Let's hit PAUSE for a moment and think this through. This is not in line with the security reporting guidelines of all the projects I participate in.
This allows security issues to be disclosed in the wild without our getting a chance to address them. I can only see this working if the suggestions are private initially, IOW only viewable by PMC members of each specific project, just like a security mailing list. I would not want the world to know about an RCE before I get a chance to address it in a new release and issue a CVE. I would only want to try it with a dummy repository that does not contain a real project.

Gary

On Mon, Mar 25, 2024 at 7:47 AM Jacques Le Roux <[email protected]> wrote:
>
> Hi Jarek, All,
>
> I see no reasons to at least try it
>
> Jacques
>
> On 25/03/2024 at 11:12, Jarek Potiuk wrote:
> > Hello everyone,
> >
> > Quite recently GitHub enabled Copilot-enabled autofix suggestions for
> > everyone. I believe we should be able to just enable it either for
> > organizations or individual repos:
> >
> > https://github.blog/changelog/2024-03-20-code-scanning-now-suggests-ai-powered-autofixes-for-codeql-alerts-in-pull-request-beta/
> >
> > I find it a very powerful tool to prevent security issues creeping in -
> > the idea is executed well:
> >
> > * powered by AI learning on a ton of code
> > * It's not autofixing, it's "autofix suggestions" - so precisely the right
> > time and place: you will get suggestions that you might or might not apply
> > as a contributor at the moment your code is not yet even reviewed
> > * reviewers will also see the comments and can not only verify them but also
> > learn from them
> > * it does not submit the code (so it passes all the ASF requirements) - it
> > merely adds suggestions to PRs
> >
> > I would love to enable it for Airflow - and maybe a few other people from
> > other projects would like to also try it out in their repos if we are
> > afraid to enable it at organization level.
> >
> > Is it possible to enable it (question to Infra)? Do others think it's a
> > good idea and would like to enable it too?
> >
> > J
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
