Re: [ALL] pom.xml should not contain RM details

2023-10-04 Thread Phil Steitz
On Tue, Oct 3, 2023 at 1:26 AM sebb  wrote:
>
> The properties are used by the release plugin.
>
> But since they are unique to the user, they do not belong in the shared pom.

So they should be blank in the component pom?  Why do they need to be
there at all?  Can't they just be provided on the command line?  I
detest settings.xml, btw.  Not under source control, throw-back to the
old special local voodoo build days.

Phil
>
> On Tue, 3 Oct 2023 at 02:33, Phil Steitz  wrote:
> >
> > +1 but why then are those properties there?
> >
> > Phil
> >
> > > On Oct 2, 2023, at 3:58 PM, sebb  wrote:
> > >
> > > As the subject says, please do not use the pom to store RM details such 
> > > as
> > >
> > > commons.releaseManagerName
> > > commons.releaseManagerKey
> > >
> > > These properties are personal to the user, and should be defined in
> > > ~/.m2/settings.xml.
> > > See https://commons.apache.org/proper/commons-release-plugin/index.html
> > >
> > > Or you can define them on the command line.
> > >
> > > If the RM details are stored in the pom, then it is all too easy for
> > > the wrong values to be used.
> > >
> > > Thanks,
> > > Sebb
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: dev-h...@commons.apache.org
> > >
> >
> >
>
>

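An added check for the problem sebb raises above (example code, not part of the thread or of the Commons build): a shell function that fails when the personal commons.releaseManagerName / commons.releaseManagerKey properties have been committed to a shared pom.xml, so a CI job or pre-commit hook can catch it before release. The two sample poms are constructed, and the name and key id in them are placeholders.

```shell
#!/bin/sh
# Properties that are personal to the release manager and belong in
# ~/.m2/settings.xml or on the mvn command line, never in the shared pom.
RM_PROPERTIES="commons.releaseManagerName commons.releaseManagerKey"

# check_pom_for_rm_details <pom.xml>
# Reports each offending property on stderr; returns 1 if any is present, 0 if clean.
check_pom_for_rm_details() {
    pom="$1"
    found=0
    for prop in $RM_PROPERTIES; do
        # fixed-string match on the opening element, e.g. <commons.releaseManagerKey>
        if grep -qF "<$prop>" "$pom"; then
            echo "$pom: personal property <$prop> is committed; move it to ~/.m2/settings.xml" >&2
            found=1
        fi
    done
    return $found
}

# Constructed sample: a pom that wrongly carries RM details (placeholder values).
bad_pom=$(mktemp)
cat > "$bad_pom" <<'EOF'
<project>
  <properties>
    <commons.releaseManagerName>Placeholder Name</commons.releaseManagerName>
    <commons.releaseManagerKey>0000000000000000</commons.releaseManagerKey>
  </properties>
</project>
EOF

# Constructed sample: a pom with only shared, non-personal properties.
good_pom=$(mktemp)
cat > "$good_pom" <<'EOF'
<project>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
</project>
EOF

# The per-run alternative sebb mentions: pass the values as -D properties instead,
# e.g.  mvn -Dcommons.releaseManagerName="..." -Dcommons.releaseManagerKey=... <goals>
```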



Re: [all] stopping dependabot and security analyses on dormant components

2023-10-04 Thread Phil Steitz
On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg  wrote:
>
> On 03/10/2023 at 20:18, Bruno Kinoshita wrote:
> > Same for me, I prefer to know ahead of time if there are any issues with
> > dependencies.
>
> But the Commons components are mostly dependency-less, we are flooded by
> dependabot requests to update non code related dependencies (Maven
> plugins, GitHub actions) for non critical purposes. It would be better
> to have such notifications for CVEs only.

I also hate the noise, but I share the pay-as-you-go mentality that
Gary and Bruno express.  Shoving too many updates in the run-up to the
release can make things harder and cause things to be missed.  I was
bitten badly some years back by a plugin update that caused release
jars to be borked.  I would have more likely caught it if the update
had happened sooner.  I think sebb's suggestion of decreasing check
frequency is practical.

Phil
>
> Emmanuel Bourg
>
>
>
