Thanks Jarek, indeed that's a great idea. Looking forward to meeting everyone.

Regards,
Pavan

On Thu, 23 Oct 2025 at 13:00, Jarek Potiuk <[email protected]> wrote:

> Hello here,
>
> As many of you know, the Apache Airflow project has a long history and
> currently counts 74 committers, one of the largest groups in the ASF. Yet
> even during my long tenure in the project, I have only had the
> opportunity to interact with possibly around 50 of you directly - and
> with many of those it was a long time ago.
>
> I understand that some of you may have moved on to new projects, retired
> from active development, or are simply taking a well-deserved break.
> Whatever the case may be, I want to express my gratitude for your past
> contributions to the project and for helping build what we have today.
>
> With that in mind, it might be a good idea to reconnect with each of you
> to hear how you are doing and learn whether you plan to return to the
> project in the future.
>
> We might even organize a casual virtual gathering for all past and present
> committers to celebrate the history of the project and reconnect as a
> community at some point - especially since with Airflow 3 we have, I think,
> reached a new height in terms of what Airflow is capable of, and
> celebrating it is a good idea.
>
> However, I would also like to raise an important administrative topic
> concerning security, something that affects not just our project, but
> the broader open-source ecosystem - and something we discuss in the
> security committee.
>
> ## Why This Matters
>
> Recent years have shown an alarming rise in software supply chain
> attacks by highly capable threat actors. Their methods vary:
>
> - The XZ attack demonstrated how long-term trust can be exploited to
>   gain harmful influence.
>
> - Recent phishing attacks on NPM packages (such as "debug") targeted
>   maintainers' credentials to compromise widely used libraries.
>
> Inactive maintainer accounts are now a common attack vector because they
> often remain privileged but unmonitored. If your Apache account is not
> actively used or secured with strong authentication, it increases the
> risk of impersonation or misuse.
>
> Unfortunately, ASF INFRA currently does not offer a way to separate
> committer status from technical privileges. This means the only way to
> fully remove commit access is to step down as a committer.
>
> We are working on adding other possibilities, starting with MFA
> (Multi-Factor Authentication) being worked on by Infra - this is
> work in progress (it will be discussed in 2 weeks at the infrastructure
> roundtable). But for now, we have no way to separate committers and
> commit access. Several other PMCs (NiFi, Logging Services, that I know
> about) have started similar initiatives and discussions recently to
> address growing security concerns.
>
> ## An Honest Question
>
> I would like to ask each of you to reflect on this question:
>
> "Is it more likely that an ASF account could be compromised, or that
> you will return to active participation in the near future?" - especially
> when you consider that there is no MFA currently for ASF accounts.
>
> Only you can answer that. But if you choose to step down to help reduce
> risk, I will consider it a valuable and responsible contribution to the
> long-term security of the Apache Airflow project.
>
> While there is no formal "emeritus" status for the PMC (yet), there is
> a formal "emeritus" status for the Foundation, and while merit never
> expires, we could potentially quickly add such an emeritus status,
> keep information about who the emeritus committers are, and recognise
> them on our "community" page [1] if you decide to step down as a
> committer. That would be a quick way to make things more secure, without
> waiting for infrastructure changes.
>
> ## What Stepping Down Really Means
>
> If you choose to step down, your contributions will continue to be
> valued and recognized:
>
> - You could be listed as emeritus on our team page [1].
> - We might propose (and implement) that emeritus members also appear on
>   projects.apache.org [2] to acknowledge your lasting impact on the
>   project.
> - If you ever wish to return, we might make the process as smooth as
>   possible. While a PMC vote is required by ASF policy, we might decide
>   on the policy that anyone who wishes to be reinstated will be accepted
>   (providing some kind of social verification of their identity).
>
> However, stepping down does have some technical and procedural effects
> we cannot avoid due to ASF policies and repository protections.
>
> ### If You Step Down as a Committer
>
> You can still contribute normally via GitHub like any community member,
> but some maintainer permissions will change:
>
> - You can still open pull requests and participate in discussions.
> - Your reviews will remain welcome, but:
>   - Positive reviews will not count toward the required number of
>     binding approvals.
>   - Negative reviews will still be taken seriously and considered.
> - You will no longer have merge permissions.
> - Note: in Airflow even current maintainers cannot push directly to `main`
>   or `stable` branches due to branch protections; all changes already go
>   through PR and review, so little changes in practice for occasional
>   contributors.
>
> ### If You Step Down as a PMC Member
>
> Your influence on project decisions will continue, but with non-binding
> status:
>
> - Your +1 votes on releases will be non-binding and will not count
>   toward the required 3 binding votes.
> - Your -1 votes will still carry weight and will be taken into
>   consideration by the release manager.
> - You cannot initiate releases without coordination with an active PMC
>   member.
> - You will lose access to `private@` and `security@` unless you are an
>   ASF member.
>
> *Important Note*:
> This is currently a personal proposal and question - not a PMC action.
> Before taking any action, we will have to discuss it with the PMC
> on `private@`. However, as most inactive members are committers rather
> than PMC members, I wanted to share my thoughts openly with both groups
> at the same time.
>
> I look forward to hearing from each of you, whether to simply reconnect
> or to discuss the future of your involvement in the project.
>
> I wonder how this message will be perceived by you? Would you be willing
> to step down if you are inactive? Any other comments and suggestions from
> those who are active as well?
>
> And yes, I know some of the inactive people might simply not get this
> message; I am well aware of that. I am mostly interested now in hearing
> from those who are still following.
>
> Best regards,
> Jarek
>
> [1] https://airflow.apache.org/community/
> [2] https://projects.apache.org/committee.html?airflow
