Re: Did you see dependabot?

2019-11-12 Thread Martijn Dashorst
Now there's a LEGAL ticket for that:

https://issues.apache.org/jira/browse/LEGAL-491

With a comment from Mark Thomas that this is no different than a
committer running a local tool, reviewing the commit and pushing it.

Read his comment on the ticket for more information and advice.

Martijn

On Sat, Oct 19, 2019 at 8:51 PM Enrico Olivelli  wrote:
>
> I see value in it.
> But from a legal point of view there is no human who sends the PR, so in
> theory we cannot accept such patches, can we?
>
> Enrico
>
> On Sat, Oct 19, 2019, 20:26 Tibor Digana wrote:
>
> > The dependabot looks interesting, cli has more possibilities than a pure
> > button on GUI.
> > >> does anyone enabled it
> > I am all the ear how it can be enabled.
> >
> > On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli 
> > wrote:
> >
> > > Hey guys,
> > > Did you see dependabot on our repos?
> > >
> > > Like this automatic PR
> > >
> > >
> > https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
> > >
> > > I feel this is very useful, but... does anyone enabled it?
> > >
> > > Do we have to set a policy, this suggestions are security related fixes,
> > we
> > > could give them some kind of high priority?
> > >
> > > Enrico
> > >
> >



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: Did you see dependabot?

2019-10-29 Thread Tibor Digana
I have received dependabot right now and merged.
https://github.com/Tibor17/surefire-tcp-connector/pull/1
Of course, my code is written just for fun and no legal issues are my
problem.

On Tue, Oct 29, 2019 at 7:49 PM Paul Hammant  wrote:

> Here's an interesting co-incidence. A chg I donated to Google's Cloud bits
> and pieces -
>
> https://github.com/GoogleCloudPlatform/google-cloud-datastore/pull/205/files
> *required and received* a CLA.
>
> @elharo just marked it as not needed, which is quite correct as this lib
> has been succeeded by something else.  *Humans quality controlling bot
> actions :)*
>


Re: Did you see dependabot?

2019-10-29 Thread Paul Hammant
Here's an interesting co-incidence. A chg I donated to Google's Cloud bits
and pieces -
https://github.com/GoogleCloudPlatform/google-cloud-datastore/pull/205/files
*required and received* a CLA.

@elharo just marked it as not needed, which is quite correct as this lib
has been succeeded by something else.  *Humans quality controlling bot
actions :)*


Re: Did you see dependabot?

2019-10-29 Thread Paul Hammant
I think you agree that the thesis has no bearing on the actions that
Dependabot recommends.

Worked Dependabot example
https://github.com/jbehave/jbehave-tutorial/pull/19/files (I consumed this
one for the JBehave team).

^ That was not copyrightable. It is not *original expression*, if it was
and Dependabot beat me to an upgrade, and did not also grant me a copyright
for the same, I would be legally prevented from effecting the same upgrade
by retyping the same two-character change. Patch upgrades like this are in
the "obvious" and "could not be done any other way" that are decades old as
considered dilemmas and well and truly answered in law. The alternative
would be skip 1.4.6 as an upgrade and wait for 1.4.7 - hoping to beat
dependabot to the punch??



On Tue, Oct 29, 2019 at 4:19 PM Martijn Dashorst 
wrote:

> The conclusion of the paper itself is 3 pages (no paragraphs, so it
> might be written by an AI ;-).
>
> - Dutch (and international) copyright law don't require a copyright
> holder to be human
> - so the work itself needs to be evaluated, two criteria that factor
> into this; requirement of reflecting an original expression and the
> carrying of a personal imprint
> - original expression is feasible for AIs (according to author)
>
> The author lost me at the reasoning for "personal imprint".
>
> Martijn
>
> On Tue, Oct 29, 2019 at 11:18 AM Paul Hammant  wrote:
> >
> > Summary ?
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
>
>
>


Re: Did you see dependabot?

2019-10-29 Thread Martijn Dashorst
The conclusion of the paper itself is 3 pages (no paragraphs, so it
might be written by an AI ;-).

- Dutch (and international) copyright law don't require a copyright
holder to be human
- so the work itself needs to be evaluated, two criteria that factor
into this; requirement of reflecting an original expression and the
carrying of a personal imprint
- original expression is feasible for AIs (according to author)

The author lost me at the reasoning for "personal imprint".

Martijn

On Tue, Oct 29, 2019 at 11:18 AM Paul Hammant  wrote:
>
> Summary ?



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com




Re: Did you see dependabot?

2019-10-29 Thread Paul Hammant
Summary ?


Re: Did you see dependabot?

2019-10-29 Thread Martijn Dashorst
On Sat, Oct 19, 2019 at 8:51 PM Enrico Olivelli  wrote:
>
> I see value in it.
> But from a legal point of view there is no human who sends the PR, so in
> theory we cannot accept such patches, can we?

I'm not a lawyer, nor a scientist, but this paper sounds like a
compelling read on this subject:

http://arno.uvt.nl/show.cgi?fid=145318

Martijn




Re: Did you see dependabot?

2019-10-19 Thread Paul Hammant
Pretty sure that small changes that could not be done any other way are not
subject to copyright claims.

s/1.199/1.200/g

^ Being an example.

On Sat, Oct 19, 2019 at 7:51 PM Enrico Olivelli  wrote:

> I see value in it.
> But from a legal point of view there is no human who sends the PR, so in
> theory we cannot accept such patches, can we?
>
> Enrico
>
> On Sat, Oct 19, 2019, 20:26 Tibor Digana wrote:
>
> > The dependabot looks interesting, cli has more possibilities than a pure
> > button on GUI.
> > >> does anyone enabled it
> > I am all the ear how it can be enabled.
> >
> > On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli 
> > wrote:
> >
> > > Hey guys,
> > > Did you see dependabot on our repos?
> > >
> > > Like this automatic PR
> > >
> > >
> >
> https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
> > >
> > > I feel this is very useful, but... does anyone enabled it?
> > >
> > > Do we have to set a policy, this suggestions are security related
> fixes,
> > we
> > > could give them some kind of high priority?
> > >
> > > Enrico
> > >
> >
>


Re: Did you see dependabot?

2019-10-19 Thread Enrico Olivelli
I see value in it.
But from a legal point of view there is no human who sends the PR, so in
theory we cannot accept such patches, can we?

Enrico

On Sat, Oct 19, 2019, 20:26 Tibor Digana wrote:

> The dependabot looks interesting, cli has more possibilities than a pure
> button on GUI.
> >> does anyone enabled it
> I am all the ear how it can be enabled.
>
> On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli 
> wrote:
>
> > Hey guys,
> > Did you see dependabot on our repos?
> >
> > Like this automatic PR
> >
> >
> https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
> >
> > I feel this is very useful, but... does anyone enabled it?
> >
> > Do we have to set a policy, this suggestions are security related fixes,
> we
> > could give them some kind of high priority?
> >
> > Enrico
> >
>


Re: Did you see dependabot?

2019-10-19 Thread Tibor Digana
The dependabot looks interesting, cli has more possibilities than a pure
button on GUI.
>> does anyone enabled it
I am all the ear how it can be enabled.

On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli  wrote:

> Hey guys,
> Did you see dependabot on our repos?
>
> Like this automatic PR
>
> https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
>
> I feel this is very useful, but... does anyone enabled it?
>
> Do we have to set a policy, this suggestions are security related fixes, we
> could give them some kind of high priority?
>
> Enrico
>