Re: Maven POM "Developers" section

2025-04-05 Thread Gary Gregory
Some IMOs below.

On Fri, Mar 21, 2025 at 6:40 AM Piotr P. Karwasz wrote:
>
> Hi all,
>
> A user report regarding a broken link on `projects.apache.org`[1]
> brought my attention to the amount of out-of-date metadata we publish:
>
> * Our DOAP file has not been updated in ages. It contained out of date
> links. We should probably regenerate it at each release. On
> `projects.apache.org` this would give a result like Maven's[2].
>
> * Our `` and `` sections in POM files are also
> out of date. It contains people that are not active, does **not**
> contain people that are active and some affiliations might not be up to
> date.
>
>
> To better understand what the `` option should contain, I
> looked at the documentation[3] and asked on Slack[4]. The documentation
> says:
>
>  > Developers are presumably members of the project's core development.
> Note that, although an organization may have many developers
> (programmers) as members, it is not good form to list them all as
> developers, but only those who are immediately responsible for the code.
> A good rule of thumb is, if the person should not be contacted about the
> project, they do not need to be listed here.
>
> And of course the Maven team contradicts itself, by listing all PMC
> Members, Committers and even Emeritus members in their POM file[5].
>
>
> We have probably two options here:
>
> 1. My favorite is to break the semantics of `` and add two
> teams in `logging-parent`: an "Apache Logging Services Security Team"
> with address `secur...@logging.apache.org` and an "Apache Logging
> Services PMC" with this mailing list as address.
>
> 2. List team members only in `logging-parent` and keep the list
> up-to-date. If we go for this option:
>
>  * We should remove inactive members from the POM file.

In the spirit of KISS...

1. If someone has had a commit in the history of the project, they
should be listed as a contributor. This includes PR contributions.
2. Active PMC members should be listed as developers.
3. (Redundant with 1) Committers not on the PMC should be listed as
contributors.

I would also be OK to simplify it more as "developers" = PMC and
"contributors" = committers. Everyone else gets credited in
changes.xml or whatever custom system we now use.

>
>  * If we add some people there, we should at least add the whole
> Project Management Committee. These are the people currently
> "immediately responsible for the code" and even Log4cxx and Log4net
> developers assume responsibility and vote on Log4j releases. Adding our
> few active committers does not hurt either.
>
>  * The list should be somehow ordered, with the people that should
> be contacted first at the top. I think the order should be PMC Chair,
> PMC Member, Committer.

This is crazy busy work, if converting the XML to HTML wants to do this, fine.

>
>  * We should not list affiliations, unless our employer explicitly
> pays us to work on Log4j and would like to be listed.

What does this mean? If you mean the "organization" element, I don't
think we should be policing what people put in there, unless it's an
obvious problem like someone putting a link to an ad for a "url"
element.

HTH,
Gary

>
> I started a draft PR for option 2[6].
>
> What do you think?
>
> Piotr
>
>
> [1] https://github.com/apache/logging-log4j2/issues/3536
>
> [2] https://projects.apache.org/project.html?maven
>
> [3] https://maven.apache.org/pom.html#Developers
>
> [4] https://the-asf.slack.com/archives/C7Q9JB404/p1742287422781009
>
> [5] https://mvnrepository.com/artifact/org.apache.maven/maven-core/3.9.9
>
> [6] https://github.com/apache/logging-parent/pull/351
>


Re: [VOTE] Add branch protection rules to Log4j

2025-04-05 Thread Piotr P. Karwasz

Hi all,
Sorry, my e-mail client reformatted some lines.
So, the concerned repos are all non-dormant Java repos: l-admin, l-jdk, 
l-jmx-gui, l-log4j2, l-log4j-jakarta, l-log4j-kotlin, l-log4j-samples, 
l-log4j-scala, l-log4j-transform, l-log4j-tools, l-parent.


Vote 1. Require a pull request before merging:
[ ] +1, enable this feature
[ ] -1, do not enable this feature

Vote 2. Require conversation resolution before merging:
[ ] +1, enable this feature
[ ] -1, do not enable this feature

Vote 3. Require linear history (Prevent merge commits from being pushed 
to code branches. Only "Squash" and similar allowed):

[ ] +1, enable this feature
[ ] -1, do not enable this feature

Vote 4. Require status checks to pass before merging:
[ ] +1, enable this feature
[ ] -1, do not enable this feature

Vote 5. Require at least one positive review before merging:
[ ] +1, enable this feature
[ ] -1, do not enable this feature

Piotr
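
An added example, not part of the original message: one way to check whether a branch already enforces the five rules being voted on, by reading the JSON that GitHub's REST branch-protection endpoint returns. The field names are GitHub's; the sample response is constructed and the function names are hypothetical.

```python
# Added example: audit a branch-protection response against the five votes.
import json

# Constructed sample of a
# GET /repos/{owner}/{repo}/branches/{branch}/protection response.
SAMPLE = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 0},
  "required_status_checks": {"strict": true, "contexts": ["build"], "checks": []},
  "required_linear_history": {"enabled": true},
  "required_conversation_resolution": {"enabled": false}
}
""")


def _enabled(protection, key):
    """True when an {"enabled": bool} style setting is present and on."""
    return bool((protection.get(key) or {}).get("enabled"))


def audit(protection):
    """Map each vote number (1-5) to True if that rule is enforced."""
    reviews = protection.get("required_pull_request_reviews")
    checks = protection.get("required_status_checks") or {}
    return {
        # Vote 1: a pull request is required (object present, even with 0 reviews).
        1: reviews is not None,
        # Vote 2: conversations must be resolved.
        2: _enabled(protection, "required_conversation_resolution"),
        # Vote 3: linear history, no merge commits.
        3: _enabled(protection, "required_linear_history"),
        # Vote 4: at least one named status check must pass.
        4: bool(checks.get("contexts") or checks.get("checks")),
        # Vote 5: at least one approving review, which is stricter than vote 1.
        5: reviews is not None
        and reviews.get("required_approving_review_count", 0) >= 1,
    }


def missing(protection):
    """Sorted vote numbers whose rule is not enforced."""
    return sorted(n for n, ok in audit(protection).items() if not ok)


if __name__ == "__main__":
    for number, ok in audit(SAMPLE).items():
        print(f"Vote {number}: {'enforced' if ok else 'NOT enforced'}")
```

Votes 1 and 5 are separate settings: a branch can require a pull request while accepting zero approvals, which is the case in the constructed sample.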


[VOTE] Apache Logging Parent `12.1.0` (RC1)

2025-04-05 Thread Piotr P. Karwasz

This is a lazy-vote to release the Apache Logging Parent `12.1.0`.

Website: https://logging.staged.apache.org/logging-parent-12.1.0
GitHub: https://github.com/apache/logging-parent
Commit: c470a36f072ecb716e8aef7c5719d50ff9d1a9dc
Distribution: https://dist.apache.org/repos/dist/dev/logging/logging-parent/12.1.0
Nexus: https://repository.apache.org:443/content/repositories/orgapachelogging-1313

Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
Review kit: https://logging.apache.org/logging-parent/release-review-instructions.html


Please download, test, and cast your votes on this mailing list.

[ ] +1, release the artifacts
[ ] -1, don't release, because...

This vote is open for 72 hours and will pass unless getting a
net negative vote count. All votes are welcome and we encourage
everyone to test the release, but only the Logging Services PMC
votes are officially counted.

== Release Notes

This minor release adds CodeQL checks for GitHub Actions.
It also fixes a breaking change in Error Prone that prevented projects 
from migrating to version `12.0.0`.


=== Added

* Add "GitHub Actions" to the list of languages analyzed by CodeQL.

=== Fixed

* Use the `maven.deploy.skip` Maven property in `nexus-staging-maven-plugin`. This effectively fixes the skipping of test artifacts' deployments. (#360)
* Fix Error Prone arguments breaking `maven-compiler-plugin:compile`.
* Fix inheritance of `url` elements in children POMs.

=== Updated

* Update `actions/cache` to version `4.2.3` (#357)
* Update `actions/upload-artifact` to version `4.6.2` (#359)
* Update `com.diffplug.spotless:spotless-maven-plugin` to version `2.44.3` (#333)
* Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.9.3.0` (#349)
* Update `com.google.errorprone:error_prone_core` to version `2.37.0` (#356)
* Update `com.gradle:develocity-maven-extension` to version `1.23.2` (#338)
* Update `com.palantir.javaformat:palantir-java-format` to version `2.61.0` (#361)
* Update `de.skuzzle.enforcer:restrict-imports-enforcer-rule` to version `2.6.1` (#365)
* Update `github/codeql-action` to version `3.28.13` (#364)
* Update `org.apache:apache` to version `34` (#353)
* Update `org.apache.groovy:groovy` to version `4.0.26` (#340)
* Update `org.asciidoctor:asciidoctor-maven-plugin` to version `3.2.0` (#362)
* Update `org.codehaus.mojo:flatten-maven-plugin` to version `1.7.0` (#339)
* Update `org.eclipse.jgit:org.eclipse.jgit` to version `7.2.0.202503040940-r` (#355)
* Update `ossf/scorecard-action` to version `2.4.1` (#335)