Hi all,
As many of you know, the Apache Logging Services project has a long
history and currently counts 47 committers, one of the largest groups in
the ASF. Yet during my time in the project, I have only had the
opportunity to interact with around 20 of you directly.
I understand that some of you may have moved on to new projects, retired
from active development, or are simply taking a well-deserved break.
Whatever the case may be, I want to express my gratitude for your past
contributions to the project and for helping build what we have today.
With that in mind, I would like to:
- Reconnect with each of you to hear how you are doing and learn whether
you plan to return to the project in the future.
- Organize a casual virtual gathering for all past and present
committers to celebrate the history of the project and reconnect as a
community.
However, I would also like to raise an important administrative topic
concerning security, something that affects not just our project, but
the broader open-source ecosystem.
## Why This Matters
Recent years have shown an alarming rise in software supply chain
attacks by highly capable threat actors. Their methods vary:
- The XZ attack demonstrated how long-term trust can be exploited to
gain harmful influence.
- Recent phishing attacks on NPM packages (such as "debug") targeted
maintainers’ credentials to compromise widely used libraries.
Inactive maintainer accounts are now a common attack vector because they
often remain privileged but unmonitored. If your Apache account is not
actively used or secured with strong authentication, it increases the
risk of impersonation or misuse.
Unfortunately, ASF INFRA currently does not offer a way to separate
committer status from technical privileges. This means the only way to
fully remove commit access is to step down as a committer or PMC member.
## An Honest Question
I would like to ask each of you to reflect on this question:
“Is it more likely that your ASF account could be compromised, or that
you will return to active participation in the near future?”
Only you can answer that. But if you choose to step down to help reduce
risk, I will consider it a valuable and responsible contribution to the
long-term security of the Apache Logging Services project and the Java
ecosystem.
## What Stepping Down Really Means
If you choose to step down, your contributions will continue to be
valued and recognized:
- You will be listed as emeritus on our team page [1].
- I will propose that emeritus members also appear on
projects.apache.org [2] to acknowledge your lasting impact on the
project.
- If you ever wish to return, we will make the process as smooth as
possible. While a PMC vote is required by ASF policy, I will gladly
support reinstatement for anyone who shows renewed engagement with the
project.
However, stepping down does have some technical and procedural effects
we cannot avoid due to ASF policies and repository protections.
### If You Step Down as a Committer
You can still contribute normally via GitHub like any community member,
but some maintainer permissions will change:
- You can still open pull requests and participate in discussions.
- Your reviews will remain welcome, but:
  - Positive reviews will not count toward the required number of
    binding approvals.
  - Negative reviews will still be taken seriously and considered.
- You will no longer have merge permissions.
- Note: in Log4j even current maintainers cannot push directly to `main`
  or `2.x`; all changes already go through PR and review, so little
  changes in practice for occasional contributors.
### If You Step Down as a PMC Member
Your influence on project decisions will continue, but with non-binding
status:
- Your +1 votes on releases will be non-binding and will not count
toward the required 3 binding votes.
- Your -1 votes will still carry weight and will be taken into
consideration by the release manager.
- You cannot initiate releases without coordination with an active PMC
member.
- You will lose access to `private@` and `security@` unless you are an
ASF member.
*Important Note*:
This is currently a personal proposal. Before taking any action, I will
discuss it with the PMC on `private@`. However, as most inactive members
are committers rather than PMC members, I wanted to share my thoughts
openly with both groups at the same time.
I look forward to hearing from each of you, whether to simply reconnect
or to discuss the future of your involvement in the project.
Best regards,
Piotr
[1] https://logging.apache.org/team-list.html
[2] https://projects.apache.org/committee.html?logging