Re: An interesting issue wrt CLA

Sarah Allen

Bots can have delegated authority to sign things on behalf of their makers.  It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or impersonated (can I say that about a bot?) that could be a pretty powerful attack vector.

Thanks for raising this question!


On Tue, Jan 7, 2020 at 10:50 AM Brendan Burns

Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and dependabot (being a bot) has no ability to sign.

Any thoughts about the right approach here? (for this specific one I'm going to clone the PR myself, but in general it's an interesting issue)
