TLDR – Keep *only* `dev@logging.a.o` and `security@logging.a.o` in `pom.xml`, and use DOAP to maintain the team list.
I think we shouldn't conflate the subjects of DOAP and `pom.xml` files. The latter spreads across dozens of repositories and branches, and serves a totally different purpose. `pom.xml` of `logging-parent` should not be used as the umbrella truth for the Logging Services project either, since 1) there is a facility dedicated for this purpose (i.e., DOAP), and 2) `logging-parent` is not used by Log4net and Log4cxx.

I support your idea of keeping *only* `dev@logging.a.o` and `security@logging.a.o` in `pom.xml` – this would zero the maintenance cost of the `developers` element. Maintainer credits are available in the Git log.

If we stick to this setup, we can generate `team-list.adoc` (which automatically generates `team-list.html`) from DOAP. This would make DOAP the one and only source that we need to maintain.

On Fri, Mar 21, 2025 at 11:40 AM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:

> Hi all,
>
> A user report regarding a broken link on `projects.apache.org`[1] brought my attention to the amount of out-of-date metadata we publish:
>
> * Our DOAP file has not been updated in ages. It contained out of date links. We should probably regenerate it at each release. On `projects.apache.org` this would give a result like Maven's[2].
>
> * Our `<developers>` and `<contributors>` sections in POM files are also out of date. They contain people that are not active, do **not** contain people that are active and some affiliations might not be up to date.
>
> To better understand what the `<developers>` option should contain, I looked at the documentation[3] and asked on Slack[4]. The documentation says:
>
> > Developers are presumably members of the project's core development. Note that, although an organization may have many developers (programmers) as members, it is not good form to list them all as developers, but only those who are immediately responsible for the code. A good rule of thumb is, if the person should not be contacted about the project, they do not need to be listed here.
>
> And of course the Maven team contradicts itself, by listing all PMC Members, Committers and even Emeritus members in their POM file[5].
>
> We have probably two options here:
>
> 1. My favorite is to break the semantics of `<developer>` and add two teams in `logging-parent`: an "Apache Logging Services Security Team" with address `secur...@logging.apache.org` and an "Apache Logging Services PMC" with this mailing list as address.
>
> 2. List team members only in `logging-parent` and keep the list up-to-date. If we go for this option:
>
>    * We should remove inactive members from the POM file.
>
>    * If we add some people there, we should at least add the whole Project Management Committee. These are the people currently "immediately responsible for the code" and even Log4cxx and Log4net developers assume responsibility and vote on Log4j releases. Adding our few active committers does not hurt either.
>
>    * The list should be somehow ordered, with the people that should be contacted first at the top. I think the order should be PMC Chair, PMC Member, Committer.
>
>    * We should not list affiliations, unless our employer explicitly pays us to work on Log4j and would like to be listed.
>
> I started a draft PR for option 2[6].
>
> What do you think?
>
> Piotr
>
> [1] https://github.com/apache/logging-log4j2/issues/3536
>
> [2] https://projects.apache.org/project.html?maven
>
> [3] https://maven.apache.org/pom.html#Developers
>
> [4] https://the-asf.slack.com/archives/C7Q9JB404/p1742287422781009
>
> [5] https://mvnrepository.com/artifact/org.apache.maven/maven-core/3.9.9
>
> [6] https://github.com/apache/logging-parent/pull/351