Call for Lead Maintainers – GraalVM Backports Repositories #8935

Closed
alina-yur opened this issue May 16, 2024 · 14 comments

@alina-yur
Member

alina-yur commented May 16, 2024

TL;DR

To express your interest in becoming the Lead Maintainer of community backports, please send an email to [email protected] by June 10th, 2024.

Oracle requires that access to security fixes is made by legal entities rather than individuals. These entities must enter into an NDA with Oracle, ensuring compliance with disclosure timelines and deadlines for delivery of security updates. By doing so, Oracle maintains control over the dissemination of critical security information and safeguards against unauthorized disclosure.

Background

GraalVM Community Edition follows the release model of OpenJDK. GraalVM CE for JDK 17 and JDK 21 will soon no longer receive CPU releases, but there's interest in the community in maintaining the corresponding sources for other GraalVM distributions. To support this community request, we as the GraalVM team at Oracle Labs have created two repositories:

https://github.com/graalvm/graalvm-for-jdk21-community-backports
https://github.com/graalvm/graalvm-for-jdk17-community-backports

We are inviting GraalVM community members to step up as a Lead Maintainer of those repositories. Please send an email to [email protected]. Lead Maintainers will oversee community backports and version-specific bug fixes. They can also invite other community maintainers to join them.

The repositories are intended to maintain source code that can be used by the community to produce builds that can then be used by community members and vendors to produce their builds and distribute them via distribution platforms.

Upon community request, we will also create such repositories for upcoming Java versions.

We will review all requests and provide an update in this ticket.

alina-yur added this to the Planned for the Future milestone May 16, 2024
alina-yur self-assigned this May 16, 2024
@jerboaa
Collaborator

jerboaa commented May 16, 2024

@alina-yur Thanks for starting this process. Much appreciated!

Quick clarification: Is Oracle still maintaining any one of these repos (as of today) or are they both looking for new community maintainers? I think we've established that https://github.com/graalvm/graalvm-for-jdk17-community-backports is in need of a maintainer as of now. Not sure what the situation with the JDK 21 repo is. Thanks!

@alina-yur
Member Author

Hi @jerboaa. While the older binaries for GraalVM CE for Java 21 remain available for download, they are not receiving security patches any more. Therefore, it is recommended to either upgrade to GraalVM CE for Java 22 or Oracle GraalVM for Java 21. So yes, the same applies to the JDK 21 repo.

@jerboaa
Collaborator

jerboaa commented May 17, 2024

Thanks for the clarification!

@alina-yur
Member Author

Hi everyone, I want to give a quick status update. We have received several requests from potential maintainers; so to proceed with this, we will close the applications on June 10th, 2024.
So if you are interested in becoming the lead maintainer, please send us an email by then. Thank you!

@ezzarghili
Member

Updated the description to clarify that due to security and compliance requirements, we cannot accept requests from individuals at this time.

@simonis

simonis commented Jun 6, 2024

@ezzarghili, I don't see how maintaining the community repositories is strongly coupled with the requirement to sign Oracle's GraalVM Vulnerability NDA?

Security patches will only land in the community repositories after Oracle has lifted the embargo for them anyway, and they can be contributed by somebody who is part of a legal entity that signed the Oracle NDA but not necessarily the Lead Maintainer of the community repositories. From my point of view, these two things are orthogonal. Or am I missing something?

@simonis

simonis commented Jun 11, 2024

When and where will the "winners" be announced now that the deadline has passed?

@alina-yur
Member Author

Hi @simonis. That was the deadline for applications; now we are going through them and talking to those who submitted applications. We will follow up with the Advisory Board and publicly shortly.

@alina-yur
Member Author

Hi everyone,
here's a follow up.

We have received a number of applications, and will proceed with Foivos Zakkak (@zakkak) from Red Hat as a lead maintainer, as Foivos has a track record of contributing to the GraalVM project and maintaining related distributions.
He has expressed interest in maintaining JDK 21 at least until October 2025, and he is also willing to lead the maintenance of JDK 17 until November 2024.

Thank you for stepping up, @zakkak, and we will coordinate regarding the next steps.

@simonis

simonis commented Jun 19, 2024

Congratulations @zakkak!

@zakkak
Collaborator

zakkak commented Jun 19, 2024

Thank you all!

I will do my best to support this community and have a fruitful collaboration. Anyone willing to collaborate/contribute on the backport repositories, please feel free to reach out to me.

@voitylov

Congratulations, @zakkak! I'm really looking forward to working with you.

@jerboaa
Collaborator

jerboaa commented Jun 19, 2024

Congratulations, @zakkak! It's great that the backport repos can move forward now.

@Eng-Fouad

Congratulations @zakkak!
