Dear Apache Geode PMC Members,

I’d like to raise a proposal for consideration regarding our current
release voting threshold.

As it stands, the policy requires *three binding +1 votes* from PMC members
to finalize a release. While this standard has served us well historically,
it may no longer reflect the current reality of our project’s active
participation. In 2023, it was noted that although the PMC officially lists
31 members, fewer than 10 were actively engaged. As Leon recently pointed
out, based on current email activity, it appears that *only three PMC
members* are actively participating—suggesting that the actual number of
engaged PMC members may now be just three.

This makes reaching quorum increasingly difficult—even when the broader
community is contributing actively and consistently. The current release
effort, which includes over 20 commits and four release candidates, is a
clear example of this challenge. Despite strong momentum, we are at risk of
stalling due to procedural thresholds that no longer match our operational
scale.

More importantly, this release remediates *critical security
vulnerabilities* that directly impact the reliability and safety of Apache
Geode deployments. These include:

   - *CVE-2023-40167*: Request smuggling via '+' in Content-Length
   - *CVE-2023-22602*: Spring Boot pattern mismatch auth bypass
   - *CVE-2023-34478*: Path traversal routing bypass
   - *CVE-2023-46750*: Form auth open redirect
   - *CVE-2024-8184*: DoS via memory exhaustion
   - *CVE-2024-13009*: Gzip buffer mismanagement causing cross-request data
   leakage
   - *CVE-2023-26049*: Cookie smuggling
   - *CVE-2023-26048*: Multipart request DoS
   - *CVE-2022-42004 & CVE-2022-42003*: Deep nested array DoS
   vulnerabilities
   - *CVE-2020-36518*: Stack overflow vulnerability
   - *CVE-2022-40664*: Authentication bypass via RequestDispatcher
   - *CVE-2022-32532*: RegexRequestMatcher misconfiguration
   - *CVE-2023-46749*: Path traversal leading to auth bypass
   - *CVE-2024-36124*: JVM crash risk enabling DoS
   - *CVE-2025-48734*: Improper access control via Java enum ClassLoader
   exposure

Delaying this release not only risks losing community momentum—it also
prolongs exposure to known vulnerabilities that have already been addressed.

Given this, I propose we revisit the voting threshold to better reflect the
actual number of active PMC members. If the original intent of requiring
three votes was to represent roughly 10% of the full PMC, then applying
that same ratio to the currently active group would suggest a threshold of *one
binding vote*.

This adjustment would:

   - Align our process with the current scale of active participation
   - Prevent valuable contributions and security fixes from being blocked
   due to quorum issues
   - Encourage continued engagement by reducing procedural bottlenecks

I recognize this is a significant change and welcome discussion on how best
to approach it—whether through a formal vote, a temporary adjustment, or a
broader review of our governance practices.

Thank you for your continued dedication to Apache Geode. I look forward to
hearing your thoughts.

Respectfully,

Jinwoo Hwang (he/him/his)

SAS® Research and Development

http://JinwooHwang.com

On Tue, Sep 16, 2025 at 6:22 PM Jinwoo Hwang <[email protected]> wrote:

> Dear Apache Geode PMC Members,
>
> We are standing at the edge of a major milestone—and we need your help to
> cross it.
>
> As of the original deadline, we are still two binding votes short of
> finalizing the release.
> In recognition of the tremendous effort poured into this by our
> contributors and reviewers, we are extending the vote by 24 hours.
>
> This release is the result of months of focused collaboration:
>
>    - 20+ commits
>    - 4 release candidates
>    - Countless hours of testing, reviewing, and refining
>
>
> To let this moment pass without action would be to set aside the hard work
> of those who have reignited momentum in our community.
> We owe it to them—and to the future of Apache Geode—to see this through.
>
> If you are a PMC member who has not yet voted, I urge you to take a moment
> and cast your vote.
> Your participation is not just procedural—it is a statement of support for
> the community, for the contributors, and for the continued vitality of this
> project.
>
> Let’s not allow this opportunity to stall. Let’s finish what we
> started—together.
> If you have any questions or concerns, I’m available and happy to assist.
>
> With respect and appreciation,
>
> Jinwoo Hwang (he/him/his)
>
> SAS® Research and Development
> http://JinwooHwang.com
>
> ---------- Forwarded message ---------
> From: Jinwoo Hwang <[email protected]>
> Date: Tue, Sep 16, 2025 at 7:55 AM
> Subject: Project Management Committee Support Needed Today – Help Finalize
> the Apache Geode Release
> To: <[email protected]>
>
>
> Dear Apache Geode Community and PMC members,
>
>
> It has been nearly three years since our last release on October 10, 2022,
> and we are pleased to share that we are now on the verge of delivering a
> long-awaited update. Over the past five months, we’ve made more than 20
> commits and produced four release candidates—a remarkable achievement that
> reflects the renewed energy within our community.
>
> This progress would not have been possible without the dedication of many
> contributors and reviewers. We would like to extend our sincere
> appreciation to Arnout, Bryan, Calvin, Charlie, Kirk, Kishor, Leon, and
> Niall for your generous support and active engagement. Your efforts have
> been instrumental in reigniting momentum and moving the project forward.
>
> As of this morning, we are just two PMC votes away from finalizing the
> release. If you are a PMC member and have not yet voted, please consider
> doing so by 3 PM PST today. Your participation is essential to completing
> this milestone.
>
> More importantly, we kindly ask our PMC members to help maintain—and
> ideally accelerate—the momentum that the community has just rekindled. This
> is a pivotal moment for Apache Geode. While we’ve faced challenges due to
> limited active committers and documentation that has struggled to keep pace
> with evolving tooling and workflows, your renewed involvement can be a
> turning point. Active PMC engagement will not only help us close this
> release but also strengthen the foundation for future contributions and
> collaboration.
>
> Please feel free to reach out to me if you have any concerns or feedback.
> I’d be happy to discuss and support in any way I can.
>
> Let’s take this final step together and build on the collective effort
> that has brought us here.
>
> With appreciation and respect,
> Jinwoo Hwang (he/him/his)
>
>
> SAS® Research and Development
> http://JinwooHwang.com
>
