Agree with Elliotte here. I think it's easy to underestimate the risk
we're running. Surely, contributing to Maven is an unpaid job for most
of us - attacking the ecosystem isn't for some other people.
So, a +1 from my side on requiring code reviews from fellow committers.
That would include **updating** our review policy [1], rather than
citing it as an argument to not enforce code reviews.
Thanks,
Maarten
[1] https://maven.apache.org/developers/conventions/git.html#review-policy
On 16/05/2026 13:56, Elliotte Rusty Harold wrote:
I do think we need to decrease code review latency. And I do think
it's inconvenient to wait for code review instead of just committing.
But I have to emphasize the security issue here.
We are one compromised committer account away from a massive breach
that actively runs code on the computers of probably half the Java
developers on the planet.
And that includes the accounts of people we haven't heard from in over
a decade.
And the whole open source ecosystem is under active attack from state-sponsored
organizations who are highly motivated to do this.
So yes, implementing this will slow our velocity. That is a cost, and
the cost is worth it.