Posted to legal-discuss@apache.org by "Roman Shaposhnik (Jira)" <ji...@apache.org> on 2022/01/01 04:33:00 UTC

[jira] [Commented] (LEGAL-589) Can it be allowed Dependabot to create branches within a repo

    [ https://issues.apache.org/jira/browse/LEGAL-589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17467358#comment-17467358 ] 

Roman Shaposhnik commented on LEGAL-589:
----------------------------------------

I'm definitely saying that I see no problem with designating a series of branches in a repo where non-human/non-committer actors can write. I just don't see any downside to that provided that what actually goes into a release ALWAYS flows through a set of protected branches where only committers can write to.

> What aspects of branch protection are Legal looking for?

Group-level ACLs that would designate committers from everyone else

> Can it be allowed Dependabot to create branches within a repo
> -------------------------------------------------------------
>
>                 Key: LEGAL-589
>                 URL: https://issues.apache.org/jira/browse/LEGAL-589
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Martijn Visser
>            Priority: Major
>
> Dependabot is a tool owned and provided by GitHub. This tool scans dependencies that are used in a repository and can create either alerts or help by creating a PR in case you're using a dependency that has a security vulnerability. 
> More information about alerts can be found at https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies and more information about creating a PR can be found at https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates
> The way Dependabot works when it comes to creating a PR is that it creates branches inside the repository and then opens up a PR. Since March 1st of 2021, these PRs are specifically created with read-only permissions and therefore the PRs are treated as if they were coming from a repository fork. This can be found at https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
> When asking Infra to enable the option for Dependabot to create an automatic PR for a repository, this was rejected because the current policy is that we don't allow 3rd party write access to ASF Project repositories. I have been reading up on past tickets; I've only come across https://issues.apache.org/jira/browse/LEGAL-491 in the Legal Jira tickets. 
> I think enabling Dependabot can help ASF Projects to deal with supply chain security and help with fixing vulnerable dependencies. Can it be allowed that Dependabot creates branches inside a repo, so that ASF Projects can use Dependabot for creating Alerts (which is currently already possible) and for creating PRs for outdated/vulnerable dependencies (which is currently not allowed), especially now that these PRs are created with read only permissions and therefore are treated as coming from a repository fork? 

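The policy sketched in the comment above (bot-writable scratch branches, release branches restricted to the committers group and fed only by reviewed pull requests) is the kind of thing worth checking mechanically rather than trusting. The script below is an added example written for this archive, not code from the thread, from the ASF, or from GitHub. It audits a constructed snapshot of a repository's branches against such a policy. The branch settings are shaped like GitHub's branch-protection API response (the `restrictions` object with `teams` and `apps`, and `required_pull_request_reviews`), but the repository data, the team name `committers`, the app name `dependabot` and the branch patterns are all assumptions made for the demo.

```python
"""Branch-write policy audit (added example; not from the Jira thread).

Policy being modelled:
  * branches matching "dependabot/*" are scratch space a bot may push to;
  * "main" and "release-*" must be protected, pushable only by the
    committers team, with no app granted push access, and must require an
    approving review so releases only ever flow through committer-gated
    branches.
All sample data below is constructed for the demo.
"""
from fnmatch import fnmatch

# Policy rules, first matching pattern wins. Team/app names are assumptions.
POLICY = [
    {"pattern": "dependabot/*", "allowed_teams": set(), "allowed_apps": {"dependabot"},
     "require_reviews": False, "must_be_protected": False},
    {"pattern": "main", "allowed_teams": {"committers"}, "allowed_apps": set(),
     "require_reviews": True, "must_be_protected": True},
    {"pattern": "release-*", "allowed_teams": {"committers"}, "allowed_apps": set(),
     "require_reviews": True, "must_be_protected": True},
]

# Constructed repository snapshot, shaped like GitHub's branch-protection data.
REPO_BRANCHES = {
    "main": {"protected": True,
             "restrictions": {"teams": ["committers"], "apps": []},
             "required_pull_request_reviews": {"required_approving_review_count": 1}},
    # Drifted: an extra team can push and no review is required.
    "release-1.14": {"protected": True,
                     "restrictions": {"teams": ["committers", "release-managers"], "apps": []},
                     "required_pull_request_reviews": None},
    # Drifted: a release line with no protection at all.
    "release-1.15": {"protected": False},
    # Bot scratch branch: unprotected by design, allowed by policy.
    "dependabot/maven/example-lib-1.2.3": {"protected": False},
    # Not covered by any rule: out of scope for this audit.
    "feature/foo": {"protected": False},
}


def find_rule(branch, policy=POLICY):
    """Return the first policy rule whose glob matches the branch, or None."""
    for rule in policy:
        if fnmatch(branch, rule["pattern"]):
            return rule
    return None


def check_branch(branch, settings, rule):
    """Return a list of policy violations for one branch (empty if compliant)."""
    problems = []
    if not rule["must_be_protected"]:
        return problems  # scratch space for the bot: nothing to enforce here
    if not settings.get("protected"):
        return [f"{branch}: release branch is not protected at all"]
    restrictions = settings.get("restrictions") or {"teams": [], "apps": []}
    if not restrictions["teams"]:
        problems.append(f"{branch}: no push restriction, any collaborator can push")
    for team in restrictions["teams"]:
        if team not in rule["allowed_teams"]:
            problems.append(f"{branch}: team '{team}' may push but is not in "
                            f"{sorted(rule['allowed_teams'])}")
    for app in restrictions["apps"]:
        if app not in rule["allowed_apps"]:
            problems.append(f"{branch}: app '{app}' has direct push access")
    reviews = settings.get("required_pull_request_reviews")
    if rule["require_reviews"] and not (
            reviews and reviews.get("required_approving_review_count", 0) >= 1):
        problems.append(f"{branch}: changes do not require an approving review")
    return problems


def audit(branches, policy=POLICY):
    """Map each non-compliant branch to its list of violations."""
    report = {}
    for name, settings in branches.items():
        rule = find_rule(name, policy)
        if rule is None:
            continue  # branch not governed by the policy
        problems = check_branch(name, settings, rule)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for branch, problems in audit(REPO_BRANCHES).items():
        for line in problems:
            print(line)
```

Run against the constructed snapshot, the audit flags only the two drifted release branches (`release-1.14` for the extra team and missing review requirement, `release-1.15` for having no protection) and leaves the Dependabot scratch branch alone, which is exactly the separation the comment argues for. Pointing `REPO_BRANCHES` at real data from the branch-protection API would turn this into a periodic check that the committer-only gate has not quietly eroded.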


--
This message was sent by Atlassian Jira
(v8.20.1#820001)
