> On Dec 29, 2021, at 8:54 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> One critical feature is that dependabot does all the builds for you on
> GitHub Actions, this is an enormous time and resource saver!
>
Ding ding ding ding… we have a winner. We just don’t yet know how to implement.
> Gary
>
>> On Wed, Dec 29, 2021, 08:51 Rob Tompkins <chtom...@gmail.com> wrote:
>>
>>
>>
>>> On Dec 29, 2021, at 8:45 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>
>>> @Rob: dependabot is mainly about dependencies upgrades and it is also why
>>> it is so chatty and has so many false positives.
>>
>> Yes, I am well aware. But I do not see how a robot telling you to simply
>> upgrade is a problem?
>>
>> Maybe I’m missing something but my impression is that’s what dependabot
>> does right? Tell you you need to upgrade?
>>
>> -Rob
>>
>>> If you want to focus on
>>> CVE then setting up on the CI
>>> https://sonatype.github.io/ossindex-maven/maven-plugin/ is way more
>>> efficient and accurate (basically when it fails you must act) so dependabot
>>> is a great reporting tool for managers but not to work on an everyday basis
>>> IMHO until it is very finely configured, but commons is far from needing so much
>>> investment since there already are solutions for everything needed IMHO.
>>>
>>> Romain Manni-Bucau
>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog
>>> <https://rmannibucau.metawerx.net/> | Old Blog
>>> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
>>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
>>> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>>>
>>>> On Wed. 29 Dec. 2021 at 14:39, Rob Tompkins <chtom...@gmail.com> wrote:
>>>>
>>>> Guys. I think dependabot is our greatest advantage in the work against
>>>> security problems. I know she has her failings and is chatty. But, I think
>>>> we should open a line of thinking about how best she can help.
>>>>
>>>> The reason she’s a pain in the ass is that we don’t have enough hands on
>>>> the project making it better. I know I would help more, but I have to keep
>>>> up with my father who’s a quadriplegic as well as a currently failing
>>>> marriage.
>>>>
>>>> The answer is that we need more hands on the project. I wish I could be
>>>> those hands but time and priorities keep me chained.
>>>>
>>>> Cheers,
>>>> -Rob
>>>>
>>>>> On Dec 29, 2021, at 8:26 AM, Gilles Sadowski <gillese...@gmail.com> wrote:
>>>>>
>>>>> On Wed. 29 Dec. 2021 at 12:18, Thomas Vandahl <t...@apache.org> wrote:
>>>>>>
>>>>>> +1
>>>>>> Thank you, Phil. This thing is a P.I.T.A.
>>>>>
>>>>> In effect, from day one:
>>>>> https://markmail.org/message/2vutc4p3b3eqv73f
>>>>>
>>>>> Basically, the argument is that
>>>>> * the (dependabot) feature is too important to be disabled
>>>>> * the annoyed people should filter out those mails (which I
>>>>> did since no one at the time supported that they be diverted
>>>>> to another ML).
>>>>> Did anything change since then?
>>>>> [Or do we eventually question the general anomaly that code
>>>>> discussions have been almost completely off-loaded to GH?]
>>>>>
>>>>> Gilles
>>>>>
>>>>>>
>>>>>>> On 28.12.2021 at 19:20 Phil Steitz <phil.ste...@gmail.com> wrote:
>>>>>>>
>>>>>>> I can no longer effectively monitor commits@ due to the spam
>>>>>>> generated by this tool. I am afraid my eyeballs aren't the only ones going
>>>>>>> missing here and that is a problem much more severe than any value provided
>>>>>>> by this tool, IMO.
>>>>>>>
>>>>>>> Phil
>>>>>>
>>>>>> Bye, Thomas
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>>>> For additional commands, e-mail: dev-h...@commons.apache.org
>>>>>
>>>>
>>>>
>>
>>
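As an added illustration of the approach Romain describes in the thread (let the CI build fail when a dependency carries a known vulnerability, so a failure is an unambiguous signal to act), here is a Maven configuration for the Sonatype OSS Index plugin linked above. This is example configuration written for this page, not the Apache Commons build's own POM; the version is a placeholder, and the parameter names are given as I recall them from the plugin documentation and should be checked against the page linked above before use.

```xml
<!-- Added example (not from the Apache Commons parent POM): run the OSS Index
     audit on every build and fail the build on a known-vulnerable dependency. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <!-- PLACEHOLDER: pin the current release listed in the linked plugin docs -->
      <version>PLACEHOLDER_VERSION</version>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <!-- bind early so a vulnerable dependency stops the build
               before compilation, tests and packaging spend CI time -->
          <phase>validate</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- fail the build when any vulnerability is reported
             (assumed parameter name; this is also the plugin's default) -->
        <fail>true</fail>
        <!-- assumed parameter name: only findings with a CVSS score at or
             above this value fail the build; 0 means every finding fails it -->
        <cvssScoreThreshold>0</cvssScoreThreshold>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn validate` (and therefore every normal `mvn verify` run on CI) audits the resolved dependency tree against the OSS Index service, so the build needs outbound network access; a red build then means "a dependency you ship has a published vulnerability", which is the actionable signal the thread contrasts with dependabot's upgrade noise. Findings you have assessed as not applicable can be suppressed per vulnerability id rather than by lowering the threshold; check the linked documentation for the exact exclusion parameter.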