On 24.02.25 10:54, Jean-Baptiste Onofré wrote:
Hi Robert,
As your vote is binding, and this vote is a code modification change,
it basically means veto.
Let me try to convince you to revert your vote ;)
You are maybe right about the noise, but worth a try. I think that
grouping + weekly schedule should reduce the noise.
I'm confused now. This one is about "weekly schedule" but ARAIK we all
agreed that "grouping everything" is definitely not an option, no?
About keeping dependencies up-to-date, especially for bugs and
security issues, I'm with you on that.
That said, we can always have a "quick" update, so we can have weekly
schedules and "on-demand" updates when needed (CVE, ...).
Thoughts ?
Currently it's sadly maybe 3 people who constantly tackle dependency
updates. To be honest, I'm quite disappointed that not more people are
interested in keeping dependencies up to date. Keeping those up-to-date
_actively_ prevents tech debt from piling up and running into (already
fixed) bugs and security issues.
What was probably not considered at all: Weekly updates will _increase_
the amount of "noise". Just think about it: Renovate creates all updates
at once - once one change is merged, Renovate will rebase/recreate all
other updates, CI will run again for all the other updates.
If all people are fine with more noise, let's go for it - I'd be happy
to revert my vote if that's the case.
Regards
JB
On Sun, Feb 23, 2025 at 1:04 PM Robert Stupp <sn...@snazy.de> wrote:
Keeping dependencies up-to-date is mandatory to get bug and security
fixes as fast as possible and avoid piling up tech debt and CVEs from
outdated dependencies.
Moving to a weekly schedule would _not_ reduce that noise but instead
_increase_ it and imply _more_ work to the few persons who deal with
dependency updates.
It is _much_ easier to deal with dependency updates as they are created.
Therefore my (binding) -1 vote on this.
On 21.02.25 14:38, Jean-Baptiste Onofré wrote:
Hi folks,
I know it's a hot topic, but I would like to avoid any frustration in
our community.
Before the vote, let me put some context.
To manage our dependency updates, we are using renovatebot.
The current renovatebot configuration uses "at any time" schedule
(e.g. * * * * * cron), except for AWS SDK and boto3 updates which run
weekly.
Some contributors are complaining about the "noise" generated by renovatebot.
In order to "mitigate" that, we introduced "polaris-renovate" label to
easily filter the notification coming from renovatebot.
However, an issue has been created 4 days ago
(https://github.com/apache/polaris/issues/1018), meaning the "issue"
is still there.
So, I propose this vote to have clear feedback from the community, as
we don't have clear lazy consensus.
The vote is to schedule renovatebot update weekly:
[ ] +1 - Use weekly schedule for all renovatebot updates
[ ] 0
[ ] -1 - Don't use weekly schedule, keep the "at any time" schedule
Thanks,
Regards
JB
NB: we can consider this vote as a code modification vote (see
https://www.apache.org/foundation/voting.html#votes-on-code-modification).
--
Robert Stupp
@snazy
--
Robert Stupp
@snazy
