> This is a valuable discussion, do you happen to know if any other Apache projects have an emeritus defined?
Nifi defined it a month or two ago, but some of the way (involuntary move after inactivity) seems to go against "merit never expires" ASF rule, and is being discussed how it is going to work. There is no official "PMC Emeritus" defined in the ASF as a status - this is something up to PMC to decide. Since it does not involve any new position - it's mostly the same as "committer/PMC member" - but someone who willingly decided to step down, this is really up to PMC to decide. As mentioned - similar discussion is now run in Logging [1] - together with Piotr Karwasz, my friend from the ASF we are trying to see if such a proposal / discussion makes sense and how it will be perceived by the PMCs and community - we are concerned about security and we want to see what we can do "in PMC" - without changing anything at the ASF level. As mentioned - there is a parallel and much more elaborated and complex work on that subject run by Infra - and after yesterday's discussion we had - I do not want to comment or misrepresent the work being done there - so some of the statements about what is being done in infra/ASF level might be not entirely accurate, but the whole point here is what we can do on "our own" as a PMC now. - and whether a) there will be response from the inactive committers/PMC members, b) how they react c) how others would see the proposal and generally to hear what you all think about it. More explanatory and gathering feedback than anything else. J [1] https://lists.apache.org/thread/prrkybn46zksxtky4o73cw1j9gnzx6oj On Fri, Oct 24, 2025 at 10:50 AM Amogh Desai <[email protected]> wrote: > This is a valuable discussion, do you happen to know if any other > Apache projects have an emeritus defined? > > IAC, I would be interested to say a virtual hello to fellow committers > and PMCs, specially the ones before my time and those I haven't yet > gotten a chance to connect with at Airflow Summit(s). > > Thanks & Regards, > Amogh Desai > > > On Fri, Oct 24, 2025 at 1:35 PM Pavankumar Gopidesu < > [email protected]> > wrote: > > > Thanks Jarek, > > > > Indeed thats a great idea, Looking forward to everyone to meet. > > > > Pavan > > > > > > > > Regards, > > On Thu, 23 Oct 2025 at 13:00, Jarek Potiuk <[email protected]> wrote: > > > > > Hello here, > > > > > > As many of you know, the Apache Airflow project has a long > > > history and currently counts 74 committers, one of the largest groups > in > > > the ASF. Yet even during my liong tenure in the project, I have only > had > > > the > > > opportunity to interact with possibly around 50 of you directly - and > > > with many of those it's a long time ago it happened. > > > > > > I understand that some of you may have moved on to new projects, > retired > > > from active development, or are simply taking a well-deserved break. > > > Whatever the case may be, I want to express my gratitude for your past > > > contributions to the project and for helping build what we have today. > > > > > > With that in mind, It might be a good idea to reconnect with > > > each of you to hear how you are doing and learn whether > > > you plan to return to the project in the future. > > > > > > We might even organize a casual virtual gathering for all past and > > present > > > committers to celebrate the history of the project and reconnect as a > > > community at some point - especially that with Airflow 3 we - I think > > > reached a new height in terms of what Airflow is capable of and > > > celebrating it is a good idea. > > > > > > However, I would also like to raise an important administrative topic > > > concerning security, something that affects not just our project, but > > > the broader open-source ecosystem - and something we discuss > > > in the security committee. > > > > > > ## Why This Matters > > > > > > Recent years have shown an alarming rise in software supply chain > > > attacks by highly capable threat actors. Their methods vary: > > > > > > - The XZ attack demonstrated how long-term trust can be exploited to > > > gain harmful influence. > > > > > > - Recent phishing attacks on NPM packages (such as "debug") targeted > > > maintainers’ credentials to compromise widely used libraries. > > > > > > Inactive maintainer accounts are now a common attack vector because > they > > > often remain privileged but unmonitored. If your Apache account is not > > > actively used or secured with strong authentication, it increases the > > > risk of impersonation or misuse. > > > > > > Unfortunately, ASF INFRA currently does not offer a way to separate > > > committer status from technical privileges. This means the only way to > > > fully removing commit access is to step down as a committer. > > > > > > We are working on adding other possibilities, starting with MFA > > > (Multi-Factor-Authentication) being worked on by Infra - this is > > > work in-progress (it will be discussed in 2 weeks at infrastructure > > > roundtable). > > > But for now, we have no way (for now) to separate the committers and > > > commit access. Several other PMCs (NiFi. Logging Services that I know > > > about) had started similar initiatives and discussions recently to > > > address growing security concerns. > > > > > > ## An Honest Question > > > > > > I would like to ask each of you to reflect on this question: > > > > > > “Is it more likely that an ASF account could be compromised, or that > > > you will return to active participation in the near future?” especially > > > when you consider that there is no MFA currently for ASF accounts. > > > > > > Only you can answer that. But if you choose to step down to help reduce > > > risk, I will consider it a valuable and responsible contribution to the > > > long-term security of the Apache Airflow project. > > > > > > While there is no (yet) formal "emeritus" status for the PMC - there is > > > a formal "emeritus" status for the Foundation. and while merit never > > > expires, we could potentially quickly add such emeritus status > > > and keep information about who the emeritus committers are > > > and recognise them at our "community" page [1] if you decide > > > to step-down as a committer. That would be a quick way to > > > make things more secure, without waiting for infrastructure > > > changes. > > > > > > ## What Stepping Down Really Means > > > > > > If you choose to step down, your contributions will continue to be > > > valued and recognized: > > > > > > - You could be listed as emeritus on our team page [1]. > > > - We might propose (and implement) that emeritus members also appear on > > > projects.apache.org [2] to acknowledge your lasting impact on the > > > project. > > > - If you ever wish to return, we might make the process as smooth as > > > possible. While a PMC vote is required by ASF policy, we might decide > > > on the policy that anyone who wishes to be reinstated will be accepted > > > (providing some kind of social verification of their identity). > > > > > > However, stepping down does have some technical and procedural effects > > > we cannot avoid due to ASF policies and repository protections. > > > > > > ### If You Step Down as a Committer > > > > > > You can still contribute normally via GitHub like any community member, > > > but some maintainer permissions will change: > > > > > > - You can still open pull requests and participate in discussions. > > > - Your reviews will remain welcome, but: > > > - Positive reviews will not count toward the required number of > > > binding approvals. > > > - Negative reviews will still be taken seriously and considered. > > > - You will no longer have merge permissions. > > > - Note: in Airflow even current maintainers cannot push directly to > > `main` > > > or `stable` branches due to branch protections, all changes > > > already go through PR and review, so little > > > changes in practice for occasional contributors. > > > > > > ### If You Step Down as a PMC Member > > > > > > Your influence on project decisions will continue, but with non-binding > > > status: > > > > > > - Your +1 votes on releases will be non-binding and will not count > > > toward the required 3 binding votes. > > > - Your -1 votes will still carry weight and will be taken into > > > consideration by the release manager. > > > - You cannot initiate releases without coordination with an active PMC > > > member. > > > - You will lose access to `private@` and `security@` unless you are an > > > ASF member. > > > > > > *Important Note*: > > > This is currently a personal proposal and question - not a PMC action. > > > Before taking any action, we will have to discuss it with the PMC > > > on `private@`. However, as most inactive members > > > are committers rather than PMC members, I wanted to share my thoughts > > > openly with both groups at the same time. > > > > > > I look forward to hearing from each of you, whether to simply reconnect > > > or to discuss the future of your involvement in the project. > > > > > > I wonder how this message will be perceived by you? Would you be > willing > > > to step-down if you are inactive? Any other comments and suggestions > from > > > those who are active as well? > > > > > > And yes I know some of the inactive people might simply not get this > > > message, > > > I am well aware of that - I am mostly interested now in hearing from > > those > > > who > > > are still following. > > > > > > Best regards, > > > Jarek > > > > > > [1] https://airflow.apache.org/community/ > > > [2] https://projects.apache.org/committee.html?airflow > > > > > >
