I see problem similar to Achim. We still didn't hear anything about
solving a community trouble. We definitely do not solve a trouble of
ops4j community which probably do not overlap 100% with Karaf. We may be
solving some trouble for Karaf community, however we probably ask about
shifting even more work on already small set of people working on it.
We hear concerns, which might or might not be justified. I don't think
they are since there is no record of any malicious activities made by
people contributing to ops4j/pax.
People which are mainly contributing to these project are well known
(Grzegorz, JB, Achim), externals contributions are coming over pull
requests, just like they would come to the ASF, so why we should be
moving around sources? As far I remember ASF does not scan IDs of their
contributors so it can't guarantee identity of people behind
contributions as well. Back at the times I was signing my agreement I
was sending it by online fax service, so verification was very mild.
While the GPG keys is some kind of resort, a lot of people (including
myself) have self signed key which is as good as my ssh key I use to
push things to git.
The big customers can become part of community if they wish, no matter
where project is hosted - at github or at ASF. So far it seems to me
that they are asking for favor without giving anything back to
communities which will be affected.
Best,
Łukasz