>creating a maintenance fork
>It is also completely consistent with how open-source ecosystems have historically handled diverging maintenance expectations
Could you please provide such library examples from the Java ecosystem?
I know there's log4j 1.x vs reload4j, however, libraries do not typically use log4j API explicitly. So reload4j is viable for drop-in jar replacement when fixing a CVE, however, it is not viable as a library dependency.

>creating a maintenance fork is not only possible but straightforward: update the package metadata

Creating a fork would require:
1) Select a new name
2) Replace existing mentions of Apache Foo with the new name. Releasing a fork under the Apache commons-lang3 name would literally violate the ASF trademark.
3) Prepare a website and configure the publication
4) Configure publication to Central (note that ASF publishes to its own Nexus, and Central requires different buildscript config)
5) Update the transitive dependencies to use a fork rather than the base commons-lang3

Those are non-trivial efforts.

>and consumers who need stability can depend on that fork without touching anything else in their codebase

You can't easily update old consumers to depend on the fork. In my library I can't force everybody to "exclude commons-lang3 and add safe-lang3 instead". Everybody would have to duplicate the same exclude-include dance. It is far from straightforward. It might be doable when you build an application (~you control all the jars), however, libraries can't easily apply that.

A library can't easily switch to a "hardened fork" since it would cause split packages for Maven consumers if both commons-lang3 and safe-lang3 appear on the classpath.

> the community or individual users prefer not to publish a separate artifact, they can simply monkey-patch the existing JAR

Same thing here: if commons-lang3 is used in transitive dependencies, I can't easily switch it to a different alternative.

>This avoids placing an ongoing release burden on the PMC

Is the burden measurable? The efforts to roll a release are minimal.

Vladimir
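The "exclude-include dance" referred to in the mail above, spelled out as an added Maven pom.xml illustration (this is not from the original mail or from any Apache project; "org.example:some-library", "org.example:safe-lang3" and the version numbers are placeholders, and the fork's coordinates are an assumption):

```xml
<!-- Added illustration (not from the original mail). What every consumer of a
     library that pulls in commons-lang3 transitively would have to repeat in
     order to swap in a hypothetical fork. "org.example:some-library" and
     "org.example:safe-lang3" are placeholder coordinates, not real artifacts. -->
<dependencies>
  <!-- some-library depends on org.apache.commons:commons-lang3 transitively.
       The consumer has to exclude it here... -->
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>some-library</artifactId>
    <version>1.0.0</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- ...and repeat the same <exclusions> block under every other dependency
       that also brings commons-lang3 in. Missing one leaves both jars on the
       classpath, and since a drop-in fork keeps the org.apache.commons.lang3
       package names, that is a split package: which copy of a class loads
       depends on classpath order, so the "hardened" fork may never be used. -->

  <!-- ...then add the fork explicitly. -->
  <dependency>
    <groupId>org.example</groupId>
    <artifactId>safe-lang3</artifactId>
    <version>3.0.0</version> <!-- placeholder version -->
  </dependency>
</dependencies>
```

Because `<exclusions>` are per-dependency, nothing in the library's own pom can do this on behalf of its consumers; each downstream application has to carry the block itself. After applying it, `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3` is the check that shows whether any path still pulls the original artifact in.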
