Hi,

Note this thread spans both dev@ (a public list) and private@ (a private
list). We usually try not to do that, to avoid accidentally leaking
information from the private to the public sphere (see also for example
https://incubator.apache.org/guides/committer.html). For this
particular thread I suppose that risk is not so big, but let's be careful
especially when discussing security impact. More comments inline:

On Wed, Sep 17, 2025 at 1:56 AM Jinwoo Hwang <[email protected]> wrote:

> As it stands, the policy requires *three binding +1 votes* from PMC members
> to finalize a release. While this standard has served us well historically,
> it may no longer reflect the current reality of our project’s active
> participation. In 2023, it was noted that although the PMC officially lists
> 31 members, fewer than 10 were actively engaged. As Leon recently pointed
> out, based on current email activity, it appears that *only three PMC
> members* are actively participating—suggesting that the actual number of
> engaged PMC members may now be just three.
>
> This makes reaching quorum increasingly difficult—even when the broader
> community is contributing actively and consistently. The current release
> effort, which includes over 20 commits and four release candidates, is a
> clear example of this challenge. Despite strong momentum, we are at risk of
> stalling due to procedural thresholds that no longer match our operational
> scale.
>

I'd like to note that my understanding is that the 'voting window' is a 'no
closing the vote before', but not a 'the vote must close at' - so even if
the vote would be delayed that is not necessarily a dealbreaker. I agree
it's better for momentum if the vote can close quickly, of course ;) .


> More importantly, this release remediates *critical security
> vulnerabilities* that directly impact the reliability and safety of Apache
> Geode deployments. These include:
>
>    - *CVE-2023-40167*: Request smuggling via '+' in Content-Length
>    - *CVE-2023-22602*: Spring Boot pattern mismatch auth bypass
>    - *CVE-2023-34478*: Path traversal routing bypass
>    - *CVE-2023-46750*: Form auth open redirect
>    - *CVE-2024-8184*: DoS via memory exhaustion
>    - *CVE-2024-13009*: Gzip buffer mismanagement causing cross-request data
>    leakage
>    - *CVE-2023-26049*: Cookie smuggling
>    - *CVE-2023-26048*: Multipart request DoS
>    - *CVE-2022-42004 & CVE-2022-42003*: Deep nested array DoS
>    vulnerabilities
>    - *CVE-2020-36518*: Stack overflow vulnerability
>    - *CVE-2022-40664*: Authentication bypass via RequestDispatcher
>    - *CVE-2022-32532*: RegexRequestMatcher misconfiguration
>    - *CVE-2023-46749*: Path traversal leading to auth bypass
>    - *CVE-2024-36124*: JVM crash risk enabling DoS
>    - *CVE-2025-48734*: Improper access control via Java enum ClassLoader
>    exposure
>
> Delaying this release not only risks losing community momentum—it also
> prolongs exposure to known vulnerabilities that have already been
> addressed.
>

While I agree these advisories for dependencies represent some risk, I want
to note that AFAIK none of those have been confirmed to actually impact
Geode. A release may also fix undisclosed vulnerabilities, but frankly
given the previous release AFAICS was in 2022 it's hard to argue particular
urgency. Still, I'm thrilled the release is proceeding!


> Given this, I propose we revisit the voting threshold to better reflect the
> actual number of active PMC members. If the original intent of requiring
> three votes was to represent roughly 10% of the full PMC, then applying
> that same ratio to the currently active group would suggest a threshold of
> *one binding vote*.
>
> This adjustment would:
>
>    - Align our process with the current scale of active participation
>    - Prevent valuable contributions and security fixes from being blocked
>    due to quorum issues
>    - Encourage continued engagement by reducing procedural bottlenecks
>
> I recognize this is a significant change and welcome discussion on how best
> to approach it—whether through a formal vote, a temporary adjustment, or a
> broader review of our governance practices.
>
> Thank you for your continued dedication to Apache Geode. I look forward to
> hearing your thoughts.


The '3 votes' threshold comes from the Apache Release Policy (
https://www.apache.org/legal/release-policy.html). If a project has
insufficient active PMC members to make that quorum, it should consider
retiring. Indeed Geode has been at the brink of retirement, but I agree it
is now on a good trajectory back to health. I think Leon's assessment of
the number of active PMCs may be a bit pessimistic, as I've seen a few
other PMC members be active as well (though that may have been on the
private list, I haven't checked).

Instead of dropping the threshold, I'm optimistic we can use the current
momentum both to encourage existing PMC members to become/remain active
and to work towards onboarding new PMC members.


Kind regards,

Arnout


> On Tue, Sep 16, 2025 at 6:22 PM Jinwoo Hwang <[email protected]> wrote:
>
> > Dear Apache Geode PMC Members,
> >
> > We are standing at the edge of a major milestone—and we need your help to
> > cross it.
> >
> > As of the original deadline, we are still two binding votes short of
> > finalizing the release.
> > In recognition of the tremendous effort poured into this by our
> > contributors and reviewers, we are extending the vote by 24 hours.
> >
> > This release is the result of months of focused collaboration:
> >
> >    - 20+ commits
> >    - 4 release candidates
> >    - Countless hours of testing, reviewing, and refining
> >
> >
> > To let this moment pass without action would be to set aside the hard work
> > of those who have reignited momentum in our community.
> > We owe it to them—and to the future of Apache Geode—to see this through.
> >
> > If you are a PMC member who has not yet voted, I urge you to take a moment
> > and cast your vote.
> > Your participation is not just procedural—it is a statement of support for
> > the community, for the contributors, and for the continued vitality of this
> > project.
> >
> > Let’s not allow this opportunity to stall. Let’s finish what we
> > started—together.
> > If you have any questions or concerns, I’m available and happy to assist.
> >
> > With respect and appreciation,
> >
> > Jinwoo Hwang (he/him/his)
> >
> > SAS® Research and Development
> > http://JinwooHwang.com
> >
> > ---------- Forwarded message ---------
> > From: Jinwoo Hwang <[email protected]>
> > Date: Tue, Sep 16, 2025 at 7:55 AM
> > Subject: Project Management Committee Support Needed Today – Help Finalize
> > the Apache Geode Release
> > To: <[email protected]>
> >
> >
> > Dear Apache Geode Community and PMC members,
> >
> >
> > It has been nearly three years since our last release on October 10, 2022,
> > and we are pleased to share that we are now on the verge of delivering a
> > long-awaited update. Over the past five months, we’ve made more than 20
> > commits and produced four release candidates—a remarkable achievement that
> > reflects the renewed energy within our community.
> >
> > This progress would not have been possible without the dedication of many
> > contributors and reviewers. We would like to extend our sincere
> > appreciation to Arnout, Bryan, Calvin, Charlie, Kirk, Kishor, Leon, and
> > Niall for your generous support and active engagement. Your efforts have
> > been instrumental in reigniting momentum and moving the project forward.
> >
> > As of this morning, we are just two PMC votes away from finalizing the
> > release. If you are a PMC member and have not yet voted, please consider
> > doing so by 3 PM PST today. Your participation is essential to completing
> > this milestone.
> >
> > More importantly, we kindly ask our PMC members to help maintain—and
> > ideally accelerate—the momentum that the community has just rekindled. This
> > is a pivotal moment for Apache Geode. While we’ve faced challenges due to
> > limited active committers and documentation that has struggled to keep pace
> > with evolving tooling and workflows, your renewed involvement can be a
> > turning point. Active PMC engagement will not only help us close this
> > release but also strengthen the foundation for future contributions and
> > collaboration.
> >
> > Please feel free to reach out to me if you have any concerns or feedback.
> > I’d be happy to discuss and support in any way I can.
> >
> > Let’s take this final step together and build on the collective effort
> > that has brought us here.
> >
> > With appreciation and respect,
> > Jinwoo Hwang (he/him/his)
> >
> >
> > SAS® Research and Development
> > http://JinwooHwang.com
> >
>


-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
