Re: An interesting issue wrt CLA


Sarah Allen
 

Bots can have delegated authority to sign things on behalf of their makers. It seems like it would be even more important for this kind of bot to have a signature, since, if it were compromised or impersonated (can I say that about a bot?), that could be a pretty powerful attack vector.

Thanks for raising this question!

Sarah



On Tue, Jan 7, 2020 at 10:50 AM Brendan Burns via Lists.Cncf.Io <bburns=microsoft.com@...> wrote:
Folks,
See:

Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and Dependabot (being a bot) has no ability to sign.

Any thoughts about the right approach here? (For this specific one I'm going to clone the PR myself, but in general it's an interesting issue.)

Thanks
--brendan


Join cncf-toc@lists.cncf.io to automatically receive all group messages.