On 5/16/26 4:56 AM, Elliotte Rusty Harold wrote:
> We are one compromised committer account away from a massive breach that actively runs code on the computers of probably half the Java developers on the planet.
I agree with Elliotte. It seems irresponsible to allow commits in a project like Maven without a review by at least one other person.
Maven is always held up as the example to follow when compromises happen in other package managers, such as those for Node, Python, Rust, or Go. Let's keep it that way!
It isn't always due to compromised accounts. Compromises can be introduced due to mistakes, money, coercion, or extortion. A review actually protects Maven developers from such acts. Without one, they instead become a target.
We shouldn't push our luck, and letting single-author commits go out to developer machines without any review is relying on pure luck.
John
