I would expect the foundation's "Apache Way" to have the effects it claims, rather than in fact being a way to dismiss concerns and pretend everything is on track when it isn't.

In particular, the Apache Way includes Responsible Oversight and the ASF Security Committee, which you might think would be trying to stop stuff like this from happening, but which really exist so that they can say they're responding to whatever new horrible problem has been found, and so the system works.

What did the Responsible Oversight do with the idea of adding "lookups" to log4j, which by the nature of the language and the design of the API can't be safe? They accepted it and cheerfully documented this obviously bad idea. You can still go back and look at their documentation with the Wayback Machine; short of just writing "Look at this amazing remote execution security bug we added to our software", it could not be any clearer.



You don't know what responsible oversight is. You don't even know what the foundation does or does not do.
