtable). But for now, we have no way to separate committer status from commit access. Several other PMCs (NiFi and Logging Services, that I know about) have started similar initiatives and discussions recently to address growing security concerns.

## An Honest Question

I would like to ask each of you to reflect on this question: "Is it more likely that an ASF account could be compromised, or that you will return to active participation in the near future?" - especially when you consider that there is no MFA currently for ASF accounts.

Only you can answer that. But if you choose to step down to help reduce risk, I will consider it a valuable and responsible contribution to the long-term security of the Apache Airflow project.

While there is not (yet) a formal "emeritus" status for the PMC (there is a formal "emeritus" status for the Foundation), and while merit never expires, we could potentially quickly add such an emeritus status, keep information about who the emeritus committers are, and recognise them on our "community" page [1] if you decide to step down as a committer. That would be a quick way to make things more secure, without waiting for infrastructure changes.

## What Stepping Down Really Means

If you choose to step down, your contributions will continue to be valued and recognized:

- You could be listed as emeritus on our team page [1].
- We might propose (and implement) that emeritus members also appear on projects.apache.org [2] to acknowledge your lasting impact on the project.
- If you ever wish to return, we might make the process as smooth as possible. While a PMC vote is required by ASF policy, we might decide on the policy that anyone who wishes to be reinstated will be accepted (providing some kind of social verification of their identity).
However, stepping down does have some technical and procedural effects we cannot avoid due to ASF policies and repository protections.

### If You Step Down as a Committer

You can still contribute normally via GitHub like any community member, but some maintainer permissions will change:

- You can still open pull requests and participate in discussions.
- Your reviews will remain welcome, but:
  - Positive reviews will not count toward the required number of binding approvals.
  - Negative reviews will still be taken seriously and considered.
- You will no longer have merge permissions.
- Note: in Airflow even current maintainers cannot push directly to `main` or `stable` branches due to branch protections; all changes already go through PR and review, so little changes in practice for occasional contributors.

### If You Step Down as a PMC Member

Your influence on project decisions will continue, but with non-binding status:

- Your +1 votes on releases will be non-binding and will not count toward the required 3 binding votes.
- Your -1 votes will still carry weight and will be taken into consideration by the release manager.
- You cannot initiate releases without coordination with an active PMC member.
- You will lose access to `private@` and `security@` unless you are an ASF member.

*Important Note*: This is currently a personal proposal and question - not a PMC action. Before taking any action, we will have to discuss it with the PMC on `private@`. However, as most inactive members are committers rather than PMC members, I wanted to share my thoughts openly with both groups at the same time.

I look forward to hearing from each of you, whether to simply reconnect or to discuss the future of your involvement in the project. I wonder how this message will be perceived by you. Would you be willing to step down if you are inactive? Any other comments and suggestions from those who are active as well?
And yes, I know some of the inactive people might simply not get this message; I am well aware of that. I am mostly interested now in hearing from those who are still following.

Best regards,
Jarek

[1] https://airflow.apache.org/community/
[2] https://projects.apache.org/committee.html?airflow
