steveloughran commented on issue #15742: URL: https://github.com/apache/iceberg/issues/15742#issuecomment-4118540455
this is good; especially pinning to SHA versions - last week's attack involved forced push of new tags to get target projects to run the malicious code.

* the one the week before involved bash commands in the PR name and an over-eager AI action. The fix there is: don't put AI in your reviewing of external PRs.

Dependabot has to be on ASF projects, but there's no requirement to listen to it. It is overoptimistic about backwards compatibility of older versions.

At the same time, having every project say "let's just upgrade all our dependencies and let downstream deal with it" would be nice - but only possible with coordinated releases across projects alongside library shading.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
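As an added illustration of the SHA-pinning point above (example code, not from the Iceberg project or the commenter): a small check that scans a GitHub Actions workflow for `uses:` references and reports every step whose reference is a tag or branch rather than a full 40-hex commit SHA. A tag can be force-pushed to point at new code; a commit SHA cannot be moved. The workflow text and the SHA in it are constructed placeholders, not real values.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; the 40-hex SHA is a made-up placeholder,
# not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-java@v4
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: ./gradlew build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how mutable the thing it names is."""
    if ref.startswith("./"):
        return "local"      # lives in this repo, reviewed with the PR itself
    if ref.startswith("docker://"):
        return "docker"     # image tags are mutable too, but out of scope here
    if "@" not in ref:
        return "unpinned"   # resolves to the action's default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return "sha"        # immutable: a force-pushed tag cannot move it
    return "mutable"        # tag or branch: can be repointed by the action owner

def find_mutable_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, class) for each step not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            kind = classify_uses(ref)
            if kind in ("mutable", "unpinned"):
                findings.append((lineno, ref, kind))
    return findings

if __name__ == "__main__":
    for lineno, ref, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind}) - pin to a full commit SHA")
```

Keeping the version as a trailing comment next to the SHA, as in the sample's checkout line, is what lets Dependabot still propose bumps for SHA-pinned actions.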
