Re: Re: can we get rid of dependabot?

2022-01-02 Thread Eric Bresie
Noticed on a recent dependabot PR the below being added to the PR. Would using any of these options (i.e. like @dependabot close, which prevents some of the repeat notifications) help? Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - @dependabot

Re: Re: can we get rid of dependabot?

2022-01-02 Thread Xeno Amess
to corrupt the artifact. XenoAmess From: Eric Bresie Sent: Sunday, January 2, 2022 11:36:18 PM To: dev@commons.apache.org Subject: Re: Re: can we get rid of dependabot? Late to the discussion but I think what is being said and with a few follow up questions

Re: Re: can we get rid of dependabot?

2022-01-02 Thread Eric Bresie
Late to the discussion but I think what is being said and with a few follow-up questions is… The problem discussed is when a dependabot check occurs following a commit, it highlights out-of-date dependencies (possibly security-related) which notifies folks via an automated email sent to

Re: can we get rid of dependabot?

2021-12-30 Thread Rob Tompkins
I believe that we already have begun to do this. -Rob > On Dec 30, 2021, at 6:16 PM, sebb wrote: > > Those of you who want to keep the robot, please use the instructions > to reduce the spam. > >> On Thu, 30 Dec 2021 at 22:51, Rob Tompkins wrote: >> >> >> On Dec 30, 2021, at 5:50 PM,

Re: can we get rid of dependabot?

2021-12-30 Thread sebb
Those of you who want to keep the robot, please use the instructions to reduce the spam. On Thu, 30 Dec 2021 at 22:51, Rob Tompkins wrote: > > > > > On Dec 30, 2021, at 5:50 PM, Matt Sicker wrote: > > > > There are tons of options to configure. The defaults are handy for smaller > > projects,

Re: can we get rid of dependabot?

2021-12-30 Thread Rob Tompkins
> On Dec 30, 2021, at 5:50 PM, Matt Sicker wrote: > > There are tons of options to configure. The defaults are handy for smaller > projects, but they are clearly spammy for larger ones like this. > >

Re: can we get rid of dependabot?

2021-12-30 Thread Matt Sicker
There are tons of options to configure. The defaults are handy for smaller projects, but they are clearly spammy for larger ones like this. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
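As an added illustration of the options that page describes, and not a configuration taken from the Apache Commons repositories, here is a `.github/dependabot.yml` that applies the knobs raised in this thread: a weekly run instead of a daily one, a cap on open PRs, a commit prefix that mail rules on commits@ can match, and an ignore rule for the plugin patch bumps that generate most of the churn. The ecosystem, directory, cadence, limit, label and group names are all assumptions; the `groups` key is a later addition to the Dependabot schema (2023) and did not exist when this thread was written.

```yaml
# .github/dependabot.yml -- added example, not the Apache Commons project's own
# configuration. Values below (weekly cadence, PR limit, group names, label,
# commit prefix) are assumptions chosen to illustrate the thread's options.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # location of the pom.xml being watched (assumption)
    schedule:
      interval: "weekly"           # one run per week instead of a check after every push
      day: "monday"
    open-pull-requests-limit: 3    # at most three version-update PRs open at once
    commit-message:
      prefix: "deps"               # stable prefix for inbox/commits@ filtering rules
    labels:
      - "dependencies"
    ignore:
      # Drop patch-level bumps of Maven plugins; they add little and arrive often.
      - dependency-name: "org.apache.maven.plugins:*"
        update-types: ["version-update:semver-patch"]
    groups:
      # Roll every plugin bump found in one run into a single PR (schema feature
      # added in 2023, so not available to the participants in this thread).
      maven-plugins:
        patterns:
          - "org.apache.maven.plugins:*"
          - "org.codehaus.mojo:*"
```

Two consequences worth knowing before committing this: setting `open-pull-requests-limit: 0` turns off version-update PRs entirely while Dependabot security-update PRs keep flowing, which is the "CVE only" scope some participants ask for; and `ignore` rules suppress the PR but not the underlying advisory, so a patch release that fixes a CVE still surfaces through the security-update path.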

Re: can we get rid of dependabot?

2021-12-30 Thread Rob Tompkins
> On Dec 30, 2021, at 5:37 PM, sebb wrote: > > On Thu, 30 Dec 2021 at 21:39, Rob Tompkins wrote: >> >> Guys. The fundamental argument underpinning all this is whether it’s better to >> have robot eyes on the code and human eyes on the code. Stop arguing one >> side or the other. We need to

Re: can we get rid of dependabot?

2021-12-30 Thread Gary Gregory
This feels like a "Don't shoot the messenger" issue: Some people really don't like this mail carrier and uniform ;-) Gary On Thu, Dec 30, 2021 at 5:37 PM sebb wrote: > On Thu, 30 Dec 2021 at 21:39, Rob Tompkins wrote: > > > > Guys. The fundamental argument underpinning all this is whether it’s

Re: can we get rid of dependabot?

2021-12-30 Thread sebb
On Thu, 30 Dec 2021 at 21:39, Rob Tompkins wrote: > > Guys. The fundamental argument underpinning all this is whether it’s better to > have robot eyes on the code and human eyes on the code. Stop arguing one side > or the other. We need to find a way to do both successfully. The issue is *not*

Re: can we get rid of dependabot?

2021-12-30 Thread Rob Tompkins
Guys. The fundamental argument underpinning all this is whether it’s better to have robot eyes on the code and human eyes on the code. Stop arguing one side or the other. We need to find a way to do both successfully. > On Dec 29, 2021, at 1:57 PM, Phil Steitz wrote: > >  > >> On 12/29/21

Re: can we get rid of dependabot?

2021-12-30 Thread Bruno P. Kinoshita
Hi, I would prefer a solution that fixes the email issue, but if it bothers others, I guess I could enable dependabot on my fork of commons-imaging, commons-lang, commons-text, or any other repository that I may RM one day. I use dependabot in other personal and $work projects and it's very

Re: can we get rid of dependabot?

2021-12-29 Thread Phil Steitz
On 12/29/21 8:43 AM, sebb wrote: On Wed, 29 Dec 2021 at 14:53, Gary Gregory wrote: On Wed, Dec 29, 2021 at 9:42 AM sebb wrote: On Wed, 29 Dec 2021 at 14:18, Gary Gregory wrote: On Wed, Dec 29, 2021 at 9:07 AM sebb wrote: On Wed, 29 Dec 2021 at 13:54, Gary Gregory wrote: One

Re: can we get rid of dependabot?

2021-12-29 Thread Matt Sicker
All these version pins, notification settings, etc., are all configurable in the Dependabot config file. -- Matt Sicker > On Dec 29, 2021, at 09:22, Romain Manni-Bucau wrote: > > @Rob: not sure dependabot would get commit permissions anytime soon, it is > really an automation thing on one

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
I still yet don’t see how thoughtful automation using dependabot doesn’t win out. So the idea behind using a double negative in a sentence like above, is to imply that there is more than just a “yes/no” answer to the question. There is the beginnings (a few choices) of a veritable continuum

Re: can we get rid of dependabot?

2021-12-29 Thread sebb
On Wed, 29 Dec 2021 at 14:53, Gary Gregory wrote: > > On Wed, Dec 29, 2021 at 9:42 AM sebb wrote: > > > On Wed, 29 Dec 2021 at 14:18, Gary Gregory wrote: > > > > > > On Wed, Dec 29, 2021 at 9:07 AM sebb wrote: > > > > > > > On Wed, 29 Dec 2021 at 13:54, Gary Gregory > > wrote: > > > > > > > >

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
> On Dec 29, 2021, at 10:29 AM, Matt Benson wrote: > > On Wed, Dec 29, 2021, 9:21 AM Mark Thomas wrote: > >>> On 29/12/2021 15:04, Gary Gregory wrote: On Wed, Dec 29, 2021 at 9:37 AM Rob Tompkins wrote: >>> Why not just run dependabot weekly. We move slowly enough that weekly

Re: can we get rid of dependabot?

2021-12-29 Thread Matt Benson
On Wed, Dec 29, 2021, 9:27 AM Gary Gregory wrote: > On Wed, Dec 29, 2021 at 9:45 AM sebb wrote: > > > On Wed, 29 Dec 2021 at 14:36, Rob Tompkins wrote: > > > > > > Why not just run dependabot weekly. We move slowly enough that weekly > > currently works. Until we can get more hands on the

Re: can we get rid of dependabot?

2021-12-29 Thread sebb
On Wed, 29 Dec 2021 at 15:32, Romain Manni-Bucau wrote: > > BTW: we always think about "commons" but there is not really a "commons" > but there are commons so why not letting each project "lead" - the people > actually working on the project which means it can change later - handling > it. While

Re: can we get rid of dependabot?

2021-12-29 Thread Romain Manni-Bucau
BTW: we always think about "commons" but there is not really a "commons"; there are commons, so why not let each project "lead" - the people actually working on the project, which means it can change later - handle it. While it is a toggle to enable in asf.yaml or as easy as that I think it

Re: can we get rid of dependabot?

2021-12-29 Thread Matt Benson
On Wed, Dec 29, 2021, 9:21 AM Mark Thomas wrote: > On 29/12/2021 15:04, Gary Gregory wrote: > > On Wed, Dec 29, 2021 at 9:37 AM Rob Tompkins wrote: > > > >> Why not just run dependabot weekly. We move slowly enough that weekly > >> currently works. Until we can get more hands on the project,

Re: can we get rid of dependabot?

2021-12-29 Thread Romain Manni-Bucau
@Gary the thing is it is not one email per period but as many emails as upgrades per period with dependabot; there is no bulk email feature Romain Manni-Bucau @rmannibucau | Blog | Old Blog |

Re: can we get rid of dependabot?

2021-12-29 Thread Gary Gregory
On Wed, Dec 29, 2021 at 9:45 AM sebb wrote: > On Wed, 29 Dec 2021 at 14:36, Rob Tompkins wrote: > > > > Why not just run dependabot weekly. We move slowly enough that weekly > currently works. Until we can get more hands on the project, slower comms > are indeed reasonable…right? > > Weekly

Re: can we get rid of dependabot?

2021-12-29 Thread Romain Manni-Bucau
@Rob: not sure dependabot would get commit permissions anytime soon, it is really an automation thing on one side - we already had it for years before dependabot was a thing BTW - and it would be a poor committer on another side, since it does changes without validating them or reviewing its

Re: can we get rid of dependabot?

2021-12-29 Thread Mark Thomas
On 29/12/2021 15:04, Gary Gregory wrote: On Wed, Dec 29, 2021 at 9:37 AM Rob Tompkins wrote: Why not just run dependabot weekly. We move slowly enough that weekly currently works. Until we can get more hands on the project, slower comms are indeed reasonable…right? I would be OK with it

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
Guys….let us blind our eyes to the source. We are talking about kicking our most excited contributor. Are we not? If dependabot were a person they would likely have gotten commit rights and be in the PMC. Granted, they’d have taken some advice and slowed down a bit and maybe with some steering

Re: can we get rid of dependabot?

2021-12-29 Thread Gary Gregory
On Wed, Dec 29, 2021 at 9:37 AM Rob Tompkins wrote: > Why not just run dependabot weekly. We move slowly enough that weekly > currently works. Until we can get more hands on the project, slower comms > are indeed reasonable…right? > I would be OK with it once a week. Gary > > -Rob > > > On

Re: can we get rid of dependabot?

2021-12-29 Thread Gary Gregory
On Wed, Dec 29, 2021 at 9:42 AM sebb wrote: > On Wed, 29 Dec 2021 at 14:18, Gary Gregory wrote: > > > > On Wed, Dec 29, 2021 at 9:07 AM sebb wrote: > > > > > On Wed, 29 Dec 2021 at 13:54, Gary Gregory > wrote: > > > > > > > > One critical feature is that dependabot does all the builds for you

Re: can we get rid of dependabot?

2021-12-29 Thread sebb
On Wed, 29 Dec 2021 at 14:36, Rob Tompkins wrote: > > Why not just run dependabot weekly. We move slowly enough that weekly > currently works. Until we can get more hands on the project, slower comms are > indeed reasonable…right? Weekly runs won't reduce the number of emails, except where a

Re: can we get rid of dependabot?

2021-12-29 Thread sebb
On Wed, 29 Dec 2021 at 14:18, Gary Gregory wrote: > > On Wed, Dec 29, 2021 at 9:07 AM sebb wrote: > > > On Wed, 29 Dec 2021 at 13:54, Gary Gregory wrote: > > > > > > One critical feature is that dependabot does all the builds for you on > > > GitHub Actions, this is an enormous time and

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
Why not just run dependabot weekly. We move slowly enough that weekly currently works. Until we can get more hands on the project, slower comms are indeed reasonable…right? -Rob > On Dec 29, 2021, at 9:31 AM, Romain Manni-Bucau wrote: > > Saving dev/human resources is about having a CI, all

Re: can we get rid of dependabot?

2021-12-29 Thread Romain Manni-Bucau
Saving dev/human resources is about having a CI; all mentioned plugins of the thread support it properly while cronned. Difference is the scope of the checks: CVE only, all deps, plugins and code (which is where most people don't like it since it is trivial to have false positives and dependabot

Re: can we get rid of dependabot?

2021-12-29 Thread Gary Gregory
On Wed, Dec 29, 2021 at 9:07 AM sebb wrote: > On Wed, 29 Dec 2021 at 13:54, Gary Gregory wrote: > > > > One critical feature is that dependabot does all the builds for you on > > GitHub Actions, this is an enormous time and resource saver! > > Not at all. > Just the reverse. > > It does NOT

Re: can we get rid of dependabot?

2021-12-29 Thread sebb
On Wed, 29 Dec 2021 at 13:54, Gary Gregory wrote: > > One critical feature is that dependabot does all the builds for you on > GitHub Actions, this is an enormous time and resource saver! Not at all. Just the reverse. It does NOT save resources, because it runs builds for updates that are not

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
> On Dec 29, 2021, at 8:54 AM, Gary Gregory wrote: > > One critical feature is that dependabot does all the builds for you on > GitHub Actions, this is an enormous time and resource saver! > Ding ding ding ding….we have a winner. We just don’t yet know how to implement. > Gary > >> On

Re: can we get rid of dependabot?

2021-12-29 Thread Gary Gregory
One critical feature is that dependabot does all the builds for you on GitHub Actions, this is an enormous time and resource saver! Gary On Wed, Dec 29, 2021, 08:51 Rob Tompkins wrote: > > > > On Dec 29, 2021, at 8:45 AM, Romain Manni-Bucau > wrote: > > > > @Rob: dependabot is mainly about

Re: can we get rid of dependabot?

2021-12-29 Thread Romain Manni-Bucau
@Rob: dependabot is mainly about dependencies upgrades and it is also why it is so chatty and has so much false positives. If you want to focus on CVE then setting up on the CI https://sonatype.github.io/ossindex-maven/maven-plugin/ is way more efficient and accurate (basically when it fails you

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
Guys. I think dependabot is our greatest advantage in the work against security problems. I know she has her failings and is chatty. But, I think we should open a line of thinking about how best she can help. The reason she’s a pain in the ass is that we don’t have enough hands on the project

Re: can we get rid of dependabot?

2021-12-29 Thread Rob Tompkins
> On Dec 28, 2021, at 1:57 PM, Gary Gregory wrote: > > Please no. Dependabot is a key tool for me. Inbox rules should be able to > help you depending on your client. Huge +1 I think we need to help GitHub figure out how to make it better. -Rob > > Someone had suggested creating a new

Re: can we get rid of dependabot?

2021-12-29 Thread Gilles Sadowski
Le mer. 29 déc. 2021 à 12:18, Thomas Vandahl a écrit : > > +1 > Thank you, Phil. This thing is a P.I.T.A. In effect, from day one: https://markmail.org/message/2vutc4p3b3eqv73f Basically, the argument is that * the (dependabot) feature is too important to be disabled * the annoyed people

Re: can we get rid of dependabot?

2021-12-29 Thread Thomas Vandahl
+1 Thank you, Phil. This thing is a P.I.T.A. > Am 28.12.2021 um 19:20 schrieb Phil Steitz : > > I can no longer effectively monitor commits@ due to the spam generated by > this tool. I am afraid my eyeballs aren't the only ones going missing here > and that is a problem much more severe than

Re: can we get rid of dependabot?

2021-12-28 Thread Romain Manni-Bucau
> junit 5 r

Re: can we get rid of dependabot?

2021-12-28 Thread Maxim Solodovnik
> I think most people like me actually do not hate dependabot but hate the email flood and notification flood it brings... > XenoAmess

Re: can we get rid of dependabot?

2021-12-28 Thread Bernd Eckenfels
From: sebb Sent: Wednesday, December 29, 2021 12:52:39 AM To: Commons Developers List Subject: Re: can we get rid of dependabot? > +1, I agree that dependabot (rhymes with spamalot) should be disabled entirely. Unfortunately moving the notification emails

Re: can we get rid of dependabot?

2021-12-28 Thread sebb
> junit 5 rc for example

Re: can we get rid of dependabot?

2021-12-28 Thread Gary Gregory
> junit 5 rc for example > XenoAmess

Re: can we get rid of dependabot?

2021-12-28 Thread Romain Manni-Bucau
> junit 5 rc for example > XenoAmess

Re: can we get rid of dependabot?

2021-12-28 Thread Xeno Amess
> junit 5 rc for example > XenoAmess > > versions maven plugin's problem is it will bring you the latest release, even rc release

Re: can we get rid of dependabot?

2021-12-28 Thread Xeno Amess
junit 5 rc for example. XenoAmess > versions maven plugin's problem is it will bring you the latest release, even rc release

Re: can we get rid of dependabot?

2021-12-28 Thread Xeno Amess
versions maven plugin's problem is it will bring you the latest release, even rc release... XenoAmess > dependabot is useful

Re: can we get rid of dependabot?

2021-12-28 Thread Xeno Amess
dependabot is useful but dependabot email is annoying. Can we find a solution and kill the dependabot emails? XenoAmess > +1

Re: can we get rid of dependabot?

2021-12-28 Thread Mark Thomas
+1 And it isn't just the notifications an upgrade is available. The associated GitHub emails are just as much of a problem. The Versions Maven Plugin would be a much better solution to this problem. - Run it once as part of the pre-release process. - One commit to apply all pending updates. -

Re: can we get rid of dependabot?

2021-12-28 Thread Gilles Sadowski
Le mar. 28 déc. 2021 à 19:57, Gary Gregory a écrit : > > Please no. Dependabot is a key tool for me. Inbox rules should be able to > help you depending on your client. > > Someone had suggested creating a new mailing lists for bots/tools a while > back but it never happened. It was more than a

Re: can we get rid of dependabot?

2021-12-28 Thread Gary Gregory
Please no. Dependabot is a key tool for me. Inbox rules should be able to help you depending on your client. Someone had suggested creating a new mailing lists for bots/tools a while back but it never happened. Gary On Tue, Dec 28, 2021 at 1:20 PM Phil Steitz wrote: > I can no longer

Re: can we get rid of dependabot?

2021-12-28 Thread Romain Manni-Bucau
+1, a lot of false positives and useless noise so the gain is rather not positive for me too (and we review deps before a release anyway...when there are some important ones) Romain Manni-Bucau @rmannibucau | Blog | Old Blog

can we get rid of dependabot?

2021-12-28 Thread Phil Steitz
I can no longer effectively monitor commits@ due to the spam generated by this tool. I am afraid my eyeballs aren't the only ones going missing here and that is a problem much more severe than any value provided by this tool, IMO. Phil