On Fri, Oct 24, 2025, at 16:53, Volkan Yazıcı wrote:
> We privately discussed this with Piotr and I share his concerns. Instead of
> expecting inactive (i.e., who hasn't participated in Logging Services by
> any means in the last 1 year) committers & PMC members to read this lengthy
> email, I suggest sending them a direct (shorter) email, and, along with our
> rationale, asking if they can step down.
I think we did this in the past one or two years, but we should do it regularly. Once a year, we ask the chair whether they still want to continue, and once a year, we ask everyone if they wish to step down. For me, this is just another step to making this project more secure.

In short, +1 to what Piotr wrote, and +1 to additionally reaching out to people from whom we haven't heard for a long time.

Plus, I'd like to raise the question: What if we have long-term inactive committers who didn't respond at all? I'd like to auto-deactivate the commit bit if a committer didn't respond to any email or have any activity in, let's say, three years or so. I know this is currently not covered by policies.

Thanks Piotr+Volkan

Christian

>
> On Thu, Oct 23, 2025 at 12:14 PM Piotr P. Karwasz <[email protected]>
> wrote:
>
>> Hi all,
>>
>> As many of you know, the Apache Logging Services project has a long
>> history and currently counts 47 committers, one of the largest groups in
>> the ASF. Yet during my time in the project, I have only had the
>> opportunity to interact with around 20 of you directly.
>>
>> I understand that some of you may have moved on to new projects, retired
>> from active development, or are simply taking a well-deserved break.
>> Whatever the case may be, I want to express my gratitude for your past
>> contributions to the project and for helping build what we have today.
>>
>> With that in mind, I would like to:
>>
>> - Reconnect with each of you to hear how you are doing and learn whether
>>   you plan to return to the project in the future.
>>
>> - Organize a casual virtual gathering for all past and present
>>   committers to celebrate the history of the project and reconnect as a
>>   community.
>>
>> However, I would also like to raise an important administrative topic
>> concerning security, something that affects not just our project, but
>> the broader open-source ecosystem.
>>
>> ## Why This Matters
>>
>> Recent years have shown an alarming rise in software supply chain
>> attacks by highly capable threat actors. Their methods vary:
>>
>> - The XZ attack demonstrated how long-term trust can be exploited to
>>   gain harmful influence.
>>
>> - Recent phishing attacks on NPM packages (such as "debug") targeted
>>   maintainers’ credentials to compromise widely used libraries.
>>
>> Inactive maintainer accounts are now a common attack vector because they
>> often remain privileged but unmonitored. If your Apache account is not
>> actively used or secured with strong authentication, it increases the
>> risk of impersonation or misuse.
>>
>> Unfortunately, ASF INFRA currently does not offer a way to separate
>> committer status from technical privileges. This means the only way to
>> fully remove commit access is to step down as a committer or PMC member.
>>
>> ## An Honest Question
>>
>> I would like to ask each of you to reflect on this question:
>>
>> “Is it more likely that your ASF account could be compromised, or that
>> you will return to active participation in the near future?”
>>
>> Only you can answer that. But if you choose to step down to help reduce
>> risk, I will consider it a valuable and responsible contribution to the
>> long-term security of the Apache Logging Services project and the Java
>> ecosystem.
>>
>> ## What Stepping Down Really Means
>>
>> If you choose to step down, your contributions will continue to be
>> valued and recognized:
>>
>> - You will be listed as emeritus on our team page [1].
>> - I will propose that emeritus members also appear on
>>   projects.apache.org [2] to acknowledge your lasting impact on the
>>   project.
>> - If you ever wish to return, we will make the process as smooth as
>>   possible. While a PMC vote is required by ASF policy, I will gladly
>>   support reinstatement for anyone who shows renewed engagement with the
>>   project.
>>
>> However, stepping down does have some technical and procedural effects
>> we cannot avoid due to ASF policies and repository protections.
>>
>> ### If You Step Down as a Committer
>>
>> You can still contribute normally via GitHub like any community member,
>> but some maintainer permissions will change:
>>
>> - You can still open pull requests and participate in discussions.
>> - Your reviews will remain welcome, but:
>>   - Positive reviews will not count toward the required number of
>>     binding approvals.
>>   - Negative reviews will still be taken seriously and considered.
>> - You will no longer have merge permissions.
>> - Note: in Log4j even current maintainers cannot push directly to `main`
>>   or `2.x`, all changes already go through PR and review, so little
>>   changes in practice for occasional contributors.
>>
>> ### If You Step Down as a PMC Member
>>
>> Your influence on project decisions will continue, but with non-binding
>> status:
>>
>> - Your +1 votes on releases will be non-binding and will not count
>>   toward the required 3 binding votes.
>> - Your -1 votes will still carry weight and will be taken into
>>   consideration by the release manager.
>> - You cannot initiate releases without coordination with an active PMC
>>   member.
>> - You will lose access to `private@` and `security@` unless you are an
>>   ASF member.
>>
>> *Important Note*:
>> This is currently a personal proposal. Before taking any action, I will
>> discuss it with the PMC on `private@`. However, as most inactive members
>> are committers rather than PMC members, I wanted to share my thoughts
>> openly with both groups at the same time.
>>
>> I look forward to hearing from each of you, whether to simply reconnect
>> or to discuss the future of your involvement in the project.
>>
>> Best regards,
>> Piotr
>>
>> [1] https://logging.apache.org/team-list.html
>> [2] https://projects.apache.org/committee.html?logging
>>
