Overhaul Homebrew governance

[p-linnane]

This PR proposes an updated governance model for Homebrew that replaces the legacy PLC and TSC with a simpler, contribution-driven structure. The previous model had unclear responsibilities in practice and placed most governance work on a small number of active contributors regardless of formal roles. This update aligns decision-making and elevated access with ongoing contribution, strengthens Homebrew’s security posture, and provides clearer expectations for all maintainers. It follows the long-standing open-source principle of “they who do the work, decide.”

Recent supply-chain incidents in major ecosystems demonstrate why clearer ownership, predictable governance, and stricter privilege boundaries are essential for widely used infrastructure projects. The RubyGems ecosystem recently experienced a governance breakdown involving ownership transfers and authority disputes. Node’s ecosystem is currently under pressure from the Sha1-Hulud 2.0 malware campaign, which compromised hundreds of npm packages using stolen maintainer credentials. Homebrew maintains high-traffic, security-critical repositories relied on by millions, and our governance structure should reflect that level of responsibility.

Summary of changes

• Introduces three roles: Maintainer, Lead Maintainer, and Project Leader.
• Aligns voting rights and elevated access with sustained contribution and participation.
• Replaces PLC and TSC with a unified group of Lead Maintainers responsible for project-wide decisions.
• Defines criteria for role eligibility, contribution thresholds, and automatic removal for inactivity.
• Establishes a two-year Project Leader term, with elections only when contested.
• Documents security and emergency procedures for access revocation and follow-up review.
• Adds an annual governance review requirement.

Lead Maintainers

The Lead Maintainers under this proposed model are:

@bevanjkay
@Bo98
@branchvincent
@carlocab
@chenrui333
@cho-m
@dtrodrigues
@fxcoudert
@iMichka
@issyl0
@krehel
@MikeMcQuaid
@Moisan
@nandahkrishna
@p-linnane
@samford
@SMillerDev
@ZhongRuoyu

These maintainers meet both of the following criteria:

• They held Maintainer status three years ago.
• They have been eligible for the Homebrew stipend for the last four quarters (50 or more contributions per quarter or have gone above and beyond in another leadership capacity in this window).

Maintainers not promoted to Lead Maintainer will remain in the Maintainer role.

Additional context

• All non-maintainer and non-PLC “members” have been removed from the governance structure.
• The draft of this proposal was approved by 4 of the 5 PLC members (one did not respond).
• At the time of merging the initial draft, 13 maintainers expressed support, with additional maintainers expressing support afterwards.
• This proposal builds on and supersedes the earlier draft PR:
  https://github.com/Homebrew/private/pull/429

Next steps

This PR is being put forward for a vote under the existing governance rules.

[p-linnane]

✅ Commenting to record my vote in favor, since I cannot submit a review on my own PR.

[MikeMcQuaid]

Thanks for opening the initial proposal and this one @p-linnane. Thanks to the multiple maintainers and PLC member who helped to improve this to get it to the state its in today.

I strongly support this given the context explained in the PR body.

@p-linnane and any voters: let's not worry about the failing 🔴 Documentation / docs GitHub Actions job with broken links for now; we can fix them if this vote passes before merge.

[iMichka]

As a long-term maintainer and PLC member, I am also in favour of this change, as the new governance model will hopefully better suit how we function. Thanks @p-linnane and all who worked on this.

[woodruffw]

No concerns. Thanks @p-linnane for driving this!

[issyl0]

This is so much clearer than the previous rules. Thank you!

[nandahkrishna]

Thank you for spearheading these changes, Patrick! As others have said, I appreciate the clarity these changes bring.

[chenrui333]

LGTM, thanks ❤️

[krehel]

Love this and thankful to have been a very small part in shaping it. Everyone in this group is just fantastic. ❤️

[ZhongRuoyu]

Thanks again for doing this, @p-linnane!

[colindean]

I'm a non-maintainer PLC member who does not have explicit access to this repository, so I'm one of the people who has to vote via comment.

Several discussions helped me understand that a change is needed to enhance the security of the project. While I initially considered some alternative approaches, the final revision of the document—approved for consideration by the PLC, including myself—addresses most of the concerns I raised internally. If any of those more hypothetical scenarios happen, I'm confident that the new Lead Maintainers group will figure it out. This team has been one of my favorites to work with.

So, ✅.

My role on the PLC will be retired upon acceptance of this new governance model. I'll continue my passer-by commits, formula additions, and odd side projects. If 2026 is kinder to me than 2025, maybe I'll meet the new activity criteria and become a maintainer once again.

It's been a pleasure to serve 🫡

[Rylan12]

Thanks @p-linnane and also everyone who managed to help workshop this despite the impossible-to-use PR...

This one is so much nicer 😅

[fxcoudert]

Overall in favour, and thanks to all who worked hard on this proposal!

I think the "identity verification" is unclear and could be better worded: by “identity” do we mean “legal name” (where is that recorded) or “that there is a physical person with ownership of the specific GitHub account” (how do we verify that?), etc. I understand the concerns that this is trying to address, I just think it would be either ineffective or very intrusive.

[MikeMcQuaid]

We now have 20 people ✅ out of 30 possible voters. This gives a supermajority so this proposal has passed. I will fix the 🔴 CI and merge.

[stefanb]

✅ Nicely simplified, thank you @p-linnane!

Bylaws explicitly mentioning vendors (eg "Github", "Open Collective"...) are clear. Some may see those as vendor-lockin, but we may change that later if needed.

[p-linnane]

Thank you everyone for your collaboration and support during this process! Very happy to see the enthusiastic response.