Posted to dev@drill.apache.org by Charles Givre <cg...@gmail.com> on 2021/05/16 14:40:46 UTC

[VOTE] Add Dependabot to Drill

Hello all, 
I'd like to propose adding Dependabot to our commit process.  If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities.  I ran dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.  

I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy.  

So... I'd like to call a vote.  Would you like to add dependabot to Drill's github repo?  Please vote yes or no by Thursday.

Thanks and Keep on Drilling!
-- C
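If the vote passes, the repository-side piece is a `.github/dependabot.yml`. The file below is an added example, not a file from the Drill repository, and assumes Drill's Maven build has its root pom.xml at the top of the checkout; it configures Dependabot's version-update pull requests, whereas the vulnerability alerts Charles describes are switched on in the repository's security settings and do not require this file.

```yaml
# .github/dependabot.yml -- added example, not taken from the Drill repo
version: 2
updates:
  - package-ecosystem: "maven"
    # assumption: the root pom.xml lives at the repository root
    directory: "/"
    schedule:
      interval: "weekly"
    # cap the number of open PRs so a burst of upstream fixes does not flood reviewers
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```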


Re: [VOTE] Add Dependabot to Drill

Posted by luoc <lu...@apache.org>.
Hi,
  +1. Yes, let's do it.

> On May 17, 2021, 02:34, Ted Dunning <te...@gmail.com> wrote:
> 
> I love dependabot.
> 
> I do minimal maintenance on several dozen demo projects and having a bot
> check the dependencies for vulnerabilities is a god-send.
> 
> There is no downside. Yes, I get a bunch of pull requests when somebody
> digs up another obscure problem with Jackson, but that isn't a problem.  I
> have to worry about dependencies anyway, so why not make it relatively easy
> to do?


Re: [VOTE] Add Dependabot to Drill

Posted by Ted Dunning <te...@gmail.com>.
I love dependabot.

I do minimal maintenance on several dozen demo projects and having a bot
check the dependencies for vulnerabilities is a god-send.

There is no downside. Yes, I get a bunch of pull requests when somebody
digs up another obscure problem with Jackson, but that isn't a problem.  I
have to worry about dependencies anyway, so why not make it relatively easy
to do?

On Sun, May 16, 2021, 7:40 AM Charles Givre <cg...@gmail.com> wrote:

> Hello all,
> I'd like to propose adding Dependabot to our commit process.  If you
> aren't familiar with Dependabot, it scans dependencies and alerts you to
> dependencies that have vulnerabilities.  I ran dependabot on Drill's
> source, and found several rather serious CVEs associated with dependencies,
> hence the PRs to update Guava, JUnit, and a few others.
>
> I know that these automated code quality tests aren't always the best in
> terms of producing false positives, but I do think it is in general a good
> thing to at least be aware of these kinds of issues so that we can resolve
> them if they are deemed worthy.
>
> So... I'd like to call a vote.  Would you like to add dependabot to
> Drill's github repo?  Please vote yes or no by Thursday.
>
> Thanks and Keep on Drilling!
> -- C
>
>

Reply: Re: [VOTE] Add Dependabot to Drill

Posted by "王腾飞(飞腾)" <fe...@cainiao.com>.
+1 

from Alibaba Mail (阿里邮箱) macOS
------------------------------------------------------------------
From: Ankush Kapur<an...@gmail.com>
Date: May 17, 2021 19:38:27
To: <de...@drill.apache.org>
Subject: Re: [VOTE] Add Dependabot to Drill

+1

On Mon, May 17, 2021, 6:21 AM Martin Tzvetanov Grigorov <mgrigorov@apache.org> wrote:

> Hi,
>
> +1
>
> Regards,
> Martin
>
> On 2021/05/16 14:40:46, Charles Givre <cg...@gmail.com> wrote:
> > Hello all,
> > I'd like to propose adding Dependabot to our commit process.  If you
> aren't familiar with Dependabot, it scans dependencies and alerts you to
> dependencies that have vulnerabilities.  I ran dependabot on Drill's
> source, and found several rather serious CVEs associated with dependencies,
> hence the PRs to update Guava, JUnit, and a few others.
> >
> > I know that these automated code quality tests aren't always the best in
> terms of producing false positives, but I do think it is in general a good
> thing to at least be aware of these kinds of issues so that we can resolve
> them if they are deemed worthy.
> >
> > So... I'd like to call a vote.  Would you like to add dependabot to
> Drill's github repo?  Please vote yes or no by Thursday.
> >
> > Thanks and Keep on Drilling!
> > -- C
> >
> >
>


Re: [VOTE] Add Dependabot to Drill

Posted by Ankush Kapur <an...@gmail.com>.
+1

On Mon, May 17, 2021, 6:21 AM Martin Tzvetanov Grigorov <mgrigorov@apache.org> wrote:

> Hi,
>
> +1
>
> Regards,
> Martin
>
> On 2021/05/16 14:40:46, Charles Givre <cg...@gmail.com> wrote:
> > Hello all,
> > I'd like to propose adding Dependabot to our commit process.  If you
> aren't familiar with Dependabot, it scans dependencies and alerts you to
> dependencies that have vulnerabilities.  I ran dependabot on Drill's
> source, and found several rather serious CVEs associated with dependencies,
> hence the PRs to update Guava, JUnit, and a few others.
> >
> > I know that these automated code quality tests aren't always the best in
> terms of producing false positives, but I do think it is in general a good
> thing to at least be aware of these kinds of issues so that we can resolve
> them if they are deemed worthy.
> >
> > So... I'd like to call a vote.  Would you like to add dependabot to
> Drill's github repo?  Please vote yes or no by Thursday.
> >
> > Thanks and Keep on Drilling!
> > -- C
> >
> >
>

Re: [VOTE] Add Dependabot to Drill

Posted by Martin Tzvetanov Grigorov <mg...@apache.org>.
Hi,

+1

Regards,
Martin

On 2021/05/16 14:40:46, Charles Givre <cg...@gmail.com> wrote: 
> Hello all, 
> I'd like to propose adding Dependabot to our commit process.  If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities.  I ran dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.  
> 
> I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy.  
> 
> So... I'd like to call a vote.  Would you like to add dependabot to Drill's github repo?  Please vote yes or no by Thursday.
> 
> Thanks and Keep on Drilling!
> -- C
> 
>