stevedlawrence commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220641909
I think you overestimate how much work is actually involved in this
checklist in the majority of cases. It's a bit annoying maybe, and definitely
low on my list of priorities to review, but as I (and I think @tuxji) can
attest (we've done pretty much all of them for Daffodil), it really isn't that
difficult or time consuming. Also if more people got involved in it (hint hint
to all our other committers), it should be even less effort.
The amount of effort to verify each item:
- **Do all automated continuous integration checks pass?**
Look at the bottom of the PR, trivial.
- **Is the update a patch, minor, or major update?**
Read the release notes, see if anything stands out. Again, pretty trivial.
Most dependencies have release notes. If not, GitHub (where most dependencies
come from) has a feature to compare tags, it's pretty easy to skim through the
commits and see if anything worrying/interesting jumps out.
- **Is the license still compatible with ASF License Policy?**
Licenses rarely change, and it's trivial to find the license and confirm.
- **Have any changes been made to LICENSE/NOTICE files that need to be
incorporated?**
Again, license/notices rarely change. It's trivial to look at the history of
the LICENSE/NOTICE file in GitHub and see the last time it was modified.
- **Have any transitive dependencies been added or changed?**
This is the only one that I find a bit time consuming, but I've found that
transitive dependencies don't change that much, and when they do the license
rarely changes so it doesn't really matter.
Furthermore, for things like this update where we don't distribute the
dependency, the license stuff doesn't really matter and you can just say not
applicable.
I remember when Daffodil didn't do this, and it was a huge pain trying to
manually update all the dependencies all at once prior to a release. Not only
is it time consuming to manually figure out what has a newer version and what
it is, it is sooooo much easier to do this piecemeal and have it all automated.
I'm fine if we want to configure the bots to open PRs less frequently,
but I'm strongly against removing the automation.