On Wed, 29 Dec 2021 at 13:54, Gary Gregory <garydgreg...@gmail.com> wrote: > > One critical feature is that dependabot does all the builds for you on > GitHub Actions, this is an enormous time and resource saver!
Not at all. Just the reverse. It does NOT save resources, because it runs builds for updates that are not necessary at that point in time (or ever, in some cases). Nor does it same time, because the the noise that it generates. Please stop pretending that Dependabot does things it does not (and likely cannot) do. > Gary > > On Wed, Dec 29, 2021, 08:51 Rob Tompkins <chtom...@gmail.com> wrote: > > > > > > > > On Dec 29, 2021, at 8:45 AM, Romain Manni-Bucau <rmannibu...@gmail.com> > > wrote: > > > > > > @Rob: dependabot is mainly about dependencies upgrades and it is also > > why > > > it is so chatty and has so much false positives. > > > > Yes, I am well aware. But I do not see how a robot telling you to simply > > upgrade is a problem? > > > > Maybe I’m missing something but my impression is that’s what dependabot > > does right? Tell you you need to upgrade? > > > > -Rob > > > > > If you want to focus on > > > CVE then setting up on the CI > > > https://sonatype.github.io/ossindex-maven/maven-plugin/ is way more > > > efficient and accurate (basically when it fails you must act) so > > dependabot > > > is a great reporting tool for managers but not to work on an everyday > > basis > > > IMHO until it is very finely configure but commons is far to need so much > > > investment since there already have solutions for everything needed IMHO. > > > > > > Romain Manni-Bucau > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > <https://rmannibucau.metawerx.net/> | Old Blog > > > <http://rmannibucau.wordpress.com> | Github < > > https://github.com/rmannibucau> | > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > > < > > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > > > > >> Le mer. 29 déc. 2021 à 14:39, Rob Tompkins <chtom...@gmail.com> a > > écrit : > > >> > > >> Guys. I think dependabot is our greatest advantage in the work against > > >> security problems. I know she has her failings and is chatty. But, I > > think > > >> we should open a line of thinking about how best she can help. > > >> > > >> The reason she’s a pain in the ass is that we don’t have enough hands on > > >> the project making it better. I know I would help more, but I have to > > keep > > >> up with my father who’s a quadriplegic as well as a currently failing > > >> marriage. > > >> > > >> The answer is that we need more hands on the project. I wish I could be > > >> those hands but time and priorities keep me chained. > > >> > > >> Cheers, > > >> -Rob > > >> > > >>> On Dec 29, 2021, at 8:26 AM, Gilles Sadowski <gillese...@gmail.com> > > >> wrote: > > >>> > > >>> Le mer. 29 déc. 2021 à 12:18, Thomas Vandahl <t...@apache.org> a écrit > > : > > >>>> > > >>>> +1 > > >>>> Thank you, Phil. This thing is a P.I.T.A. > > >>> > > >>> In effect, from day one: > > >>> https://markmail.org/message/2vutc4p3b3eqv73f > > >>> > > >>> Basically, the argument is that > > >>> * the (dependabot) feature is too important to be disabled > > >>> * the annoyed people should filter out those mails (which I > > >>> did since no one at the time supported that they be diverted > > >>> to another ML). > > >>> Did anything change since then? > > >>> [Or do we eventually question the general anomaly that code > > >>> discussions have been almost completely off-loaded to GH?] > > >>> > > >>> Gilles > > >>> > > >>>> > > >>>>>> Am 28.12.2021 um 19:20 schrieb Phil Steitz <phil.ste...@gmail.com>: > > >>>>> > > >>>>> I can no longer effectively monitor commits@ due to the spam > > >> generated by this tool. I am afraid my eyeballs aren't the only ones > > going > > >> missing here and that is a problem much more severe than any value > > provided > > >> by this tool, IMO. > > >>>>> > > >>>>> Phil > > >>>> > > >>>> Bye, Thomas > > >>> > > >>> --------------------------------------------------------------------- > > >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > >>> For additional commands, e-mail: dev-h...@commons.apache.org > > >>> > > >> > > >> --------------------------------------------------------------------- > > >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > >> For additional commands, e-mail: dev-h...@commons.apache.org > > >> > > >> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
