In our case we want CVEs fixed as much as possible across our dependencies to have a clean grade on security analysis by Sonar, etc. This can be either for the company security stance and/or security audits by clients. It’s not manageable if the Geode dependency shows many of its dependencies flagged with various CVEs. So a periodic update in this area is required.
On Wed, Sep 17, 2025 at 7:46 AM Jinwoo Hwang <[email protected]> wrote:
> Hi Arnout,
>
> Thank you for your thoughtful and constructive feedback. I sincerely apologize for the oversight in cross-posting between dev@ and private@ lists. I understand the importance of maintaining clear boundaries between public and private communications, especially when sensitive topics like security are involved. I’ll be more careful moving forward.
>
> I also want to acknowledge that my limited experience with some of these processes may have caused concern or alarm. I appreciate your patience and the clarity you've provided—it’s been very helpful in deepening my understanding.
>
> Regarding the '3 votes' threshold, I agree it’s important to adhere to the Apache Release Policy. Your point about leveraging current momentum to re-engage existing PMC members and onboard new ones is encouraging. I share your optimism and believe Geode is indeed on a promising path.
>
> On PMC activity, I’ve also noticed signs of engagement from members who may not be visible on dev@, so your observation about Leon’s assessment possibly being a bit conservative makes sense.
>
> As for the dependency advisories, I appreciate your clarification that none have been confirmed to directly impact Geode. While urgency may be debatable, I do think the release is a positive step forward and reflects renewed commitment.
>
> Your note on the voting window is also helpful. I agree that while quick closure supports momentum, flexibility in timing is built into the process and can be accommodated when needed.
>
> Thanks again for your insights and support. I look forward to continued collaboration and learning.
>
> Best regards,
>
> Jinwoo Hwang (he/him/his)
> SAS® Research and Development
> http://JinwooHwang.com
>
> From: Arnout Engelen <[email protected]>
> Date: Wednesday, September 17, 2025 at 7:29 AM
> To: [email protected] <[email protected]>
> Subject: Re: Proposal to Revisit PMC Voting Threshold for Apache Geode Releases
>
> Hi,
>
> Note this thread spans both dev@ (a public list) and private@ (a private list). We usually try not to do that, to avoid accidentally leaking information from the private to the public sphere (see also for example https://incubator.apache.org/guides/committer.html). For this particular thread I suppose that risk is not so big, but let's be careful especially when discussing security impact. More comments inline:
>
> On Wed, Sep 17, 2025 at 1:56 AM Jinwoo Hwang <[email protected]> wrote:
> > As it stands, the policy requires *three binding +1 votes* from PMC members to finalize a release. While this standard has served us well historically, it may no longer reflect the current reality of our project’s active participation. In 2023, it was noted that although the PMC officially lists 31 members, fewer than 10 were actively engaged. As Leon recently pointed out, based on current email activity, it appears that *only three PMC members* are actively participating—suggesting that the actual number of engaged PMC members may now be just three.
> >
> > This makes reaching quorum increasingly difficult—even when the broader community is contributing actively and consistently. The current release effort, which includes over 20 commits and four release candidates, is a clear example of this challenge. Despite strong momentum, we are at risk of stalling due to procedural thresholds that no longer match our operational scale.
>
> I'd like to note that my understanding is that the 'voting window' is a 'no closing the vote before', but not a 'the vote must close at' - so even if the vote would be delayed that is not necessarily a dealbreaker. I agree it's better for momentum if the vote can close quickly, of course ;) .
>
> > More importantly, this release remediates *critical security vulnerabilities* that directly impact the reliability and safety of Apache Geode deployments. These include:
> >
> > - *CVE-2023-40167*: Request smuggling via '+' in Content-Length
> > - *CVE-2023-22602*: Spring Boot pattern mismatch auth bypass
> > - *CVE-2023-34478*: Path traversal routing bypass
> > - *CVE-2023-46750*: Form auth open redirect
> > - *CVE-2024-8184*: DoS via memory exhaustion
> > - *CVE-2024-13009*: Gzip buffer mismanagement causing cross-request data leakage
> > - *CVE-2023-26049*: Cookie smuggling
> > - *CVE-2023-26048*: Multipart request DoS
> > - *CVE-2022-42004 & CVE-2022-42003*: Deep nested array DoS vulnerabilities
> > - *CVE-2020-36518*: Stack overflow vulnerability
> > - *CVE-2022-40664*: Authentication bypass via RequestDispatcher
> > - *CVE-2022-32532*: RegexRequestMatcher misconfiguration
> > - *CVE-2023-46749*: Path traversal leading to auth bypass
> > - *CVE-2024-36124*: JVM crash risk enabling DoS
> > - *CVE-2025-48734*: Improper access control via Java enum ClassLoader exposure
> >
> > Delaying this release not only risks losing community momentum—it also prolongs exposure to known vulnerabilities that have already been addressed.
>
> While I agree these advisories for dependencies represent some risk, I want to note that AFAIK none of those have been confirmed to actually impact Geode. A release may also fix undisclosed vulnerabilities, but frankly given the previous release AFAICS was in 2022 it's hard to argue particular urgency. Still, I'm thrilled the release is proceeding!
>
> > Given this, I propose we revisit the voting threshold to better reflect the actual number of active PMC members. If the original intent of requiring three votes was to represent roughly 10% of the full PMC, then applying that same ratio to the currently active group would suggest a threshold of *one binding vote*.
> >
> > This adjustment would:
> >
> > - Align our process with the current scale of active participation
> > - Prevent valuable contributions and security fixes from being blocked due to quorum issues
> > - Encourage continued engagement by reducing procedural bottlenecks
> >
> > I recognize this is a significant change and welcome discussion on how best to approach it—whether through a formal vote, a temporary adjustment, or a broader review of our governance practices.
> >
> > Thank you for your continued dedication to Apache Geode. I look forward to hearing your thoughts.
>
> The '3 votes' threshold comes from the Apache Release Policy (https://www.apache.org/legal/release-policy.html). If a project has insufficient active PMC members to make that quorum, it should consider retiring. Indeed Geode has been at the brink of retirement, but I agree it is now on a good trajectory back to health. I think Leon's assessment of the number of active PMCs may be a bit pessimistic, as I've seen a few other PMC members be active as well (though that may have been on the private list, I haven't checked).
>
> Instead of dropping the threshold, I'm optimistic we can use the current momentum both to encourage existing PMC members to become/remain active, but also to work towards onboarding new PMC members.
>
> Kind regards,
>
> Arnout
>
> > On Tue, Sep 16, 2025 at 6:22 PM Jinwoo Hwang <[email protected]> wrote:
> > > Dear Apache Geode PMC Members,
> > >
> > > We are standing at the edge of a major milestone—and we need your help to cross it.
> > >
> > > As of the original deadline, we are still two binding votes short of finalizing the release.
> > > In recognition of the tremendous effort poured into this by our contributors and reviewers, we are extending the vote by 24 hours.
> > >
> > > This release is the result of months of focused collaboration:
> > >
> > > - 20+ commits
> > > - 4 release candidates
> > > - Countless hours of testing, reviewing, and refining
> > >
> > > To let this moment pass without action would be to set aside the hard work of those who have reignited momentum in our community.
> > > We owe it to them—and to the future of Apache Geode—to see this through.
> > >
> > > If you are a PMC member who has not yet voted, I urge you to take a moment and cast your vote.
> > > Your participation is not just procedural—it is a statement of support for the community, for the contributors, and for the continued vitality of this project.
> > >
> > > Let’s not allow this opportunity to stall. Let’s finish what we started—together.
> > > If you have any questions or concerns, I’m available and happy to assist.
> > >
> > > With respect and appreciation,
> > >
> > > Jinwoo Hwang (he/him/his)
> > >
> > > ---------- Forwarded message ---------
> > > From: Jinwoo Hwang <[email protected]>
> > > Date: Tue, Sep 16, 2025 at 7:55 AM
> > > Subject: Project Management Committee Support Needed Today – Help Finalize the Apache Geode Release
> > > To: <[email protected]>
> > >
> > > Dear Apache Geode Community and PMC members,
> > >
> > > It has been nearly three years since our last release on October 10, 2022, and we are pleased to share that we are now on the verge of delivering a long-awaited update. Over the past five months, we’ve made more than 20 commits and produced four release candidates—a remarkable achievement that reflects the renewed energy within our community.
> > >
> > > This progress would not have been possible without the dedication of many contributors and reviewers. We would like to extend our sincere appreciation to Arnout, Bryan, Calvin, Charlie, Kirk, Kishor, Leon, and Niall for your generous support and active engagement. Your efforts have been instrumental in reigniting momentum and moving the project forward.
> > >
> > > As of this morning, we are just two PMC votes away from finalizing the release. If you are a PMC member and have not yet voted, please consider doing so by 3 PM PST today. Your participation is essential to completing this milestone.
> > >
> > > More importantly, we kindly ask our PMC members to help maintain—and ideally accelerate—the momentum that the community has just rekindled. This is a pivotal moment for Apache Geode. While we’ve faced challenges due to limited active committers and documentation that has struggled to keep pace with evolving tooling and workflows, your renewed involvement can be a turning point. Active PMC engagement will not only help us close this release but also strengthen the foundation for future contributions and collaboration.
> > >
> > > Please feel free to reach out to me if you have any concerns or feedback. I’d be happy to discuss and support in any way I can.
> > >
> > > Let’s take this final step together and build on the collective effort that has brought us here.
> > >
> > > With appreciation and respect,
> > > Jinwoo Hwang (he/him/his)
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
