> If the current owner of the code base is not acting in the best interest of the wider community, then that might be a reason for it to be considered
Frankly speaking, my experience with Elm is limited to watching talks and reading blog posts; however, I am inclined to think that the code owner does ignore the wider community. See https://dev.to/kspeakman/elm-019-broke-us--khn and https://discourse.elm-lang.org/t/native-code-in-0-19/826

Long story short: Elm changed the compiler in such a way that only modules that come with elm-lang and elm-explorations can integrate with "native JavaScript modules".

In other words, suppose someone selected Elm for creating a web application. It might be that they reused one of the existing JavaScript libraries (e.g. open-source or in-house ones). Then Elm 0.19 appears, and the only choices for the users are:

a) Rewrite all their JavaScript dependencies in Elm. That is fine for enthusiasts; however, it is not the way to go for business apps.
b) Stay with Elm 0.18. It implies "no security fixes", so it is bad as well.

The case does sound like a show-stopper for using Elm in production for me. Well, it might be OK for toy projects; however, I would really refrain from selecting Elm for a prod system. I would even consider toning down and declining Elm-related talks for conferences for exactly this reason: the current Elm sounds like a trap.

---

Rupert>I like the values of Apache - openness, independence and plurality of
Rupert>contributors

Have you tried asking the Apache Logging team to release a one-liner fix for a CVE with a 5..9 score in log4j 1.x? The fixes are there. They can be easily reviewed, tested, and merged. They would make a LOT of applications more secure by a mere bump of log4j 1.2.17 to 1.2.18 with the CVE fixes.

The devastating news is that the Apache Logging team completely ignores the interests of log4j 1.x users, and, at the same time, they block everybody else from releasing log4j 1.x fixes:

* They do not invite committers who are eager to support log4j 1.x
* They do not want to transfer log4j 1.x to a different TLP
* They ignore PRs and they ignore issues related to log4j 1.x.
Their answer is that "1.x is end-of-life, do not use it". The reality is that there are people providing well-reviewed and well-tested code, and the Logging team ignores the code. What they say is "contribute to log4j 2.x, and one day we might consider inviting you as a committer". That does not really scale, as releasing log4j 1.x requires at least 3 PMC members, so it would take ages to get new people contributing to Logging and promoting them to PMC members.

That means "Apache Logging" is not really acting in the best interest of the global community that uses log4j 1.x.

Vladimir