I totally disagree. We are a very small and trustworthy group of
committers. It is not easy to sneak some malware or malicious commit in
at all.
Also ... if all the sponsored hackers are attacking the open source
ecosystem - maybe all these state, government and large organizational
users should step up, form some foundation or whatever, hire 20 highly
skilled developers, get them onboarded as Maven expert developers, let
them earn our trust, and then they can start helping with those reviews.
Until then we do what we can, and we should NOT slow down; on the
contrary, we should ship Maven 4 and other things faster.
If anyone wants to start such a foundation and sponsor Maven developers
as full-time committers who are actually paid, let's get started and get
Tamas and a few others actually paid for their amazing work.
Manfred
On 5/16/2026 4:56 AM, Elliotte Rusty Harold wrote:
I do think we need to decrease code review latency. And I do think
it's inconvenient to wait for code review instead of just committing.
But I have to emphasize the security issue here.
We are one compromised committer account away from a massive breach
that actively runs code on the computers of probably half the Java
developers on the planet.
And that includes the accounts of people we haven't heard from in over
a decade.
And the whole open source ecosystem is under active attack from state-
sponsored organizations who are highly motivated to do this.
So yes, implementing this will slow our velocity. That is a cost, and
the cost is worth it.