Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automated dependency management #28

Open
planetf1 opened this issue May 16, 2024 · 1 comment
Open

Automated dependency management #28

planetf1 opened this issue May 16, 2024 · 1 comment
Labels
Medium priority Should be dealt with in the foreseeable future

Comments

@planetf1
Copy link
Contributor

planetf1 commented May 16, 2024
edited
Loading

We should look at automated (with review) dependency management to mitigate the impact of pinning dependency versions

Tools such as dependabot can assist here, there may be others

          > The work to maintain these distinct pinned versions (which is notable .. for example there's a risk of actually worsening security if an urgent patch isn't fixed up) is to use automated dependency management tools, such as dependabot.

That in turn is something I entirely agree with: Using dependabot would be better -- but it would mean work to deploy and maintain, etc. If you're willing to take this on (or know someone who would), please by all means, do -- I just cannot.

Originally posted by @baentsch in open-quantum-safe/liboqs#1780 (comment)

I can start looking at this if there's agreement it's appropriate.
@planetf1 planetf1 changed the title > The work to maintain these distinct pinned versions (which is notable .. for example there's a risk of actually worsening security if an urgent patch isn't fixed up) is to use automated dependency management tools, such as dependabot. Automated dependency management May 16, 2024
@baentsch
Copy link
Member

baentsch commented Jul 1, 2024

I can start looking at this if there's agreement it's appropriate.

If you'd have time that'd be really helpful, @planetf1 -- I have a hunch that pinning will otherwise cause contributors' headaches -- and I'm a big fan of automation anyway :)

@baentsch baentsch added the Medium priority Should be dealt with in the foreseeable future label Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Medium priority Should be dealt with in the foreseeable future
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@planetf1 @baentsch