Re: Dependabot pr's
On Fri, 16 Oct 2020 at 13:49, Rob Tompkins wrote:
>
> A thought occurs to me. We are implicitly subscribed to GitHub as committers
> on the repo and GitHub sends us emails individually (unless you “un-watch”)
> the repo for all of these events. Putting them in a “notifications” list will
> likely duplicate the traffic.

Huh?
The traffic already exists, it's just a question of where it is sent.

> I’m not certain how much control we have over the alerts generated from each
> repo at the GitHub level. We should though be careful because we could end up
> with more emails if we’re not careful.
>
> Personally I use email inbox rules based upon subject line and from whom the
> email came to determine how to arrange my inbox.
>
> I’m indifferent about direction, but wanted to minimally give light to the
> issue at hand.
>
> Cheers,
> -Rob
>
> > On Oct 16, 2020, at 8:35 AM, Rob Tompkins wrote:
> >
> > I’m a +0.5 to a notifications (GitHub + Jira) list. This seems reasonable
> > to me.
> >
> > -Rob
> >
> >> On Oct 16, 2020, at 2:43 AM, Mark Thomas wrote:
> >>
> >> On 15/10/2020 19:30, Gary Gregory wrote:
> >>>> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
> >>>>
> >>>> Before we do that, I need help. I am considering to ignore or unsubscribe
> >>>> the commit mailing list. Which is IMHO not a good thing (from the point of
> >>>> security reviews). However I cannot keep up with dependable suggestions
> >>>> (and don’t have an easy way to filter - and frankly I don’t want to spend
> >>>> any time on finding one)
> >>>>
> >>>> So can we turn the notifications off or at least send them to a different
> >>>> mailing list?
> >>>
> >>> Dependabot emails are sent from notificati...@github.com, so we could ask
> >>> infra to create a list called... gh-no...@commons.apache.org?
> >>
> >> notificati...@commons.apache.org would be the standard name.
> >>
> >> Mark

To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Re: Dependabot pr's
A thought occurs to me. We are implicitly subscribed to GitHub as committers on the repo and GitHub sends us emails individually (unless you “un-watch”) the repo for all of these events. Putting them in a “notifications” list will likely duplicate the traffic.

I’m not certain how much control we have over the alerts generated from each repo at the GitHub level. We should though be careful because we could end up with more emails if we’re not careful.

Personally I use email inbox rules based upon subject line and from whom the email came to determine how to arrange my inbox.

I’m indifferent about direction, but wanted to minimally give light to the issue at hand.

Cheers,
-Rob

> On Oct 16, 2020, at 8:35 AM, Rob Tompkins wrote:
>
> I’m a +0.5 to a notifications (GitHub + Jira) list. This seems reasonable to
> me.
>
> -Rob
>
>> On Oct 16, 2020, at 2:43 AM, Mark Thomas wrote:
>>
>> On 15/10/2020 19:30, Gary Gregory wrote:
>>>> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
>>>>
>>>> Before we do that, I need help. I am considering to ignore or unsubscribe
>>>> the commit mailing list. Which is IMHO not a good thing (from the point of
>>>> security reviews). However I cannot keep up with dependable suggestions
>>>> (and don’t have an easy way to filter - and frankly I don’t want to spend
>>>> any time on finding one)
>>>>
>>>> So can we turn the notifications off or at least send them to a different
>>>> mailing list?
>>>
>>> Dependabot emails are sent from notificati...@github.com, so we could ask
>>> infra to create a list called... gh-no...@commons.apache.org?
>>
>> notificati...@commons.apache.org would be the standard name.
>>
>> Mark
Re: Dependabot pr's
It would be so great to be able to act differently (i.e. redirecting to *different* lists) depending on whether the sender is a bot or a human being. This used to be considered a feature (cf. "robots.txt" for web crawlers).

Gilles

On Fri, 16 Oct 2020 at 14:36, Rob Tompkins wrote:
>
> I’m a +0.5 to a notifications (GitHub + Jira) list. This seems reasonable to
> me.
>
> -Rob
>
> > On Oct 16, 2020, at 2:43 AM, Mark Thomas wrote:
> >
> > On 15/10/2020 19:30, Gary Gregory wrote:
> >>> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
> >>>
> >>> Before we do that, I need help. I am considering to ignore or unsubscribe
> >>> the commit mailing list. Which is IMHO not a good thing (from the point of
> >>> security reviews). However I cannot keep up with dependable suggestions
> >>> (and don’t have an easy way to filter - and frankly I don’t want to spend
> >>> any time on finding one)
> >>>
> >>> So can we turn the notifications off or at least send them to a different
> >>> mailing list?
> >>>
> >>
> >> Dependabot emails are sent from notificati...@github.com, so we could ask
> >> infra to create a list called... gh-no...@commons.apache.org?
> >
> > notificati...@commons.apache.org would be the standard name.
> >
> > Mark
Re: Dependabot pr's
> On Oct 16, 2020, at 6:39 AM, sebb wrote:
>
> On Fri, 16 Oct 2020 at 07:43, Mark Thomas wrote:
>>
>> On 15/10/2020 19:30, Gary Gregory wrote:
>>> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
>>>
>>>> Before we do that, I need help. I am considering to ignore or unsubscribe
>>>> the commit mailing list. Which is IMHO not a good thing (from the point of
>>>> security reviews). However I cannot keep up with dependable suggestions
>>>> (and don’t have an easy way to filter - and frankly I don’t want to spend
>>>> any time on finding one)
>>>>
>>>> So can we turn the notifications off or at least send them to a different
>>>> mailing list?
>>>
>>> Dependabot emails are sent from notificati...@github.com, so we could ask
>>> infra to create a list called... gh-no...@commons.apache.org?
>>
>> notificati...@commons.apache.org would be the standard name.
>
> +1
>
> It already exists, so just need to get the mails redirected.

Ah...there’s the answer.

-Rob

>
>> Mark
Re: Dependabot pr's
I’m a +0.5 to a notifications (GitHub + Jira) list. This seems reasonable to me.

-Rob

> On Oct 16, 2020, at 2:43 AM, Mark Thomas wrote:
>
> On 15/10/2020 19:30, Gary Gregory wrote:
>>> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
>>>
>>> Before we do that, I need help. I am considering to ignore or unsubscribe
>>> the commit mailing list. Which is IMHO not a good thing (from the point of
>>> security reviews). However I cannot keep up with dependable suggestions
>>> (and don’t have an easy way to filter - and frankly I don’t want to spend
>>> any time on finding one)
>>>
>>> So can we turn the notifications off or at least send them to a different
>>> mailing list?
>>>
>>
>> Dependabot emails are sent from notificati...@github.com, so we could ask
>> infra to create a list called... gh-no...@commons.apache.org?
>
> notificati...@commons.apache.org would be the standard name.
>
> Mark
Re: Dependabot pr's
On Fri, 16 Oct 2020 at 07:43, Mark Thomas wrote:
>
> On 15/10/2020 19:30, Gary Gregory wrote:
> > On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
> >
> >> Before we do that, I need help. I am considering to ignore or unsubscribe
> >> the commit mailing list. Which is IMHO not a good thing (from the point of
> >> security reviews). However I cannot keep up with dependable suggestions
> >> (and don’t have an easy way to filter - and frankly I don’t want to spend
> >> any time on finding one)
> >>
> >> So can we turn the notifications off or at least send them to a different
> >> mailing list?
> >>
> >
> > Dependabot emails are sent from notificati...@github.com, so we could ask
> > infra to create a list called... gh-no...@commons.apache.org?
>
> notificati...@commons.apache.org would be the standard name.

+1

It already exists, so just need to get the mails redirected.

> Mark
Re: Dependabot pr's
On 15/10/2020 19:30, Gary Gregory wrote:
> On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:
>
>> Before we do that, I need help. I am considering to ignore or unsubscribe
>> the commit mailing list. Which is IMHO not a good thing (from the point of
>> security reviews). However I cannot keep up with dependable suggestions
>> (and don’t have an easy way to filter - and frankly I don’t want to spend
>> any time on finding one)
>>
>> So can we turn the notifications off or at least send them to a different
>> mailing list?
>>
>
> Dependabot emails are sent from notificati...@github.com, so we could ask
> infra to create a list called... gh-no...@commons.apache.org?

notificati...@commons.apache.org would be the standard name.

Mark
Re: Dependabot pr's
On Thu, Oct 15, 2020 at 1:57 PM Bernd Eckenfels wrote:

> Before we do that, I need help. I am considering to ignore or unsubscribe
> the commit mailing list. Which is IMHO not a good thing (from the point of
> security reviews). However I cannot keep up with dependable suggestions
> (and don’t have an easy way to filter - and frankly I don’t want to spend
> any time on finding one)
>
> So can we turn the notifications off or at least send them to a different
> mailing list?
>

Dependabot emails are sent from notificati...@github.com, so we could ask infra to create a list called... gh-no...@commons.apache.org?

Gary

> Regards
> Bernd
> --
> http://bernd.eckenfels.net
>
> From: John Patrick
> Sent: Wednesday, October 14, 2020 3:17:22 PM
> To: Commons Developers List
> Subject: Dependabot pr's
>
> to shortcut multiple people telling me not to manually raise pr's to
> upgrade dependencies, and dependabot is the preferred option for
> commons to be raising these upgrades, and i should raise a pr to
> enable dependabot.
>
> so... here are all the pr's to enable dependabot on the repo's which
> lack a dependabot.yml file.
>
> https://github.com/apache/commons-bsf/pull/2
> https://github.com/apache/commons-chain/pull/6
> https://github.com/apache/commons-crypto/pull/108
> https://github.com/apache/commons-daemon/pull/20
> https://github.com/apache/commons-digester/pull/6
> https://github.com/apache/commons-functor/pull/3
> https://github.com/apache/commons-geometry/pull/102
> https://github.com/apache/commons-jci/pull/3
> https://github.com/apache/commons-jcs/pull/16
> https://github.com/apache/commons-jelly/pull/7
> https://github.com/apache/commons-jexl/pull/27
> https://github.com/apache/commons-jxpath/pull/21
> https://github.com/apache/commons-math/pull/160
> https://github.com/apache/commons-numbers/pull/86
> https://github.com/apache/commons-ognl/pull/10
> https://github.com/apache/commons-proxy/pull/5
> https://github.com/apache/commons-rng/pull/79
> https://github.com/apache/commons-scxml/pull/9
> https://github.com/apache/commons-statistics/pull/25
> https://github.com/apache/commons-weaver/pull/5
>
> They all have the change md5sum for .github/dependabot.yml which
> matches the files in the other repos. I don't believe any other change
> is required but i might be wrong.
>
> John
Re: Dependabot pr's
Hi.

On Thu, 15 Oct 2020 at 19:57, Bernd Eckenfels wrote:
>
> Before we do that, I need help. I am considering to ignore or unsubscribe the
> commit mailing list. Which is IMHO not a good thing (from the point of
> security reviews). However I cannot keep up with dependable suggestions (and
> don’t have an easy way to filter - and frankly I don’t want to spend any time
> on finding one)
>
> So can we turn the notifications off or at least send them to a different
> mailing list?

+2
(I asked the same, some time ago.)

Gilles

> [...]
Re: Dependabot pr's
Before we do that, I need help. I am considering to ignore or unsubscribe the commit mailing list. Which is IMHO not a good thing (from the point of security reviews). However I cannot keep up with dependable suggestions (and don’t have an easy way to filter - and frankly I don’t want to spend any time on finding one)

So can we turn the notifications off or at least send them to a different mailing list?

Regards
Bernd
--
http://bernd.eckenfels.net

From: John Patrick
Sent: Wednesday, October 14, 2020 3:17:22 PM
To: Commons Developers List
Subject: Dependabot pr's

to shortcut multiple people telling me not to manually raise pr's to
upgrade dependencies, and dependabot is the preferred option for
commons to be raising these upgrades, and i should raise a pr to
enable dependabot.

so... here are all the pr's to enable dependabot on the repo's which
lack a dependabot.yml file.

https://github.com/apache/commons-bsf/pull/2
https://github.com/apache/commons-chain/pull/6
https://github.com/apache/commons-crypto/pull/108
https://github.com/apache/commons-daemon/pull/20
https://github.com/apache/commons-digester/pull/6
https://github.com/apache/commons-functor/pull/3
https://github.com/apache/commons-geometry/pull/102
https://github.com/apache/commons-jci/pull/3
https://github.com/apache/commons-jcs/pull/16
https://github.com/apache/commons-jelly/pull/7
https://github.com/apache/commons-jexl/pull/27
https://github.com/apache/commons-jxpath/pull/21
https://github.com/apache/commons-math/pull/160
https://github.com/apache/commons-numbers/pull/86
https://github.com/apache/commons-ognl/pull/10
https://github.com/apache/commons-proxy/pull/5
https://github.com/apache/commons-rng/pull/79
https://github.com/apache/commons-scxml/pull/9
https://github.com/apache/commons-statistics/pull/25
https://github.com/apache/commons-weaver/pull/5

They all have the change md5sum for .github/dependabot.yml which
matches the files in the other repos. I don't believe any other change
is required but i might be wrong.

John
Re: Dependabot pr's
-1 as is: Dependabot is only helpful if you have a GitHub Action build to verify that the update did not break anything. I'm not really paying attention to Travis CI these days but even this list contains components without a GHA or a TCI build.

FYI I just added a GHA build to BSF.

I have a separate thread from a while back to drop Travis CI in favor of GitHub actions.

Gary

On Wed, Oct 14, 2020 at 9:17 AM John Patrick wrote:

> to shortcut multiple people telling me not to manually raise pr's to
> upgrade dependencies, and dependabot is the preferred option for
> commons to be raising these upgrades, and i should raise a pr to
> enable dependabot.
>
> so... here are all the pr's to enable dependabot on the repo's which
> lack a dependabot.yml file.
>
> https://github.com/apache/commons-bsf/pull/2
> https://github.com/apache/commons-chain/pull/6
> https://github.com/apache/commons-crypto/pull/108
> https://github.com/apache/commons-daemon/pull/20
> https://github.com/apache/commons-digester/pull/6
> https://github.com/apache/commons-functor/pull/3
> https://github.com/apache/commons-geometry/pull/102
> https://github.com/apache/commons-jci/pull/3
> https://github.com/apache/commons-jcs/pull/16
> https://github.com/apache/commons-jelly/pull/7
> https://github.com/apache/commons-jexl/pull/27
> https://github.com/apache/commons-jxpath/pull/21
> https://github.com/apache/commons-math/pull/160
> https://github.com/apache/commons-numbers/pull/86
> https://github.com/apache/commons-ognl/pull/10
> https://github.com/apache/commons-proxy/pull/5
> https://github.com/apache/commons-rng/pull/79
> https://github.com/apache/commons-scxml/pull/9
> https://github.com/apache/commons-statistics/pull/25
> https://github.com/apache/commons-weaver/pull/5
>
> They all have the change md5sum for .github/dependabot.yml which
> matches the files in the other repos. I don't believe any other change
> is required but i might be wrong.
>
> John
Dependabot pr's
to shortcut multiple people telling me not to manually raise pr's to
upgrade dependencies, and dependabot is the preferred option for
commons to be raising these upgrades, and i should raise a pr to
enable dependabot.

so... here are all the pr's to enable dependabot on the repo's which
lack a dependabot.yml file.

https://github.com/apache/commons-bsf/pull/2
https://github.com/apache/commons-chain/pull/6
https://github.com/apache/commons-crypto/pull/108
https://github.com/apache/commons-daemon/pull/20
https://github.com/apache/commons-digester/pull/6
https://github.com/apache/commons-functor/pull/3
https://github.com/apache/commons-geometry/pull/102
https://github.com/apache/commons-jci/pull/3
https://github.com/apache/commons-jcs/pull/16
https://github.com/apache/commons-jelly/pull/7
https://github.com/apache/commons-jexl/pull/27
https://github.com/apache/commons-jxpath/pull/21
https://github.com/apache/commons-math/pull/160
https://github.com/apache/commons-numbers/pull/86
https://github.com/apache/commons-ognl/pull/10
https://github.com/apache/commons-proxy/pull/5
https://github.com/apache/commons-rng/pull/79
https://github.com/apache/commons-scxml/pull/9
https://github.com/apache/commons-statistics/pull/25
https://github.com/apache/commons-weaver/pull/5

They all have the change md5sum for .github/dependabot.yml which
matches the files in the other repos. I don't believe any other change
is required but i might be wrong.

John