Hi all, I am fine with going forward with enabling Dependabot for a wider set of plugins. But IMHO it is still not ready for GA. Why?
- We are still missing usage guidelines as it was discussed in the original emails
- In Dependabot there is also no way to set Dependabot on an organization level, and it complicates the adoptions for plugins (dependabot/feedback/issues/353 <https://github.com/dependabot/feedback/issues/353>)
- Dependabot needs write permissions to the repo. If you want to enable it for a mission-critical component, it might make sense to think twice before doing so
- We are missing feedback from early adopters. There are some comments in this thread + this Google Doc <https://docs.google.com/document/d/1hRrH8PSCswBQgY_Q-7eHCHCVZHJOl4XgQQCswdUmpKY/edit>.

Personally I am pretty fine with Dependabot results for my projects, and I am ready to go forward with plugins.

> I'd really love to see the jackson repo most of all because I could get
> the PR ready to release by the time jackson gets around to announcing that
> release. Helps speed up resolution of their countless CVEs over time.

With Dependabot you get "eventual security" (c) at best. Delivery of patches may be delivered by a week or so. It does not replace the security process in the Jenkins organization, but I do agree that keeping dependencies up to date reduced number of issues in projects which disclose security fixes post-factum after the release.

> is it setup for all deps or only the parent plugin?
> Can blueocean-plugin get updated for the parent plugin (or is that a
> config file somewhere)?

- Dependabot manages all dependencies it can digest. It can handle almost all dependencies in Maven, including ones with versions defined by system properties. Maven plugins will be also updated
- BlueOcean plugins (multi-module repos) will be also handled by Dependabot. Now it supports multi-module repos

> Can I have the following added:
> Can blueocean-display-url-plugin get it enabled?

I can add them if you want to proceed after the comments above.

Best regards,
Oleg

On Thursday, May 23, 2019 at 2:56:21 AM UTC+2, Gavin Mogan wrote:
>
> Can blueocean-display-url-plugin get it enabled? is it setup for all deps
> or only the parent plugin?
> Can blueocean-plugin get updated for the parent plugin (or is that a
> config file somewhere)?
>
> On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[email protected]> wrote:
>
>> I'd really love to see the jackson repo most of all because I could
>> get the PR ready to release by the time jackson gets around to
>> announcing that release. Helps speed up resolution of their countless
>> CVEs over time.
>>
>> On Tue, May 21, 2019 at 2:12 PM Mark Waite <[email protected]> wrote:
>> >
>> > I've been very happy with dependabot enabled on the platformlabeler-plugin in the Jenkins organization.
>> >
>> > I've also continued my experiment allowing it to run on my forks of the git plugin and git client plugin. It has been helpful in all cases.
>> >
>> > By the time I am reviewing a dependabot pull request to update a dependency, the CI job has completed and test results are available.
>> >
>> > On Tue, May 21, 2019 at 12:36 PM Matt Sicker <[email protected]> wrote:
>> >>
>> >> Can I have the following added:
>> >>
>> >> https://github.com/jenkinsci/jackson2-api-plugin
>> >> https://github.com/jenkinsci/jsch-plugin
>> >> https://github.com/jenkinsci/pam-auth-plugin
>> >> https://github.com/jenkinsci/ssh-credentials-plugin
>> >> https://github.com/jenkinsci/audit-log-plugin
>> >>
>> >> On Thu, May 2, 2019 at 2:35 AM Baptiste Mathus <[email protected]> wrote:
>> >> >
>> >> > Done Carlos.
>> >> >
>> >> > On Thu, May 2, 2019 at 09:28, Carlos Sanchez <[email protected]> wrote:
>> >> >>
>> >> >> please add https://github.com/jenkinsci/kubernetes-plugin
>> >> >>
>> >> >> thanks
>> >> >>
>> >> >> On Wed, Mar 27, 2019 at 5:33 PM Jesse Glick <[email protected]> wrote:
>> >> >>>
>> >> >>> Please remove `pipeline-cloudwatch-logs-plugin` since its interesting
>> >> >>> tests are not currently run in CI.
>> >> >>>
>> >> >>> --
>> >> >>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> >> >>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> >>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3%2BA%3DuSo4kmOM_BXjbOVeN9u9UFUChB59csZGhW7AoPgA%40mail.gmail.com.
>> >> >>> For more options, visit https://groups.google.com/d/optout.
>> >>
>> >> --
>> >> Matt Sicker
>> >> Senior Software Engineer, CloudBees
>> >
>> > --
>> > Thanks!
>> > Mark Waite
>>
>> --
>> Matt Sicker
>> Senior Software Engineer, CloudBees

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/39d5d27a-4371-4bf5-b8fb-89e1b77419ef%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
