An interesting issue wrt CLA
Brendan Burns
Folks,
See:
Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and dependabot (being a bot) has no ability to sign.
Any thoughts about the right approach here? (for this specific one I'm going to clone the PR myself, but in general it's an interesting issue)
Thanks
--brendan
Sarah Allen
Bots can have delegated authority to sign things on behalf of their makers. It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or impersonated (can I say that about a bot?) that could be a pretty powerful attack vector. Thanks for raising this question!
Sarah
Matt Farina
Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is different from those providing it and the person choosing to use it is a member of the project.
This problem only affects those using the CLA. Dependabot appropriately signs for the DCO. The majority of CNCF projects are not affected by this issue.
Dependabot creates a PR like any other random person who comes along on GitHub. A person with merge access has to merge the PR and the PR has to pass tests and review as if a person were suggesting the same change. https://dependabot.com/#how-it-works What would an attack vector for a bot like this be? If a bot had write access to the code I would be concerned.
A thought for this case... GitHub is a CNCF member and has a signed CLA (I assume) since GitHub employees contribute to Kubernetes. Is there someone there who can add Dependabot's account to the CLA? This would be the quick and easy approach. It would not scale to similar services.
- Matt Farina
On Tue, Jan 7, 2020, at 2:05 PM, Sarah Allen wrote:
swinslow@...
Thanks for raising this. In the case of Dependabot, if it is only modifying version numbers and hashes to bump dependency versions, I don't think there is any realistic concern that this bot would be contributing copyrightable content. That might not be the case for other bots but in this case I don't see a concern.
Because of that, from the CNCF / LF side I think we would be comfortable with having Dependabot changes not being blocked by the CLA bot. I'm coordinating with the LF IT team to whitelist Dependabot so that it will not be gated for the k8s CLA bot going forward.
Thanks, Steve
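The exemption above rests on a condition: Dependabot "only modifying version numbers and hashes". The following is an added example, not part of this thread and not CNCF, LF or Dependabot tooling, showing how a CI-side check could enforce that condition on a PR's unified diff, so that a whitelisted bot account (or someone impersonating it, the concern raised earlier in the thread) cannot use the CLA bypass to land anything other than a dependency bump. It assumes Go manifests (go.mod and go.sum, as Kubernetes uses); the file allowlist, the module-line pattern and the three sample diffs are constructed for the example. It goes a little beyond the thread by also rejecting `replace` directives, which change where a module is fetched from rather than just which version.

```python
"""Gate a bot-generated PR on the condition that justified its CLA exemption:
it may only bump dependency versions and hashes in dependency manifests.
Example code; the allowlist and patterns below are assumptions, not project policy."""
import os
import re

# Dependency manifests a bump PR may touch. Go only (Kubernetes' ecosystem);
# this allowlist is an assumption of the example and would grow per ecosystem.
ALLOWED_FILES = {"go.mod", "go.sum"}

# A changed line in those files must be a plain module entry:
#   <module path> <version>[/go.mod] [h1:<hash>] [// indirect]
# Anything else (replace/exclude directives, the go version line, ...) is rejected.
MODULE_LINE = re.compile(
    r"^\s*[\w.\-/~]+\s+"                  # module path
    r"v\d+\.\d+\.\d+(?:[-+][\w.\-+]+)?"   # semver, pre-release or pseudo-version
    r"(?:/go\.mod)?"                      # go.sum's per-go.mod entry
    r"(?:\s+h1:[A-Za-z0-9+/=]+)?"         # go.sum hash
    r"(?:\s*//\s*indirect)?\s*$"          # go.mod indirect marker
)

DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def bot_diff_violations(diff_text):
    """Return human-readable violations; an empty list means a pure dependency bump."""
    violations = []
    path, allowed = None, False
    for line in diff_text.splitlines():
        m = DIFF_HEADER.match(line)
        if m:
            path = m.group(2)
            allowed = os.path.basename(path) in ALLOWED_FILES
            if not allowed:
                violations.append(f"{path}: not a dependency manifest")
            continue
        if path is None or not allowed:
            continue  # no file yet, or this file's violation is already recorded
        if line.startswith(("+++ ", "--- ", "@@", "index ")):
            continue  # diff metadata, not content
        if line[:1] in ("+", "-") and not MODULE_LINE.match(line[1:]):
            violations.append(f"{path}: changed line is not a module/version entry: {line!r}")
    return violations


def is_pure_dependency_bump(diff_text):
    return not bot_diff_violations(diff_text)


# Constructed sample diffs (not real PRs). Module names and hashes are made up.
GOOD_DIFF = """
diff --git a/go.mod b/go.mod
index 1111111..2222222 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ require (
     github.com/example/alpha v1.0.0
-    github.com/example/beta v1.2.3
+    github.com/example/beta v1.2.4
     github.com/example/gamma v0.5.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 3333333..4444444 100644
--- a/go.sum
+++ b/go.sum
@@ -3,4 +3,4 @@
-github.com/example/beta v1.2.3 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-github.com/example/beta v1.2.3/go.mod h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
+github.com/example/beta v1.2.4 h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
+github.com/example/beta v1.2.4/go.mod h1:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
"""

# A "bump" that also edits source: must never ride the CLA exemption.
SOURCE_EDIT_DIFF = GOOD_DIFF + """
diff --git a/pkg/auth/token.go b/pkg/auth/token.go
index 5555555..6666666 100644
--- a/pkg/auth/token.go
+++ b/pkg/auth/token.go
@@ -10,3 +10,3 @@ func Validate(tok string) bool {
-    return verify(tok)
+    return true
 }
"""

# Only go.mod is touched, but a replace directive redirects the module source.
REPLACE_DIFF = """
diff --git a/go.mod b/go.mod
index 1111111..7777777 100644
--- a/go.mod
+++ b/go.mod
@@ -9,2 +9,3 @@ require (
     github.com/example/gamma v0.5.0 // indirect
 )
+replace github.com/example/beta => github.com/evil/beta v1.2.4
"""

if __name__ == "__main__":
    for name, diff in [("good", GOOD_DIFF), ("source edit", SOURCE_EDIT_DIFF), ("replace", REPLACE_DIFF)]:
        print(name, "->", bot_diff_violations(diff) or "pure dependency bump")
```

Wired in as a required status check for PRs from the whitelisted bot account, a failing result simply drops the PR back onto the normal path (human author, CLA, review), which is what Brendan did by hand for the PR that started this thread.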