Thank you, Volkan, I definitely TL;DR on that one ;-)

Gary
On Fri, Oct 24, 2025, 10:54 Volkan Yazıcı <[email protected]> wrote:

> We privately discussed this with Piotr and I share his concerns. Instead of expecting inactive (i.e., those who haven't participated in Logging Services by any means in the last 1 year) committers & PMC members to read this lengthy email, I suggest sending them a direct (shorter) email, and, along with our rationale, asking if they can step down.
>
> On Thu, Oct 23, 2025 at 12:14 PM Piotr P. Karwasz <[email protected]> wrote:
>
> > Hi all,
> >
> > As many of you know, the Apache Logging Services project has a long history and currently counts 47 committers, one of the largest groups in the ASF. Yet during my time in the project, I have only had the opportunity to interact with around 20 of you directly.
> >
> > I understand that some of you may have moved on to new projects, retired from active development, or are simply taking a well-deserved break. Whatever the case may be, I want to express my gratitude for your past contributions to the project and for helping build what we have today.
> >
> > With that in mind, I would like to:
> >
> > - Reconnect with each of you to hear how you are doing and learn whether you plan to return to the project in the future.
> >
> > - Organize a casual virtual gathering for all past and present committers to celebrate the history of the project and reconnect as a community.
> >
> > However, I would also like to raise an important administrative topic concerning security, something that affects not just our project, but the broader open-source ecosystem.
> >
> > ## Why This Matters
> >
> > Recent years have shown an alarming rise in software supply chain attacks by highly capable threat actors. Their methods vary:
> >
> > - The XZ attack demonstrated how long-term trust can be exploited to gain harmful influence.
> >
> > - Recent phishing attacks on NPM packages (such as "debug") targeted maintainers' credentials to compromise widely used libraries.
> >
> > Inactive maintainer accounts are now a common attack vector because they often remain privileged but unmonitored. If your Apache account is not actively used or secured with strong authentication, it increases the risk of impersonation or misuse.
> >
> > Unfortunately, ASF INFRA currently does not offer a way to separate committer status from technical privileges. This means the only way to fully remove commit access is to step down as a committer or PMC member.
> >
> > ## An Honest Question
> >
> > I would like to ask each of you to reflect on this question:
> >
> > "Is it more likely that your ASF account could be compromised, or that you will return to active participation in the near future?"
> >
> > Only you can answer that. But if you choose to step down to help reduce risk, I will consider it a valuable and responsible contribution to the long-term security of the Apache Logging Services project and the Java ecosystem.
> >
> > ## What Stepping Down Really Means
> >
> > If you choose to step down, your contributions will continue to be valued and recognized:
> >
> > - You will be listed as emeritus on our team page [1].
> > - I will propose that emeritus members also appear on projects.apache.org [2] to acknowledge your lasting impact on the project.
> > - If you ever wish to return, we will make the process as smooth as possible. While a PMC vote is required by ASF policy, I will gladly support reinstatement for anyone who shows renewed engagement with the project.
> >
> > However, stepping down does have some technical and procedural effects we cannot avoid due to ASF policies and repository protections.
> >
> > ### If You Step Down as a Committer
> >
> > You can still contribute normally via GitHub like any community member, but some maintainer permissions will change:
> >
> > - You can still open pull requests and participate in discussions.
> > - Your reviews will remain welcome, but:
> >   - Positive reviews will not count toward the required number of binding approvals.
> >   - Negative reviews will still be taken seriously and considered.
> > - You will no longer have merge permissions.
> > - Note: in Log4j even current maintainers cannot push directly to `main` or `2.x`; all changes already go through PR and review, so little changes in practice for occasional contributors.
> >
> > ### If You Step Down as a PMC Member
> >
> > Your influence on project decisions will continue, but with non-binding status:
> >
> > - Your +1 votes on releases will be non-binding and will not count toward the required 3 binding votes.
> > - Your -1 votes will still carry weight and will be taken into consideration by the release manager.
> > - You cannot initiate releases without coordination with an active PMC member.
> > - You will lose access to `private@` and `security@` unless you are an ASF member.
> >
> > *Important Note*:
> > This is currently a personal proposal. Before taking any action, I will discuss it with the PMC on `private@`. However, as most inactive members are committers rather than PMC members, I wanted to share my thoughts openly with both groups at the same time.
> >
> > I look forward to hearing from each of you, whether to simply reconnect or to discuss the future of your involvement in the project.
> >
> > Best regards,
> > Piotr
> >
> > [1] https://logging.apache.org/team-list.html
> > [2] https://projects.apache.org/committee.html?logging
