> On Sep 2, 2021, at 4:31 PM, David Jencks <david.a.jen...@gmail.com> wrote:
> 
> The difference is whether a non-committer has write access to an Apache repo. 
>  In this case the non-committer is some code GitHub maintains that we have no 
> control over.  Why should we trust it not to modify a real branch?
> 
> To now argue on the other side of the issue, the git website publishing 
> workflow using .asf.yaml allows Jenkins jobs to automatically commit to 
> specific branches in Apache repos as part of publishing websites.  I can’t 
> say I’m all that clear on how the two situations differ.  One difference is 
> that the Jenkins script is set up and presumably written by an Apache 
> committer: also infra restricts which branch(es) the Jenkins script commits 
> to.


Websites do not generally fall under the same types of provenance requirements 
that Legal has laid out, so the restrictions are not as stringent. The fact 
that Dependabot creates a branch -inside an ASF repo- constitutes 3rd party 
write access to code by a non-committer, and is in violation of the 
requirements of the Foundation. If Dependabot used a forked non-ASF repo to 
generate the PR, there would be no problem. Gaining an exception to this policy 
for Dependabot would require discussions starting with VP-Infra.

-Chris
ASF Infra

> 
> David Jencks
> 
>> On Sep 2, 2021, at 4:16 PM, Olivier Lamy <ol...@apache.org> wrote:
>> 
>> So what happens here?
>> If I understand correctly dependabot creates a branch in a fork repository
>> with a commit then this commit is merged back to the Apache GitHub repo by
>> a committer.
>> 
>> In the previous model dependabot created a branch in the Apache GitHub repo
>> then a committer merged this back to master or any other branch.
>> 
>> In both cases there is a commit by a bot which has been merged by a
>> committer.
>> 
>> What is exactly the difference at the end?
>> 
>> On Fri, 3 Sep 2021 at 8:19 am, David Jencks <david.a.jen...@gmail.com>
>> wrote:
>> 
>>> After thinking about it for a couple of minutes I’m fully behind Apache
>>> policy forbidding automated commits to an Apache repository. If Eclipse
>>> allows such commits I’d rather suspect they haven’t noticed them.
>>> 
>>> Assuming that dependabot can’t deal with making its branch in a separate
>>> repo it might be possible to make something like this work:
>>> 
>>> 1. Someone forks the apache repo.
>>> 2. Use something like
>>> https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github
>>> to keep this fork up to date with the Apache repo.
>>> 3. Run dependabot on this fork.
>>> 
>>> In these circumstances I’m not sure what the target of the dependabot PR
>>> would be or, if it’s the fork, how hard it would be to make a PR to the
>>> Apache repo.
>>> 4. Do something to apply the dependabot PR/changes to the apache repo.
>>> 
>>> David Jencks
>>> 
>>>> On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
>>>> 
>>>> Hi,
>>>> Really? This sounds like a productivity killer to remove such a feature...
>>>> the bot never writes to the master branch; it just creates a branch and PR
>>>> which need to be validated/merged by a valid committer.
>>>> FYI the Eclipse Foundation definitely accepts this without problem so I guess
>>>> we have a similar level of source management.
>>>> 
>>>> 
>>>> 
>>>> On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com>
>>> wrote:
>>>> 
>>>>> I am missing something here: the whole point of dependabot is that it
>>>>> creates a branch in GitHub, runs a build, and creates a PR. If you like the
>>>>> results, you can click merge, a huge time saver.
>>>>> 
>>>>> I really don't want to lose this killer feature.
>>>>> 
>>>>> Gary
>>>>> 
>>>>> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
>>>>> 
>>>>>> Third party write access to code repositories is expressly forbidden by
>>>>>> Foundation policy:
>>>>>> 
>>>>>> https://infra.apache.org/repository-access.html
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Infra has worked with GitHub to prevent dependabot from being able to
>>>>>> write to our repos, but it appears that it is still able to under some
>>>>>> circumstances. We will open yet another support case with GitHub regarding
>>>>>> this.
>>>>>> 
>>>>>> Here is an example of a third party commit:
>>>>>> 
>>>>>> https://github.com/apache/commons-io/pull/264
>>>>>> 
>>>>>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
>>>>>> 
>>>>>> This write access to commons-io appears to be in violation of the
>>>>>> aforementioned policy.
>>>>>> 
>>>>>> Dependabot's email alerts are currently the only acceptable method for
>>>>>> working with the tool.
>>>>>> 
>>>>>> 
>>>>>> -Chris
>>>>>> ASF Infra
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com>
>>>>>> wrote:
>>>>>>> 
>>>>>>> The Apache git repo must be mirrored from Apache to GitHub, for example
>>>>>>> https://github.com/apache/commons-io, then you add a .github folder and
>>>>>>> files (see above link).
>>>>>>> 
>>>>>>> Gary
>>>>>>> 
>>>>>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org>
>>>>>> wrote:
>>>>>>> 
>>>>>>>> Thanks Gary and Sebb.
>>>>>>>> How do I turn dependabot on? Last time I tried I was informed that due
>>>>>>>> to the program requiring write permissions to the repository, it wasn’t
>>>>>>>> possible…
>>>>>>>> This policy must have changed…
>>>>>>>> Thanks for any info.
>>>>>>>> lewismc
>>>>>>>> 
>>>>>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>>>>>>>> Most of the Apache Commons components are happy users of Dependabot,
>>>>>>>>> which is used on our GitHub mirrored repositories.
>>>>>>>>> 
>>>>>>>>> Gary
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hi builds@,
>>>>>>>>>> I was advised to ask my question here instead of general@incubator.
>>>>>>>>>> Thanks for any feedback
>>>>>>>>>> 
>>>>>>>>>>> I understand that we cannot use automated tooling, specifically Dependabot
>>>>>>>>>>> (https://dependabot.com/) because it requests write access to the ASF
>>>>>>>>>>> project source code.
>>>>>>>>>>> I have found this functionality to be really useful and wondered if there
>>>>>>>>>>> are any suggestions out there for automating the dependency management
>>>>>>>>>>> workflow?
>>>>>>>>>>> Thanks for any feedback.
>>>>>>>>>>> lewismc
>>>>>>>>>> --
>>>>>>>>>> http://home.apache.org/~lewismc/
>>>>>>>>>> http://people.apache.org/keys/committer/lewismc
>>>>>>>>>> 
>>>> 
>>>> --
>>>> Olivier Lamy
>>>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>>> 
>> --
>> Olivier Lamy
>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> 
