> On Oct 28, 2025, at 12:34 AM, Christian Grobmeier <[email protected]> 
> wrote:
> 
> 
> 
> On Mon, Oct 27, 2025, at 18:42, Matt Sicker wrote:
>> I’m in favor of whatever process makes this project enjoyable to 
>> contribute to again.
> 
> Enjoyable yes.
> But not for the cost of security.
> This project has grown since we hacked together its prototype.

Allowing the project to enter the Attic is surely more secure than accepting 
contributions ever again based on this line of thinking.

> 
>> In the past, we embraced the Apache Way of a 
>> “do-ocracy” where people just sort of work on what they want to work 
>> on, and things work out in the end because this philosophy embraces 
>> community over code. Projects that demand perfect code end up dead once 
>> the gatekeeper stops caring about the project (see for example qmail).
> 
> Agreed, and I oppose the need for "perfect code" to come into a codebase.
> But I want to have "reviewed" code.
> 
> Times have changed.
> 
> Supply chains are under constant attack.
> We will not suffer from an XZ-like attack, but I do believe we can make 
> mistakes.
> Powering half of the Java projects (at least it feels like that), we owe it 
> to our community to be careful what we add to the codebase.
> 
> Do-ocracy is fine; one can still do things.
> But the scale of software has changed; we should accept reviews by others.
> Of course, reviews must be productive and should not lead to gatekeeping.
> So, we'll need to discuss the rules of a review, not abandon the review.
> 
> 
