Thanks for sharing that information.

IAC, whatever the outcome might be, I am down to connect with fellow
maintainers and say "hi" at the very least.

Thanks & Regards,
Amogh Desai


On Fri, Oct 24, 2025 at 3:08 PM Jarek Potiuk <[email protected]> wrote:

> > This is a valuable discussion, do you happen to know if any other
> Apache projects have an emeritus defined?
>
> Nifi defined it a month or two ago, but some of the way (involuntary move
> after inactivity) seems to go against "merit never expires" ASF rule, and
> is being discussed how it is going to work. There is no official "PMC
> Emeritus" defined in the ASF as a status - this is something up to PMC to
> decide. Since it does not involve any new position - it's mostly the same
> as "committer/PMC member" - but someone who willingly decided to step down,
> this is really up to PMC to decide. As mentioned - similar discussion is
> now run in Logging [1] - together with Piotr Karwasz, my friend from the
> ASF we are trying to see if such a proposal / discussion makes sense and
> how it will be perceived by the PMCs and community - we are concerned about
> security and we want to see what we can do "in PMC" - without changing
> anything at the ASF level.
>
> As mentioned - there is a parallel and much more elaborated and complex
> work on that subject run by Infra - and after yesterday's discussion we had
> - I do not want to comment or misrepresent the work being done there - so
> some of the statements about what is being done in infra/ASF level might be
> not entirely accurate, but the whole point here is what we can do on "our
> own" as a PMC now. - and whether a) there will be response from the
> inactive committers/PMC members, b) how they react c) how others would see
> the proposal and generally to hear what you all think about it. More
> explanatory and gathering feedback than anything else.
>
> J
>
>
> [1] https://lists.apache.org/thread/prrkybn46zksxtky4o73cw1j9gnzx6oj
>
>
> On Fri, Oct 24, 2025 at 10:50 AM Amogh Desai <[email protected]>
> wrote:
>
> > This is a valuable discussion, do you happen to know if any other
> > Apache projects have an emeritus defined?
> >
> > IAC, I would be interested to say a virtual hello to fellow committers
> > and PMCs, especially the ones before my time and those I haven't yet
> > gotten a chance to connect with at Airflow Summit(s).
> >
> > Thanks & Regards,
> > Amogh Desai
> >
> >
> > On Fri, Oct 24, 2025 at 1:35 PM Pavankumar Gopidesu <
> > [email protected]>
> > wrote:
> >
> > > Thanks Jarek,
> > >
> > > Indeed, that's a great idea. Looking forward to meeting everyone.
> > >
> > > Pavan
> > >
> > >
> > >
> > > Regards,
> > > On Thu, 23 Oct 2025 at 13:00, Jarek Potiuk <[email protected]> wrote:
> > >
> > > > Hello here,
> > > >
> > > > > As many of you know, the Apache Airflow project has a long
> > > > > history and currently counts 74 committers, one of the largest groups in
> > > > > the ASF. Yet even during my long tenure in the project, I have only had the
> > > > > opportunity to interact with possibly around 50 of you directly - and
> > > > > with many of those it's a long time ago it happened.
> > > >
> > > > I understand that some of you may have moved on to new projects,
> > retired
> > > > from active development, or are simply taking a well-deserved break.
> > > > Whatever the case may be, I want to express my gratitude for your
> past
> > > > contributions to the project and for helping build what we have
> today.
> > > >
> > > > > With that in mind, it might be a good idea to reconnect with
> > > > each of you to hear how you are doing and learn whether
> > > > you plan to return to the project in the future.
> > > >
> > > > We might even organize a casual virtual gathering for all past and
> > > present
> > > > committers to celebrate the history of the project and reconnect as a
> > > > community at some point - especially that with Airflow 3 we - I think
> > > > reached a new height in terms of what Airflow is capable of and
> > > > celebrating it is a good idea.
> > > >
> > > > However, I would also like to raise an important administrative topic
> > > > concerning security, something that affects not just our project, but
> > > > the broader open-source ecosystem - and something we discuss
> > > > in the security committee.
> > > >
> > > > ## Why This Matters
> > > >
> > > > Recent years have shown an alarming rise in software supply chain
> > > > attacks by highly capable threat actors. Their methods vary:
> > > >
> > > > - The XZ attack demonstrated how long-term trust can be exploited to
> > > > gain harmful influence.
> > > >
> > > > - Recent phishing attacks on NPM packages (such as "debug") targeted
> > > > maintainers’ credentials to compromise widely used libraries.
> > > >
> > > > Inactive maintainer accounts are now a common attack vector because
> > they
> > > > often remain privileged but unmonitored. If your Apache account is
> not
> > > > actively used or secured with strong authentication, it increases the
> > > > risk of impersonation or misuse.
> > > >
> > > > Unfortunately, ASF INFRA currently does not offer a way to separate
> > > > > committer status from technical privileges. This means the only way to
> > > > > fully remove commit access is to step down as a committer.
> > > >
> > > > We are working on adding other possibilities, starting with MFA
> > > > (Multi-Factor-Authentication) being worked on by Infra - this is
> > > > > work in-progress (it will be discussed in 2 weeks at infrastructure
> > > > roundtable).
> > > > But for now, we have no way (for now) to separate the committers and
> > > > > commit access. Several other PMCs (NiFi, Logging Services that I know
> > > > about) had started similar initiatives and discussions recently to
> > > > address growing security concerns.
> > > >
> > > > ## An Honest Question
> > > >
> > > > I would like to ask each of you to reflect on this question:
> > > >
> > > > “Is it more likely that an ASF account could be compromised, or that
> > > > you will return to active participation in the near future?”
> especially
> > > > when you consider that there is no MFA currently for ASF accounts.
> > > >
> > > > Only you can answer that. But if you choose to step down to help
> reduce
> > > > risk, I will consider it a valuable and responsible contribution to
> the
> > > > long-term security of the Apache Airflow project.
> > > >
> > > > While there is no (yet) formal "emeritus" status for the PMC - there
> is
> > > > > a formal "emeritus" status for the Foundation, and while merit never
> > > > expires, we could potentially quickly add such emeritus status
> > > > and keep information about who the emeritus committers are
> > > > and recognise them at our "community" page [1] if you decide
> > > > to step-down as a committer. That would be a quick way to
> > > > make things more secure, without waiting for infrastructure
> > > > changes.
> > > >
> > > > ## What Stepping Down Really Means
> > > >
> > > > If you choose to step down, your contributions will continue to be
> > > > valued and recognized:
> > > >
> > > > - You could be listed as emeritus on our team page [1].
> > > > - We might propose (and implement) that emeritus members also appear
> on
> > > > projects.apache.org [2] to acknowledge your lasting impact on the
> > > > project.
> > > > - If you ever wish to return, we might make the process as smooth as
> > > > possible. While a PMC vote is required by ASF policy, we might decide
> > > > on the policy that anyone who wishes to be reinstated will be
> accepted
> > > > (providing some kind of social verification of their identity).
> > > >
> > > > However, stepping down does have some technical and procedural
> effects
> > > > we cannot avoid due to ASF policies and repository protections.
> > > >
> > > > ### If You Step Down as a Committer
> > > >
> > > > You can still contribute normally via GitHub like any community
> member,
> > > > but some maintainer permissions will change:
> > > >
> > > > - You can still open pull requests and participate in discussions.
> > > > - Your reviews will remain welcome, but:
> > > > - Positive reviews will not count toward the required number of
> > > > binding approvals.
> > > > - Negative reviews will still be taken seriously and considered.
> > > > - You will no longer have merge permissions.
> > > > - Note: in Airflow even current maintainers cannot push directly to
> > > `main`
> > > > or `stable` branches due to branch protections, all changes
> > > > already go through PR and review, so little
> > > > changes in practice for occasional contributors.
> > > >
> > > > ### If You Step Down as a PMC Member
> > > >
> > > > Your influence on project decisions will continue, but with
> non-binding
> > > > status:
> > > >
> > > > - Your +1 votes on releases will be non-binding and will not count
> > > > toward the required 3 binding votes.
> > > > - Your -1 votes will still carry weight and will be taken into
> > > > consideration by the release manager.
> > > > - You cannot initiate releases without coordination with an active
> PMC
> > > > member.
> > > > - You will lose access to `private@` and `security@` unless you are
> an
> > > > ASF member.
> > > >
> > > > *Important Note*:
> > > > This is currently a personal proposal and question - not a PMC
> action.
> > > > Before taking any action, we will have to discuss it with the PMC
> > > > on `private@`.  However, as most inactive members
> > > > are committers rather than PMC members, I wanted to share my thoughts
> > > > openly with both groups at the same time.
> > > >
> > > > I look forward to hearing from each of you, whether to simply
> reconnect
> > > > or to discuss the future of your involvement in the project.
> > > >
> > > > I wonder how this message will be perceived by you? Would you be
> > willing
> > > > to step-down if you are inactive? Any other comments and suggestions
> > from
> > > > those who are active as well?
> > > >
> > > > > And yes I know some of the inactive people might simply not get this message,
> > > > > I am well aware of that - I am mostly interested now in hearing from those who
> > > > > are still following.
> > > >
> > > > Best regards,
> > > > Jarek
> > > >
> > > > [1] https://airflow.apache.org/community/
> > > > [2] https://projects.apache.org/committee.html?airflow
> > > >
> > >
> >
>
