> On Dec 29, 2021, at 8:45 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> @Rob: dependabot is mainly about dependencies upgrades and it is also why
> it is so chatty and has so many false positives.
Yes, I am well aware. But I do not see how a robot telling you to simply
upgrade is a problem?
Maybe I’m missing something, but my impression is that’s what dependabot does,
right? Tell you you need to upgrade?
-Rob
> If you want to focus on
> CVEs then setting up
> https://sonatype.github.io/ossindex-maven/maven-plugin/ on the CI is way more
> efficient and accurate (basically, when it fails you must act), so dependabot
> is a great reporting tool for managers but not to work with on an everyday basis
> IMHO until it is very finely configured; but commons is far from needing so much
> investment since there are already solutions for everything needed IMHO.
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
>
>> On Wed, 29 Dec 2021 at 14:39, Rob Tompkins <chtom...@gmail.com> wrote:
>>
>> Guys. I think dependabot is our greatest advantage in the work against
>> security problems. I know she has her failings and is chatty. But, I think
>> we should open a line of thinking about how best she can help.
>>
>> The reason she’s a pain in the ass is that we don’t have enough hands on
>> the project making it better. I know I would help more, but I have to keep
>> up with my father who’s a quadriplegic as well as a currently failing
>> marriage.
>>
>> The answer is that we need more hands on the project. I wish I could be
>> those hands but time and priorities keep me chained.
>>
>> Cheers,
>> -Rob
>>
>>> On Dec 29, 2021, at 8:26 AM, Gilles Sadowski <gillese...@gmail.com> wrote:
>>>
>>> On Wed, 29 Dec 2021 at 12:18, Thomas Vandahl <t...@apache.org> wrote:
>>>>
>>>> +1
>>>> Thank you, Phil. This thing is a P.I.T.A.
>>>
>>> In effect, from day one:
>>> https://markmail.org/message/2vutc4p3b3eqv73f
>>>
>>> Basically, the argument is that
>>> * the (dependabot) feature is too important to be disabled
>>> * the annoyed people should filter out those mails (which I
>>> did since no one at the time supported that they be diverted
>>> to another ML).
>>> Did anything change since then?
>>> [Or do we eventually question the general anomaly that code
>>> discussions have been almost completely off-loaded to GH?]
>>>
>>> Gilles
>>>
>>>>
>>>> On 28.12.2021 at 19:20, Phil Steitz <phil.ste...@gmail.com> wrote:
>>>>>
>>>>> I can no longer effectively monitor commits@ due to the spam
>>>>> generated by this tool. I am afraid my eyeballs aren't the only ones going
>>>>> missing here and that is a problem much more severe than any value provided
>>>>> by this tool, IMO.
>>>>>
>>>>> Phil
>>>>
>>>> Bye, Thomas
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>> For additional commands, e-mail: dev-h...@commons.apache.org
>>>
>>
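As an added illustration of the CI gating Romain suggests (this fragment is not part of the thread and is not Commons' own pom.xml): it binds the ossindex-maven-plugin audit goal to the verify phase so that a build with a known-vulnerable dependency fails instead of producing a notification someone has to triage. The version is a placeholder, and the parameter names (fail, cvssScoreThreshold, scope, excludeVulnerabilityIds) are assumed from the plugin's documentation and should be checked against the linked site.

```xml
<!-- Added example, not from the thread or the Commons build: gate a Maven
     build on the Sonatype OSS Index audit of resolved dependencies. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <!-- placeholder: take the current release from the plugin's site -->
      <version>X.Y.Z</version>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <!-- runs on every CI build, before install/deploy can publish anything -->
          <phase>verify</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- parameter names below are assumed from the plugin docs; verify them -->
        <!-- a reported vulnerability breaks the build: "when it fails you must act" -->
        <fail>true</fail>
        <!-- only HIGH and CRITICAL (CVSS >= 7.0) stop the build; lower scores are reported -->
        <cvssScoreThreshold>7.0</cvssScoreThreshold>
        <!-- audit what ships; test-only dependencies do not reach users -->
        <scope>compile,runtime</scope>
        <!-- accepted risks, each justified in the commit that adds it -->
        <excludeVulnerabilityIds>
          <excludeVulnerabilityId>PLACEHOLDER-OSSINDEX-VULN-ID</excludeVulnerabilityId>
        </excludeVulnerabilityIds>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Because the audit runs inside the build, a hit shows up as a red CI job on the pull request that introduced the dependency, not as a stream of messages on commits@.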