From: Pramod Immaneni
Date: Tue, 24 Oct 2017 16:27:05 -0700
Subject: Re: checking dependencies for known vulnerabilities
To: dev@apex.apache.org
In-Reply-To: <137f5475-4c3b-30da-81f4-be18d36b4834@apache.org>
References: <39e50723-9e96-a1dd-590b-c74394535f88@apache.org> <61435004-3760-6b41-e859-e7dc38a9eae1@apache.org> <69269b43-aa7a-f46a-acec-a884f66e1ca8@apache.org> <1990549a-78c3-8e44-d9f3-a6522d02a998@apache.org> <2e34f475-76ae-c431-137d-bc7b74e930d4@apache.org> <38f17606-cc31-44a7-d616-c8e86e996b3d@apache.org> <137f5475-4c3b-30da-81f4-be18d36b4834@apache.org>
Archived-At: Tue, 24 Oct 2017 23:27:42 -0000

There was a lot of discussion on this, but it looks like there was no final agreement. Can you summarize what your PR does? Are we disclosing the actual vulnerabilities as part of the automated build for every PR? That would be a no-no for me. If it is something that requires manual steps, for example as part of a release build, that would be fine.

On Mon, Oct 23, 2017 at 1:16 PM, Vlad Rozov wrote:

> Please see https://github.com/apache/apex-core/pull/585 and APEXCORE-790.
>
> Thank you,
>
> Vlad
>
> On 9/14/17 09:35, Vlad Rozov wrote:
>
>> Do you expect anything else from the community to recognize a contribution other than committing it to the code line? Once there is a steady flow of quality contributions, the community/PMC will recognize a contributor by making that contributor a committer.
>>
>> Thank you,
>>
>> Vlad
>>
>> On 9/12/17 13:05, Sanjay Pujare wrote:
>>
>>> For a vendor too, quality ought to be as important as security, so I don't think we disagree on the cost-benefit analysis. But I get your drift.
>>>
>>> By "creative incentive" I didn't imply any material incentive (although a gift card would be nice :-)) but more along the lines of what a community can do to recognize such contribution.
>>>
>>> Sanjay
>>>
>>> On Tue, Sep 12, 2017 at 8:10 AM, Vlad Rozov wrote:
>>>
>>>> I guess we have a different view on the benefit and cost definition. For me the benefit of fixing a CI build, a flaky unit test, or a severe security issue is huge for the community and is possibly small (except for security issues) for a vendor.
>>>>
>>>> By "creative" I hope you don't mean that other community members, users and customers send a contributor gift cards to compensate for the cost :). For me, a PR that is blocked on a failed CI build is sufficient incentive for a contributor to look into why it fails and fix it.
>>>>
>>>> Thank you,
>>>>
>>>> Vlad
>>>>
>>>> On 9/11/17 23:58, Sanjay Pujare wrote:
>>>>
>>>>> I don't want to speak for others and I don't want to generalize. But an obvious answer could be "cost-benefit analysis".
>>>>>
>>>>> In any case we should come up with a creative way to "incentivize" members to do these tasks.
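The distinction drawn in this reply, a scan that runs only as a manual step (for example during a release build) rather than on every pull request, maps onto a Maven profile with no automatic activation. The fragment below is an added illustration; it is not the contents of apache/apex-core PR 585, which this thread does not show. It assumes the OWASP dependency-check Maven plugin (the thread names no tool), a plugin version, and a profile id of `dependency-check`; all three are assumptions.

```xml
<!-- Added example, not from PR 585. The scan lives in a profile with no
     <activation> block, so a plain `mvn verify` on a pull request never
     runs it and never prints or publishes a list of vulnerable artifacts.
     A release engineer runs it deliberately: mvn verify -Pdependency-check -->
<profiles>
  <profile>
    <id>dependency-check</id>                 <!-- profile id is an assumption -->
    <activation>
      <activeByDefault>false</activeByDefault> <!-- the default; stated for clarity -->
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>3.0.1</version>            <!-- version is an assumption -->
          <executions>
            <execution>
              <goals>
                <!-- `aggregate` scans the whole multi-module tree at once -->
                <goal>aggregate</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <!-- Fail the release build when any dependency carries a CVE
                 scored at CVSS 7.0 or higher; lower scores only appear in
                 the report for the release engineer to review. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Test-scoped dependencies do not ship in the release artifacts -->
            <skipTestScope>true</skipTestScope>
            <!-- Write a single HTML report under target/ on the engineer's
                 machine rather than echoing findings into a shared CI log -->
            <format>HTML</format>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Because the profile is opt-in, a contributor's PR build is unchanged, while `mvn verify -Pdependency-check` during release preparation produces the report locally and blocks the release on high-severity findings. Any suppression of a false positive would then go through review rather than being silently skipped in CI.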