Posted to dev@singa.apache.org by GitBox <gi...@apache.org> on 2020/08/18 20:20:34 UTC

[GitHub] [singa] moazreyad opened a new pull request #780: Adding dependabot support

moazreyad opened a new pull request #780:
URL: https://github.com/apache/singa/pull/780


   Dependabot is a native tool in GitHub that automatically checks the dependencies of the project and creates pull requests for outdated or insecure dependencies. See how it works from [here](https://dependabot.com/#how-it-works).
   
   Currently it will analyze only the dependencies defined in [pom.xml](https://github.com/apache/singa/blob/master/java/pom.xml) in SINGA, because the other dependencies are hard-coded in configuration or shell scripts, which are not supported by this tool. In future commits, the dependencies will be moved to standard files such as a Python requirements.txt so that they become available to Dependabot and similar tools.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [singa] nudles commented on pull request #780: Adding dependabot support

Posted by GitBox <gi...@apache.org>.
nudles commented on pull request #780:
URL: https://github.com/apache/singa/pull/780#issuecomment-699596994


   let's consider this PR in the next version.
   Now we support both conda and pip.
   One potential issue is that protocol buffer (PB) is not backward compatible.
   If there is a new version of PB, we may have to update many dependent libs to remove the warnings from Dependabot.





[GitHub] [singa] moazreyad commented on pull request #780: Adding dependabot support

Posted by GitBox <gi...@apache.org>.
moazreyad commented on pull request #780:
URL: https://github.com/apache/singa/pull/780#issuecomment-683448386


   Both Java and Python dependencies are enabled now. Dependabot will check Python daily and Java monthly. It will create a PR to upgrade insecure or outdated dependencies in SINGA, like this [Java PR](https://github.com/moazreyad/singa/pull/19) and this [Python PR](https://github.com/moazreyad/singa/pull/21).
   
   Notes:
   - Dependabot works only on the master branch. It will be enabled after merging with master.
   - The proposed requirements.txt for Python is not complete. Later we need to add all the requirements for all the configurations.


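The schedule described in the comment above (Python checked daily, Java monthly) is expressed in a `.github/dependabot.yml` file. The following is an added illustration of that configuration, not the file from the pull request itself; the `directory` values assume a `requirements.txt` at the repository root and the Maven `pom.xml` under `java/`, and the `open-pull-requests-limit` values are an assumption chosen to keep the PR volume manageable while the backlog of outdated dependencies is worked through.

```yaml
# Added example of a GitHub-native Dependabot v2 configuration.
# Paths and limits are assumptions, not SINGA's actual settings.
version: 2
updates:
  # Python: scan requirements.txt at the repository root every day.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5

  # Java: scan java/pom.xml once a month.
  - package-ecosystem: "maven"
    directory: "/java"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
```

The `directory` value is where Dependabot looks for the manifest, so dependencies that live only in shell scripts or the project web site are invisible to it; that is the reason the thread keeps returning to a machine-readable requirements.txt.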



[GitHub] [singa] moazreyad commented on pull request #780: Adding dependabot support

Posted by GitBox <gi...@apache.org>.
moazreyad commented on pull request #780:
URL: https://github.com/apache/singa/pull/780#issuecomment-683406091


   > shall we move all CI functions from travis to github to avoid the duplicated testing?
   
   Yes, I will create another PR for the work in progress on replacing Travis with GitHub Actions.





[GitHub] [singa] moazreyad commented on pull request #780: Adding dependabot support

Posted by GitBox <gi...@apache.org>.
moazreyad commented on pull request #780:
URL: https://github.com/apache/singa/pull/780#issuecomment-699624036


   > let's consider this PR in the next version.
   
   OK. Although we can at least enable the Dependabot support and badge, even though we don't resolve the problems that Dependabot reports. Just like we enabled LGTM but we don't have to fix all its errors, and we enabled Codecov but we don't have to test with 100% coverage.
   
   > One potential issue is that protocol buffer (PB) is not backward compatible.
   > If there is a new version of PB, we may have to update many dependent libs to remove the warnings from Dependabot.
   
   We don't have to immediately update all the dependencies that Dependabot found obsolete or insecure. At least we can have the results of the dependency analysis, and the SINGA team can decide the work priorities. The PB team is now working on a release candidate for version 4, and planning to upgrade SINGA's PB to at least version 3 could be useful.
   
   > Now we support both conda and pip.
   
   We don't support machine-readable requirements that can be found by GitHub tools. The instructions for installing SINGA dependencies with pip are only human-readable, in the web site documentation or in the conda scripts. We need to extract these dependencies into something like requirements.txt so that GitHub (and other tools) can find them.


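The point made in the first PR description and again in the reply above is that dependencies buried in shell scripts are invisible to Dependabot until they are extracted into a manifest. The script below is an added example of that extraction step, not code from the pull request or from SINGA: it pulls the package specifiers out of `pip install` lines in a constructed install script (the sample text and package names are made up for the illustration, not SINGA's real dependency list), and flags entries that carry no version, since an unpinned name gives a scanner no current version to compare against an advisory range.

```python
import re
import shlex

# Constructed sample of an install shell script (not SINGA's own script).
# Specifiers containing '>' or '<' are quoted, as they must be in a real
# shell script to avoid being parsed as redirections.
SAMPLE_SHELL_SCRIPT = """\
#!/usr/bin/env bash
set -e
pip install "numpy>=1.16.0" onnx==1.6.0
pip install --upgrade "protobuf>=3.9.2,<4" pillow
python3 -m pip install -r extra.txt   # already a requirements file; skip
echo "done"
"""

# Matches `pip install ...`, `pip3 install ...` and `python -m pip install ...`.
PIP_INSTALL = re.compile(r"^\s*(?:python3?\s+-m\s+)?pip3?\s+install\b(.*)$")
# A requirement specifier starts with a package name (PEP 508 name characters).
PKG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
# pip options that consume the following argument, so it is not a package.
OPTIONS_WITH_VALUE = {
    "-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
    "--extra-index-url", "-f", "--find-links", "-e", "--editable",
}


def extract_requirements(script_text):
    """Return the requirement specifiers found on `pip install` lines."""
    reqs = []
    for line in script_text.splitlines():
        match = PIP_INSTALL.match(line)
        if not match:
            continue
        # shlex handles quoting and drops trailing '#' comments.
        args = shlex.split(match.group(1), comments=True)
        skip_next = False
        for arg in args:
            if skip_next:
                skip_next = False
                continue
            if arg in OPTIONS_WITH_VALUE:
                skip_next = True
                continue
            if arg.startswith("-"):
                continue          # flag without a value, e.g. --upgrade
            if PKG_NAME.match(arg):
                reqs.append(arg)
    return reqs


def unpinned(reqs):
    """Specifiers with no version constraint at all."""
    return [r for r in reqs if not re.search(r"[<>=!~]", r)]


def requirements_txt(reqs):
    """Render the specifiers as requirements.txt content, one per line."""
    return "\n".join(reqs) + "\n"


if __name__ == "__main__":
    found = extract_requirements(SAMPLE_SHELL_SCRIPT)
    print(requirements_txt(found), end="")
    for name in unpinned(found):
        print(f"warning: {name} has no version; pin it so scanners can assess it")
```

The `-r extra.txt` line is deliberately skipped because its content is already in a form Dependabot reads; the generated file is a starting point to be reviewed by hand, which is also what the thread says about the proposed requirements.txt being incomplete.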



[GitHub] [singa] nudles commented on pull request #780: Adding dependabot support

Posted by GitBox <gi...@apache.org>.
nudles commented on pull request #780:
URL: https://github.com/apache/singa/pull/780#issuecomment-683370315


   Shall we move all CI functions from Travis to GitHub to avoid the duplicated testing?

