Re: Did you see dependabot?

Tibor Digana
The dependabot looks interesting, cli has more possibilities than a pure
button on GUI.
>> did anyone enable it
I am all ears how it can be enabled.

On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli <[hidden email]> wrote:

> Hey guys,
> Did you see dependabot on our repos?
>
> Like this automatic PR
>
> https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
>
> I feel this is very useful, but... did anyone enable it?
>
> Do we have to set a policy, these suggestions are security related fixes, we
> could give them some kind of high priority?
>
> Enrico
>

Enrico Olivelli
I see value in it.
But from a legal point of view... there is no human who sends the PR, so in
theory we cannot accept such patches, can we?

Enrico

On Sat, Oct 19, 2019, 20:26 Tibor Digana <[hidden email]> wrote:

> The dependabot looks interesting, cli has more possibilities than a pure
> button on GUI.
> >> did anyone enable it
> I am all ears how it can be enabled.
>
> On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli <[hidden email]>
> wrote:
>
> > Hey guys,
> > Did you see dependabot on our repos?
> >
> > Like this automatic PR
> >
> > https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
> >
> > I feel this is very useful, but... did anyone enable it?
> >
> > Do we have to set a policy, these suggestions are security related fixes, we
> > could give them some kind of high priority?
> >
> > Enrico
> >
>

Martijn Dashorst
On Sat, Oct 19, 2019 at 8:51 PM Enrico Olivelli <[hidden email]> wrote:
>
> I see value in it.
> But from a legal point of view... there is no human who sends the PR, so in
> theory we cannot accept such patches, can we?

I'm not a lawyer, nor a scientist, but this paper sounds like a
compelling read on this subject:

http://arno.uvt.nl/show.cgi?fid=145318

Martijn

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Martijn Dashorst
The conclusion of the paper itself is 3 pages (no paragraphs, so it
might be written by an AI ;-).

- Dutch (and international) copyright law doesn't require a copyright
holder to be human
- so the work itself needs to be evaluated, two criteria that factor
into this; requirement of reflecting an original expression and the
carrying of a personal imprint
- original expression is feasible for AIs (according to author)

The author lost me at the reasoning for "personal imprint".

Martijn

On Tue, Oct 29, 2019 at 11:18 AM Paul Hammant <[hidden email]> wrote:
>
> Summary?



--
Become a Wicket expert, learn from the best: http://wicketinaction.com


Martijn Dashorst
In reply to this post by Enrico Olivelli
Now there's a LEGAL ticket for that:

https://issues.apache.org/jira/browse/LEGAL-491

With a comment from Mark Thomas that this is no different than a
committer running a local tool, reviewing the commit and pushing it.

Read his comment on the ticket for more information and advice.

Martijn

On Sat, Oct 19, 2019 at 8:51 PM Enrico Olivelli <[hidden email]> wrote:

>
> I see value in it.
> But from a legal point of view... there is no human who sends the PR, so in
> theory we cannot accept such patches, can we?
>
> Enrico
>
> On Sat, Oct 19, 2019, 20:26 Tibor Digana <[hidden email]> wrote:
>
> > The dependabot looks interesting, cli has more possibilities than a pure
> > button on GUI.
> > >> did anyone enable it
> > I am all ears how it can be enabled.
> >
> > On Fri, Oct 18, 2019 at 3:32 PM Enrico Olivelli <[hidden email]>
> > wrote:
> >
> > > Hey guys,
> > > Did you see dependabot on our repos?
> > >
> > > Like this automatic PR
> > >
> > > https://github.com/apache/maven-plugins/pull/147#pullrequestreview-303889692
> > >
> > > I feel this is very useful, but... did anyone enable it?
> > >
> > > Do we have to set a policy, these suggestions are security related fixes, we
> > > could give them some kind of high priority?
> > >
> > > Enrico
> > >
> >