Over the last few months, our dependency gunicorn has received a large amount
of contributions written primarily by the maintainer with close to zero external
review.
A couple of examples:
- +3650 lines https://github.com/benoitc/gunicorn/pull/3549
- +400 lines https://github.com/benoitc/gunicorn/pull/3513
- +3800 lines https://github.com/benoitc/gunicorn/pull/3505
- +734 lines https://github.com/benoitc/gunicorn/pull/3504
- +1626 lines https://github.com/benoitc/gunicorn/pull/3503
- +2200 lines https://github.com/benoitc/gunicorn/pull/3500
- +890 lines https://github.com/benoitc/gunicorn/pull/3467
- and the award goes to: +15968 lines, close to 0 external review, merged by the
maintainer after 3 days https://github.com/benoitc/gunicorn/pull/3460
None of these pull requests implement features that we need: dirty workers,
uWSGI protocol support, control socket, shared memory, ....
Nor do I ever recall looking for any of these features in it.
The sheer volume of code and the general format of changes also strongly reeks
of LLM authorship or assistance.
Of course, every maintainer is free to do with their software whatever they
wish. But, as with any other dependency, I will evaluate any updates, keeping in
mind that any dependency we have here has full access to our database and API.
We do not need a WSGI server with regular feature development. We need one that
works and is maintained - that is the only requirement.
Therefore, I will remove gunicorn and seek out alternatives. This issue serves
to provide a public record of that decision.