fsnotify Maintainer Dispute Sparks Supply Chain Concerns
Blog post from Socket
A dispute over maintainer access in the popular Go library fsnotify raised concerns about potential takeovers after contributors were removed from the project's GitHub organization, though no evidence of compromised releases has been found. The situation highlighted issues with unclear maintainer roles, release access, and review norms, which can quickly become problematic for downstream users relying on the library for cross-platform filesystem notifications.

The controversy began when Yasuhiro Matsumoto, a notable Go developer, reported losing access to the project, sparking a heated discussion about maintainer roles. Project maintainer Martin Tournoij defended the access removals as necessary for trust and quality control, refuting claims of a hostile takeover. Matsumoto later acknowledged mistakes in his actions and apologized, emphasizing his intent to help address the project's lack of updates.

The incident underscored the challenges of governance ambiguity in open-source projects, prompting users to consider forks or alternatives and illustrating the blurred lines between maintainer disputes and potential supply chain vulnerabilities.