> On Sep 2, 2021, at 4:31 PM, David Jencks <david.a.jen...@gmail.com> wrote:
>
> The difference is whether a non-committer has write access to an Apache repo.
> In this case the non-committer is some code GitHub maintains that we have no
> control over. Why should we trust it not to modify a real branch?
>
> To now argue on the other side of the issue, the git website publishing
> workflow using .asf.yaml allows Jenkins jobs to automatically commit to
> specific branches in Apache repos as part of publishing websites. I can’t
> say I’m all that clear on how the two situations differ. One difference is
> that the Jenkins script is set up and presumably written by an Apache
> committer: also infra restricts which branch(es) the Jenkins script commits
> to.
Websites do not generally fall under the same types of provenance requirements
that Legal has laid out, so the restrictions are not as stringent. The fact
that Dependabot creates a branch -inside an ASF repo- constitutes 3rd party
write access to code by a non-committer, and is in violation of the
requirements of the Foundation. If Dependabot used a forked non-ASF repo to
generate the PR, there would be no problem. Gaining an exception to this policy
for Dependabot would require discussions starting with VP-Infra.
-Chris
ASF Infra
>
> David Jencks
>
>> On Sep 2, 2021, at 4:16 PM, Olivier Lamy <ol...@apache.org> wrote:
>>
>> So what happens here?
>> If I understand correctly dependabot creates a branch in a fork repository
>> with a commit then this commit is merged back to the Apache GitHub repo by
>> a committer.
>>
>> In the previous model dependabot created a branch in the Apache GitHub repo
>> then a committer merged this back to master or any other branch.
>>
>> In both cases there is a commit by a bot which has been merged by a
>> committer.
>>
>> What is exactly the difference at the end?
>>
>> On Fri, 3 Sep 2021 at 8:19 am, David Jencks <david.a.jen...@gmail.com>
>> wrote:
>>
>>> After thinking about it for a couple of minutes I’m fully behind Apache
>>> policy forbidding automated commits to an Apache repository. If Eclipse
>>> allows such commits I’d rather suspect they haven’t noticed them.
>>>
>>> Assuming that dependabot can’t deal with making its branch in a separate
>>> repo it might be possible to make something like this work:
>>>
>>> 1. Someone forks the Apache repo.
>>> 2. Use something like
>>> https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github
>>> to keep this fork up to date with the Apache repo.
>>> 3. Run dependabot on this fork.
>>>
>>> In these circumstances I’m not sure what the target of the dependabot PR
>>> would be or, if it’s the fork, how hard it would be to make a PR to the
>>> Apache repo.
>>> 4. Do something to apply the dependabot PR/changes to the Apache repo.
>>>
>>> David Jencks
>>>
>>>> On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
>>>>
>>>> Hi,
>>>> Really? This sounds like a productivity killer to remove such a feature...
>>>> the bot never writes to the master branch, it just creates a branch and a PR
>>>> which need to be validated/merged by a valid committer.
>>>> FYI the Eclipse Foundation definitely accepts this without problem so I guess
>>>> we have a similar level of source management.
>>>>
>>>>
>>>>
>>>> On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com>
>>>> wrote:
>>>>
>>>>> I am missing something here: the whole point of dependabot is that it
>>>>> creates a branch in GitHub, runs a build, and creates a PR. If you like the
>>>>> results, you can click merge, a huge time saver.
>>>>>
>>>>> I really don't want to lose this killer feature.
>>>>>
>>>>> Gary
>>>>>
>>>>> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
>>>>>
>>>>>> Third party write access to code repositories is expressly forbidden by
>>>>>> Foundation policy:
>>>>>>
>>>>>> https://infra.apache.org/repository-access.html
>>>>>>
>>>>>>
>>>>>>
>>>>>> Infra has worked with GitHub to prevent dependabot from being able to
>>>>>> write to our repos, but it appears that it is still able to under some
>>>>>> circumstances. We will open yet another support case with GitHub
>>>>>> regarding this.
>>>>>>
>>>>>> Here is an example of a third party commit:
>>>>>>
>>>>>> https://github.com/apache/commons-io/pull/264
>>>>>>
>>>>>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
>>>>>>
>>>>>>
>>>>>> This write access to commons-io appears to be in violation of the
>>>>>> aforementioned policy.
>>>>>>
>>>>>> Dependabot's email alerts are currently the only acceptable method for
>>>>>> working with the tool.
>>>>>>
>>>>>>
>>>>>> -Chris
>>>>>> ASF Infra
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> The Apache git repo must be mirrored from Apache to GitHub, for example
>>>>>>> https://github.com/apache/commons-io, then you add a .github folder and
>>>>>>> files (see above link).
>>>>>>>
>>>>>>> Gary
>>>>>>>
>>>>>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Thanks Gary and Sebb.
>>>>>>>> How do I turn dependabot on? Last time I tried I was informed that due
>>>>>>>> to the program requiring write permissions to the repository, it wasn’t
>>>>>>>> possible…
>>>>>>>> This policy must have changed…
>>>>>>>> Thanks for any info.
>>>>>>>> lewismc
>>>>>>>>
>>>>>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>>>>>>>> Most of Apache Commons' components are happy users of Dependabot, which
>>>>>>>>> is used on our GitHub mirrored repositories.
>>>>>>>>>
>>>>>>>>> Gary
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi builds@,
>>>>>>>>>> I was advised to ask my question here instead of general@incubator.
>>>>>>>>>> Thanks for any feedback
>>>>>>>>>>
>>>>>>>>>>> I understand that we cannot use automated tooling, specifically
>>>>>>>>>>> Dependabot (https://dependabot.com/) because it requests write access
>>>>>>>>>>> to the ASF project source code.
>>>>>>>>>>> I have found this functionality to be really useful and wondered if
>>>>>>>>>>> there are any suggestions out there for automating the dependency
>>>>>>>>>>> management workflow?
>>>>>>>>>>> Thanks for any feedback.
>>>>>>>>>>> lewismc
>>>>>>>>>> --
>>>>>>>>>> http://home.apache.org/~lewismc/
>>>>>>>>>> http://people.apache.org/keys/committer/lewismc
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Olivier Lamy
>>>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>>>
>> --
>> Olivier Lamy
>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>
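The fork-based arrangement David outlines above, which Chris says would raise no policy concern, as added example configuration written for this page (not from the thread, from the linked fork-syncing post, or from any ASF project). The fork name `example-org/commons-io`, the Maven ecosystem and the sync schedule are assumptions:

```yaml
# File 1 of 2: .github/dependabot.yml in the fork (assumed name: example-org/commons-io).
# Dependabot only ever pushes branches and opens PRs inside this non-ASF fork.
# Note: Dependabot has to be switched on for the fork in its repository settings;
# GitHub does not run it on forks by default.
version: 2
updates:
  - package-ecosystem: "maven"   # assumption: the project builds with Maven
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "master"      # PRs land on the fork's master, never on apache/*

---
# File 2 of 2: .github/workflows/sync-upstream.yml in the same fork.
# Keeps the fork's master a fast-forward of apache/commons-io master so that
# Dependabot works against current code. Only ever pushes to the fork itself.
name: Sync fork with upstream
on:
  schedule:
    - cron: "0 */6 * * *"        # every six hours (assumed cadence)
  workflow_dispatch:
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: master
          fetch-depth: 0
      - name: Fast-forward master from upstream
        run: |
          git remote add upstream https://github.com/apache/commons-io.git
          git fetch upstream master
          # --ff-only: if someone committed directly to the fork's master the
          # job fails instead of silently creating a merge commit.
          git merge --ff-only upstream/master
          git push origin master
# Step 4 of the procedure stays manual: a committer reviews the Dependabot PR
# in the fork and then opens/merges a PR from the fork into apache/commons-io,
# so the only write to the ASF repository is the committer's own merge.
```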