Add @allcontributors bot #1126
@all-contributors please add kkrieger85 for docs
@kkrieger85 I submitted the same request weeks ago (with your PR) ... Want to write an RFC? :P
AFAIK @Flyingmana already added this bot. But now, I'm not sure anymore 🙈
@kkrieger85 not me, I don't have the permission to add bots/integrations to the Organisation.
Thought you had full access. If only @LeeSaferite or @drobinson could do that, it would be bad. |
Please excuse my ignorance but how can I see more information about what this bot does? The install request doesn’t include any info besides the needed permissions (though it might be due to me looking at the request on mobile).
Which repositories need this bot? Is it just LTS?
- David
Also, can anyone speak to the security of this bot? Feels like it needs some validation before we install an app that gets full write access to the repository.
I would (because of the security topic) prefer something which works based on PRs (like Dependabot, Greenkeeper and similar).
This is what this bot does.
(https://allcontributors.org/docs/en/bot/overview) Dependabot needs the same (even more) rights ... All-contributors:
Dependabot:
I like the idea behind this bot ... I'd install it for all repos.
I gave up with the all-contributors bot. Will add instructions on how to add yourself to contributors.
@drobinson this bot does no harm. It creates PRs to update README.md.
@LeeSaferite @drobinson bump. Can you please grant rights for @Flyingmana to add such things?
Bump. @Flyingmana do you still have any concerns? Either we add this harmless bot or we should remove it from README.md completely ... IMHO I'm happy about every new contributor, every reported issue or PR. This would just be a little change or chance to thank everybody helping here. Please (let) add this bot.
I am still not the one who has to decide this. But looking at it, even as it should just do something harmless, we would give it great power. But I would still like to keep the functionality, which as far as I see consists of filling this file: https://github.com/OpenMage/magento-lts/blob/1.9.4.x/.all-contributorsrc. The adding of users with https://allcontributors.org/docs/en/bot/usage#all-contributors-add could be easily replicated with a smaller tool using the GitHub GraphQL API to look for such comments, similar to what I did recently for the changelog generator looking for PullRequests. What other features would we need to keep in mind?
Me too :(
Don't you want to decide that, or don't you have the permissions to install a bot? The latter would be bad.
Honestly, that sounds paranoid. What is the bot supposed to do? Inject malicious code? There are things that are important, so I'm closing this again now.
IMHO this is a punch in every contributor's face. But I will accept the group (non) decision.
@kkrieger85 I wrote emails to @LeeSaferite and @drobinson, but got no response. If @Flyingmana can't/won't decide it, who is responsible for such things?
@sreichel I did not intend to blame you or someone else. In this case we should ask ourselves: if people don't respond, how can this work if there is something important to decide?
Right. But I still do not understand why you want to reinvent the wheel. Also a custom script would require write access to create PRs. Can your "changelog-script" directly push to our "main branches"? Where is the difference to that bot? Our branches are protected, direct merges should not be possible and should require reviews. You mentioned Dependabot, that works exactly the same way and should also be considered as "harmful", but this is suggested (and widely used). I agree with @kkrieger85 ... a slap in the face to any contributor. I don't know who has what rights, but when we have to rely on @LeeSaferite or @drobinson who haven't been active for years, something is wrong. From https://github.com/orgs/OpenMage/people it looks like only 3 people have superior permissions. During the last weeks we had some urgent PRs (rollbacks, broken packagist), but it took "ages" to get them merged.
Not sure. If we can react in time, I guess not. But if we cannot ...
To make it short, giving the allcontributors bot write access opens us up to one more supply chain attack. Should we ever get to be reviewed in the context of PCI, these kinds of things will go into the risk analysis. By "reinventing the wheel", we can either remove a supply chain for this completely, or can rely on a trusted (trusted in the sense of equal or higher security standards than ours) supply chain (like for example the Symfony components).
I can understand your basic thought about security, but I can't follow your argumentation. Where is the difference between the bot and your other solution? Both need write permissions for the PRs, and neither of them should have write permissions directly. In the end, you seem to have made the decision. If you like to write such a script I would be happy, but I don't really see an advantage until the permission management in git is more granular.
We should know the people we could count on to move forward with this project. If some of them are not responding in a reasonable time it is clear we cannot count on them. Personally I have a bad experience with the Turpentine project, where the owners abandoned the project even though there were many interested in continuing it. What a great extension to improve Magento performance.
Ok, as we drift away from the main topic, I will lock this conversation. If you want to decide something on a higher level, or you want to overrule my veto as a maintainer for this, both can be achieved via an RFC.
Days ago @kkrieger85 manually added a contributors list (#1069) ... to keep it up to date someone should install the bot.
Blocks #1099