On Fri, 3 Sept 2021 at 01:09, Olivier Lamy <ol...@apache.org> wrote:
>
> On Fri, 3 Sept 2021 at 09:57, David Jencks <david.a.jen...@gmail.com> wrote:
>
> > I'm afraid I don't understand your "the result is the same" argument.
> >
>
> result == Apache committer merging the bot commit
>

But that is not the only change to the repo. The repo also has a branch
containing code committed by the 3rd party. We cannot allow 3rd parties to
add code directly to our repos.

> > Let's say a company has 2 employees, Arthur, who is not an Apache
> > committer on project X, and Bernadette who is. Arthur writes some code and
> > submits a PR to project X. In scenario 1, Bernadette merges the PR and in
> > scenario 2 Arthur does. The result is the same!! (at least the resulting
> > code is the same, there will be some difference in the fields in the
> > commit) So should we allow scenario 2?
> >
>
> except in our case Arthur (i.e. the bot never merges his PR but only Apache
> committers merge to master/main branches)
>
> >
> > David Jencks
> >
> > > On Sep 2, 2021, at 4:42 PM, Olivier Lamy <ol...@apache.org> wrote:
> > >
> > > I perfectly understand this.
> > > But my point was at the end the result is the same!
> > > If we follow such reasoning, why do we use github as we do not control
> > > what is happening there?
> > > but yeah I'm having an already lost discussion :)
> > >
> > > On Fri, 3 Sept 2021 at 09:32, David Jencks <david.a.jen...@gmail.com> wrote:
> > >
> > > > The difference is whether a non-committer has write access to an Apache
> > > > repo. In this case the non-committer is some code GitHub maintains that we
> > > > have no control over. Why should we trust it not to modify a real branch?
> > > >
> > > > To now argue on the other side of the issue, the git website publishing
> > > > workflow using .asf.yaml allows Jenkins jobs to automatically commit to
> > > > specific branches in Apache repos as part of publishing websites. I can't
> > > > say I'm all that clear on how the two situations differ. One difference is
> > > > that the Jenkins script is set up and presumably written by an Apache
> > > > committer: also infra restricts which branch(es) the Jenkins script
> > > > commits to.
> > > >
> > > > David Jencks
> > > >
> > > > > On Sep 2, 2021, at 4:16 PM, Olivier Lamy <ol...@apache.org> wrote:
> > > > >
> > > > > So what happens here?
> > > > > If I understand correctly dependabot creates a branch in a fork repository
> > > > > with a commit then this commit is merged back to the Apache GitHub repo by
> > > > > a committer.
> > > > >
> > > > > In the previous model dependabot created a branch in the Apache GitHub repo
> > > > > then a committer merged this back to master or any other branch.
> > > > >
> > > > > In both cases there is a commit by a bot which has been merged by a
> > > > > committer..
> > > > >
> > > > > What is exactly the difference at the end?
> > > > >
> > > > > On Fri, 3 Sep 2021 at 8:19 am, David Jencks <david.a.jen...@gmail.com> wrote:
> > > > >
> > > > > > After thinking about it for a couple of minutes I'm fully behind Apache
> > > > > > policy forbidding automated commits to an Apache repository. If Eclipse
> > > > > > allows such commits I'd rather suspect they haven't noticed them.
> > > > > >
> > > > > > Assuming that dependabot can't deal with making its branch in a separate
> > > > > > repo it might be possible to make something like this work:
> > > > > >
> > > > > > 1. Someone forks the apache repo.
> > > > > > 2. Use something like
> > > > > > https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github
> > > > > > to keep this fork up to date with the Apache repo.
> > > > > > 3. Run dependabot on this fork.
> > > > > >
> > > > > > In these circumstances I'm not sure what the target of the dependabot PR
> > > > > > would be or, if it's the fork, how hard it would be to make a PR to the
> > > > > > Apache repo.
> > > > > > 4. Do something to apply the dependabot PR/changes to the apache repo.
> > > > > >
> > > > > > David Jencks
> > > > > >
> > > > > > > On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > > Really? This sounds like a productivity killer to remove such feature...
> > > > > > > the bot never writes to master branch it just creates a branch and PR which
> > > > > > > need to be validated/merged by a valid committer.
> > > > > > > FYI eclipse foundation definitely accepts this without problem so I guess
> > > > > > > we have a similar level of source management.
> > > > > > >
> > > > > > > On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com> wrote:
> > > > > > >
> > > > > > > > I am missing something here: the whole point of dependabot is that it
> > > > > > > > creates a branch in GitHub, runs a build, and creates a PR. If you like the
> > > > > > > > results, you can click merge, a huge time saver.
> > > > > > > >
> > > > > > > > I really don't want to lose this killer feature.
> > > > > > > >
> > > > > > > > Gary
> > > > > > > >
> > > > > > > > On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
> > > > > > > >
> > > > > > > > > Third party write access to code repositories is expressly forbidden by
> > > > > > > > > Foundation policy:
> > > > > > > > >
> > > > > > > > > https://infra.apache.org/repository-access.html
> > > > > > > > >
> > > > > > > > > Infra has worked with GitHub to prevent dependabot from being able to
> > > > > > > > > write to our repos, but it appears that it is still able to under some
> > > > > > > > > circumstances. We will open yet another support case with GitHub regarding
> > > > > > > > > this.
> > > > > > > > >
> > > > > > > > > Here is an example of a third party commit:
> > > > > > > > >
> > > > > > > > > https://github.com/apache/commons-io/pull/264
> > > > > > > > >
> > > > > > > > > https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
> > > > > > > > >
> > > > > > > > > This write access to commons-io appears to be in violation of the
> > > > > > > > > aforementioned policy.
> > > > > > > > >
> > > > > > > > > Dependabot's email alerts are currently the only acceptable method for
> > > > > > > > > working with the tool.
> > > > > > > > >
> > > > > > > > > -Chris
> > > > > > > > > ASF Infra
> > > > > > > > >
> > > > > > > > > > On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > The Apache git repo must be mirrored from Apache to GitHub, for example
> > > > > > > > > > https://github.com/apache/commons-io, then you add a .github folder and
> > > > > > > > > > files (see above link).
> > > > > > > > > >
> > > > > > > > > > Gary
> > > > > > > > > >
> > > > > > > > > > On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> > > > > > > > > >
> > > > > > > > > > > Thanks Gary and Sebb.
> > > > > > > > > > > How do I turn dependabot on? Last time I tried I was informed that due to
> > > > > > > > > > > the program requiring write permissions to the repository, it wasn't
> > > > > > > > > > > possible…
> > > > > > > > > > > This policy must have changed…
> > > > > > > > > > > Thanks for any info.
> > > > > > > > > > > lewismc
> > > > > > > > > > >
> > > > > > > > > > > On 2021/08/29 14:42:00 Gary Gregory wrote:
> > > > > > > > > > > > Most of Apache Commons' components are happy users of Dependabot, which is
> > > > > > > > > > > > used on our GitHub mirrored repositories.
> > > > > > > > > > > >
> > > > > > > > > > > > Gary
> > > > > > > > > > > >
> > > > > > > > > > > > On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Hi builds@,
> > > > > > > > > > > > > I was advised to ask my question here instead of general@incubator.
> > > > > > > > > > > > > Thanks for any feedback
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I understand that we cannot use automated tooling, specifically Dependabot (
> > > > > > > > > > > > > > https://dependabot.com/) because it requests write access to the ASF
> > > > > > > > > > > > > > project source code.
> > > > > > > > > > > > > > I have found this functionality to be really useful and wondered if there
> > > > > > > > > > > > > > are any suggestions out there for automating the dependency management
> > > > > > > > > > > > > > workflow?
> > > > > > > > > > > > > > Thanks for any feedback.
> > > > > > > > > > > > > > lewismc
> > > > > > > > > > > > > --
> > > > > > > > > > > > > http://home.apache.org/~lewismc/
> > > > > > > > > > > > > http://people.apache.org/keys/committer/lewismc
> > > > > > >
> > > > > > > --
> > > > > > > Olivier Lamy
> > > > > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > >
> > > > > --
> > > > > Olivier Lamy
> > > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
> > >
> > > --
> > > Olivier Lamy
> > > http://twitter.com/olamy | http://linkedin.com/in/olamy
>
> --
> Olivier Lamy
> http://twitter.com/olamy | http://linkedin.com/in/olamy
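The distinction the thread keeps circling back to is between who authored a commit and whose credentials performed the write to the Apache repository. Below is an added example (mine, not code from the thread, from ASF Infra or from Dependabot) that encodes the policy as a check over ref-update events: any write to a ref under apache/* by an account that is neither a committer nor an automation account scoped to that ref is flagged, regardless of who authored the commits, and writes to forks are out of scope. The RefUpdate shape, the account names, the committer allowlist and the scoped automation account are all constructed for illustration; real events would come from the GitHub audit log or a server-side pre-receive hook, whose field names differ.

```python
"""Policy check: no third-party write access to Apache repositories.

Added example, not code from the thread. The RefUpdate shape, the account
names, the committer allowlist and the automation scopes below are constructed;
real events would come from the GitHub audit log or a pre-receive hook.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

APACHE_ORG = "apache/"

# Constructed committer allowlist for a hypothetical project.
COMMITTERS = frozenset({"garydgregory", "olamy", "bernadette"})

# Constructed: an infra-managed publishing job that may write only one branch,
# modelled on the .asf.yaml website-publishing exception mentioned in the thread.
AUTOMATION_SCOPES: Dict[str, Tuple[str, ...]] = {
    "asf-site-publisher": ("refs/heads/asf-site",),
}


@dataclass(frozen=True)
class RefUpdate:
    """One write to a ref, as a hook or audit log would record it."""
    repo: str            # "apache/commons-io", or "someone/commons-io" for a fork
    ref: str             # e.g. "refs/heads/master", "refs/heads/dependabot/..."
    actor: str           # account whose credentials performed the write
    commit_author: str   # author recorded in the commit(s) being written


def is_bot(account: str) -> bool:
    """GitHub Apps such as Dependabot act under a '<name>[bot]' login."""
    return account.endswith("[bot]")


def check(update: RefUpdate, committers=COMMITTERS,
          automation=AUTOMATION_SCOPES) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single ref update.

    The rule is evaluated on the actor, not the commit author: a committer
    merging a bot-authored PR is fine, a bot or any other non-committer writing
    a branch into apache/* is not, scoped automation may write only its own
    ref pattern, and anything in a fork is outside the policy.
    """
    if not update.repo.startswith(APACHE_ORG):
        return True, f"write to fork {update.repo}, outside Apache repos"
    if update.actor in committers:
        if is_bot(update.commit_author):
            return True, f"committer {update.actor} merged bot-authored commits"
        return True, f"{update.actor} is a committer"
    scopes = automation.get(update.actor, ())
    if any(fnmatch.fnmatchcase(update.ref, pattern) for pattern in scopes):
        return True, f"automation {update.actor} scoped to {update.ref}"
    kind = "bot" if is_bot(update.actor) else "non-committer"
    return False, f"{kind} {update.actor} wrote {update.ref} in {update.repo}"


def audit(updates: Iterable[RefUpdate], committers=COMMITTERS,
          automation=AUTOMATION_SCOPES) -> List[RefUpdate]:
    """Return the updates that violate the policy, in input order."""
    return [u for u in updates if not check(u, committers, automation)[0]]


# Constructed events covering the scenarios discussed in the thread.
SAMPLE_EVENTS = [
    # Old model: Dependabot pushes its branch straight into the Apache repo.
    RefUpdate("apache/commons-io", "refs/heads/dependabot/maven/dep-1.2.3",
              actor="dependabot[bot]", commit_author="dependabot[bot]"),
    # A committer merges the bot's PR: the bot-authored commit lands via a committer.
    RefUpdate("apache/commons-io", "refs/heads/master",
              actor="garydgregory", commit_author="dependabot[bot]"),
    # Fork model: the bot writes only to a fork it was given access to.
    RefUpdate("someone/commons-io", "refs/heads/dependabot/maven/dep-1.2.3",
              actor="dependabot[bot]", commit_author="dependabot[bot]"),
    # Olivier's scenario 2: Arthur, not a committer, merges his own PR.
    RefUpdate("apache/project-x", "refs/heads/main",
              actor="arthur", commit_author="arthur"),
    # Scoped automation writing its publishing branch, and then overstepping it.
    RefUpdate("apache/project-x", "refs/heads/asf-site",
              actor="asf-site-publisher", commit_author="asf-site-publisher"),
    RefUpdate("apache/project-x", "refs/heads/main",
              actor="asf-site-publisher", commit_author="asf-site-publisher"),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        allowed, reason = check(event)
        print("OK   " if allowed else "VIOL ", reason)
```

Run stand-alone it prints one line per constructed event; the first, fourth and sixth are reported as violations. The same actor-based rule is what a pre-receive hook would enforce: it sees the pushing identity directly, whereas commit metadata (author and committer fields) is set by whoever created the commit and says nothing about who pushed it.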