rustls-platform-verifier

ci: disable dependabot cargo updates

Open cpu opened this issue 1 year ago • 7 comments

Until we have a better sense of how to handle the update PRs it produces let's turn this off for now. I think I was premature in enabling it. Inspired by discussion in this PR thread.

cpu avatar Aug 05 '24 19:08 cpu

> Until we have a better sense of how to handle the update PRs it produces let's turn this off for now.

Did you want to discuss that in this PR or would it be better to open a followup issue where the topic can happen? I don't mind either way.

complexspaces avatar Aug 05 '24 19:08 complexspaces

> Did you want to discuss that in this PR

WFM!

I think there's two topics:

  1. whether it's worth maintaining Cargo.lock updates for compatible updates. We do it in the other Rustls repos, but I don't think I can articulate a very meaningful argument for why we should do it here.
  2. how they should be reviewed (edit: and how many reviews should there be before merge). In the other Rustls repos we don't (at least as I understand things) do more than a cursory review of the update. When we were using Dependabot I would review the updates in https://diff.rs and pay particular attention to things like build.rs updates, but for large deps like aws-lc-rs/aws-lc-sys I certainly don't review every changed line. I also haven't been keeping up with that practice since switching to Renovate. How are other folks handling these?

cpu avatar Aug 05 '24 19:08 cpu

I generally scroll through the Cargo.lock changes looking for any new dependencies, but I don't look at the actual changes made in semver-compatible upstream versions.

djc avatar Aug 05 '24 20:08 djc
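The two review habits described above (looking for brand-new crates in a Cargo.lock diff, and paying attention to anything beyond a plain semver bump) can be mechanised. The following is an added example, not code from rustls-platform-verifier or from any of the commenters: a dependency-free Rust program that parses the `[[package]]` tables of two lockfiles, classifies each difference, and flags the ones that deserve a real look rather than a scroll-through: newly introduced crate names and any entry whose checksum changed without a version change. The two lockfiles, crate versions and checksums embedded below are constructed sample data, not taken from the repository.

```rust
use std::collections::BTreeMap;

/// One `[[package]]` table from a Cargo.lock (only the fields a reviewer needs).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockEntry {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
    pub checksum: Option<String>,
}

/// name -> version -> entry; a crate can legitimately appear at two versions.
pub type LockMap = BTreeMap<String, BTreeMap<String, LockEntry>>;

/// Line-based parser for the `[[package]]` tables of a Cargo.lock. It ignores
/// the `dependencies = [...]` arrays and any other table such as `[metadata]`.
pub fn parse_lock(text: &str) -> LockMap {
    fn flush(cur: &mut Option<LockEntry>, map: &mut LockMap) {
        if let Some(e) = cur.take() {
            map.entry(e.name.clone()).or_default().insert(e.version.clone(), e);
        }
    }
    let mut map = LockMap::new();
    let mut cur: Option<LockEntry> = None;
    for line in text.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            flush(&mut cur, &mut map);
            cur = Some(LockEntry { name: String::new(), version: String::new(), source: None, checksum: None });
        } else if line.starts_with('[') {
            flush(&mut cur, &mut map); // another table ends the package list
        } else if let (Some(e), Some((k, v))) = (cur.as_mut(), line.split_once('=')) {
            let v = v.trim().trim_matches('"').to_string();
            match k.trim() {
                "name" => e.name = v,
                "version" => e.version = v,
                "source" => e.source = Some(v),
                "checksum" => e.checksum = Some(v),
                _ => {} // `dependencies = [` and similar are not needed here
            }
        }
    }
    flush(&mut cur, &mut map);
    map
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Change {
    /// A name/version pair not present before: a brand-new crate, or a second version of one.
    Added { name: String, version: String, source: Option<String> },
    Removed { name: String, version: String },
    Updated { name: String, from: String, to: String },
    /// Same name and version, different checksum: should never happen for a registry crate.
    ChecksumChanged { name: String, version: String },
}

/// Compare two lockfiles and list every difference between their package tables.
pub fn diff_locks(old: &str, new: &str) -> Vec<Change> {
    let (old, new) = (parse_lock(old), parse_lock(new));
    let mut changes = Vec::new();
    for (name, new_versions) in &new {
        let Some(old_versions) = old.get(name) else {
            for e in new_versions.values() {
                changes.push(Change::Added { name: name.clone(), version: e.version.clone(), source: e.source.clone() });
            }
            continue;
        };
        if old_versions.len() == 1 && new_versions.len() == 1 {
            // Plain bump: one version on each side.
            let (ov, oe) = old_versions.iter().next().unwrap();
            let (nv, ne) = new_versions.iter().next().unwrap();
            if ov != nv {
                changes.push(Change::Updated { name: name.clone(), from: ov.clone(), to: nv.clone() });
            } else if oe.checksum != ne.checksum {
                changes.push(Change::ChecksumChanged { name: name.clone(), version: nv.clone() });
            }
            continue;
        }
        for (v, ne) in new_versions {
            match old_versions.get(v) {
                None => changes.push(Change::Added { name: name.clone(), version: v.clone(), source: ne.source.clone() }),
                Some(oe) if oe.checksum != ne.checksum => changes.push(Change::ChecksumChanged { name: name.clone(), version: v.clone() }),
                Some(_) => {}
            }
        }
        for v in old_versions.keys().filter(|v| !new_versions.contains_key(*v)) {
            changes.push(Change::Removed { name: name.clone(), version: v.clone() });
        }
    }
    for (name, old_versions) in old.iter().filter(|(n, _)| !new.contains_key(*n)) {
        for v in old_versions.keys() {
            changes.push(Change::Removed { name: name.clone(), version: v.clone() });
        }
    }
    changes
}

/// Changes that should not be waved through on a cursory scroll: new crates and checksum mismatches.
pub fn needs_close_review(c: &Change) -> bool {
    matches!(c, Change::Added { .. } | Change::ChecksumChanged { .. })
}

// Constructed sample lockfiles (versions and checksums are made up for the example).
pub const OLD_LOCK: &str = r#"
version = 3

[[package]]
name = "cc"
version = "1.0.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000001"

[[package]]
name = "libc"
version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000002"

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "cc",
 "libc",
]
"#;

pub const NEW_LOCK: &str = r#"
version = 3

[[package]]
name = "cc"
version = "1.0.104"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000003"

[[package]]
name = "jobserver"
version = "0.1.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000004"

[[package]]
name = "libc"
version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000005"

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "cc",
 "jobserver",
 "libc",
]
"#;

fn main() {
    for c in diff_locks(OLD_LOCK, NEW_LOCK) {
        let flag = if needs_close_review(&c) { "REVIEW" } else { "ok" };
        println!("[{flag}] {c:?}");
    }
}
```

In day-to-day use the two constants would be replaced by `git show origin/main:Cargo.lock` and the PR's checkout; the point of the classification is that a plain `Updated` entry is what a semver-compatible bump should look like, while an `Added` crate (new transitive dependency, possibly with its own `build.rs`) or a `ChecksumChanged` entry is exactly the case where looking at the actual crate contents, for example in diff.rs, is warranted.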

A potential third topic for discussion: being more explicit about ownership. So far I think we've mostly deferred to @complexspaces on any half-way nuanced changes, but the downside is that @complexspaces has pretty limited bandwidth certainly compared to the other rustls org maintainers. Maybe we can get to a tweaked proposed governance model?

djc avatar Aug 05 '24 20:08 djc

> Should we also disable this for github-actions?

These seem infrequent enough that I was OK leaving it on, but happy to revisit.

cpu avatar Aug 05 '24 20:08 cpu

Hey folks, @complexspaces directly reports to me currently (I'm director of seceng at 1Password); I don't feel particularly strongly one way or another as to what the governance model of this library/project should look like, but I am open to discussion as to how/where we can adjust or increase 1Password involvement/support. :)

Let's bring this discussion into another issue?

worldwise001 avatar Aug 11 '24 22:08 worldwise001

> Hey folks, @complexspaces directly reports to me currently (I'm director of seceng at 1Password); I don't feel particularly strongly one way or another as to what the governance model of this library/project should look like, but I am open to discussion as to how/where we can adjust or increase 1Password involvement/support. :)
>
> Let's bring this discussion into another issue?

Opened https://github.com/rustls/rustls-platform-verifier/issues/125 for this.

djc avatar Aug 19 '24 12:08 djc