https://bz.apache.org/bugzilla/show_bug.cgi?id=66658
Mark Thomas <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mark Thomas <[email protected]> ---

I see where this is coming from but this appears to be adding complexity for no benefit as far as the Tomcat project is concerned. Note that:

- No automated tools have write access to Tomcat repositories
- We only use GitHub provided actions
- We only use GitHub provided runners

If the sort of attack these changes are designed to mitigate was successful then that would require compromise of the GitHub infrastructure and the impact would be limited to the GitHub infrastructure.

In short, there is no benefit to the Tomcat project to making our action dependencies harder to manage.

We don't use Dependabot as it is generally noisy and has a high false positive rate when raising security alerts (it tends to raise security issues for things like test dependencies). If we started to use 3rd-party actions then I can see the benefit in using hashes and using Dependabot to simplify keeping them updated. Currently, we reference the major version tag which keeps us up to date anyway.

I am leaning towards closing this as WONTFIX but I'll leave it open for now so others can comment. Moving it to the NEEDINFO state although "needs justification else will get closed" would be a better description.
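Added example, not part of the bug report or the Tomcat project's own tooling: a small checker over a constructed workflow file that lists each `uses:` reference, whether its owner is one the comment treats as GitHub-provided (assumed here to mean the `actions` and `github` owners), and whether it is pinned to a 40-hex commit SHA rather than a mutable tag such as `v4`. The third-party-on-a-tag case it singles out is the one the comment says would justify hash pinning.

```python
import re

# Constructed sample workflow (not the Tomcat project's); the 40-hex SHA is a made-up value.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
      - uses: some-org/some-action@v1
      - uses: actions/cache@1111111111111111111111111111111111111111  # constructed pin
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
GITHUB_OWNERS = {"actions", "github"}  # assumed meaning of "GitHub provided actions"

def parse_uses(value):
    # Split 'owner/name[/path]@ref' into (action, ref); local and docker refs carry no ref.
    if value.startswith("./") or value.startswith("docker://"):
        return value, None
    action, _, ref = value.partition("@")
    return action, ref or None

def audit_workflow(text):
    """One finding per `uses:` line that references a remote (owner/name@ref) action."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = parse_uses(m.group(1))
        if ref is None:
            continue  # local or docker reference: no tag-versus-SHA distinction to make
        owner = action.split("/", 1)[0]
        findings.append({"action": action, "ref": ref,
                         "github_provided": owner in GITHUB_OWNERS,
                         "sha_pinned": bool(SHA_RE.match(ref))})
    return findings

def unpinned_third_party(text):
    # Third-party actions on a mutable ref: the case where hash pinning would pay off.
    return [f for f in audit_workflow(text) if not f["github_provided"] and not f["sha_pinned"]]
```

Running `audit_workflow` over a real `.github/workflows/*.yml` file gives the same per-step breakdown; the regex handles the common `uses:` layouts but is not a full YAML parser.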
