That's very cool. If I understand this correctly, these are not automated, 
there are real contributors behind the PRs, right? Closing the PR would be 
harsh, so why not simply ask the contributor to create an issue and update 
the PR?

-Flavio

> On 2 Oct 2020, at 17:26, Enrico Olivelli <eolive...@gmail.com> wrote:
> 
> Hey!
> it looks like the Bug bash has brought a few Pull Requests
> https://github.com/apache/zookeeper/pulls
> 
> Unfortunately they are not following the contribution guidelines (for
> instance there is no associated JIRA)
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute -
> 
> Most of the PRs are about trivial fixes, I am not sure if a JIRA is deserved.
> 
> What should we do?
> My proposal is to ping the contributor in order to obey the guide and then
> finally accept the patches, as Michael Han did in this patch
> https://github.com/apache/zookeeper/pull/1470
> 
> I don't want to see those patches remaining on github as low hanging fruit,
> so it is better that we decide how to work on them,
> another option is to close them as invalid (It would be a pity IMHO)
> 
> Enrico
> 
> On Mon 28 Sep 2020 at 15:03 Tom DuBuisson <to...@muse.dev> wrote:
> 
>> Enrico,
>> That sounds great.  We'll get the repo activated.
>> 
>> Tom
>> 
>> On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com>
>> wrote:
>> 
>>> Tom
>>> Overall I think that we can move forward.
>>> 
>>> This thread has been around for a while, there are no objections, every
>>> question has been answered.
>>> 
>>> Thank you very much
>>> 
>>> I hope this activity will help in growing the Zookeeper project both in
>>> code quality and with more contributions, that is to help the community
>>> to grow.
>>> 
>>> Best regards
>>> 
>>> Enrico
>>> 
>>> On Mon 28 Sep 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
>>> 
>>>> Norbert,
>>>> 
>>>> Yes, you understand that correctly.  And those analyzers are FindSecBugs,
>>>> Error Prone and Infer.  All open source and in moderate to wide use
>>>> already.  Only FindSecBugs is security specific - Infer and Error Prone
>>>> might find security bugs but they are more general purpose in nature.
>>>> 
>>>> -Tom
>>>> 
>>>> On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar
>>>> <nkal...@cloudera.com.invalid> wrote:
>>>> 
>>>>> Hello Tom,
>>>>> 
>>>>> +1 on the initiative, thanks for bringing this to our attention.
>>>>> 
>>>>> If I understand correctly, there will be no disclosed security issues
>>>>> which cannot be found with open source static analyzers.
>>>>> 
>>>>> Regards,
>>>>> Norbert
>>>>> 
>>>>> On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté
>>>>> <szalay.beko.m...@gmail.com> wrote:
>>>>> 
>>>>>> Hello Guys,
>>>>>> 
>>>>>> In general I like the idea, but unfortunately I can not really
>>>>>> participate (either in the coding or in the review) as I have a few
>>>>>> important projects close to deadline at the moment.
>>>>>> 
>>>>>> My only concern is with the security bugs, which I don't like to be
>>>>>> openly reported before publishing a release with the fix. But for any
>>>>>> other kind of bugfixes / improvements, I am very positive with the
>>>>>> initiative.
>>>>>> 
>>>>>> Best regards,
>>>>>> Mate
>>>>>> 
>>>>>> On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>> 
>>>>>>> Enrico et al,
>>>>>>> 
>>>>>>> Are there other thoughts on this?  It would be great to get set up
>>>>>>> before the bash actually begins.  Enrico, lacking other voices would
>>>>>>> you like to make a final call?
>>>>>>> 
>>>>>>> -Tom
>>>>>>> 
>>>>>>> On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com>
>>>>>>> wrote:
>>>>>>> 
>>>>>>>> Tom,
>>>>>>>> Personally I am +1 with this proposal. Thanks for your
>>>>>>>> clarifications.
>>>>>>>> 
>>>>>>>> But we should hear opinions from other people in this list
>>>>>>>> 
>>>>>>>> Enrico
>>>>>>>> 
>>>>>>>> On Wed 23 Sep 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>> 
>>>>>>>>> Enrico,
>>>>>>>>> 
>>>>>>>>> On the topic of security issues and reporting:  Muse's default
>>>>>>>>> configuration is open source tools and here it is run on open source
>>>>>>>>> projects.  The results are thus already available publicly (in this
>>>>>>>>> case from FSB, Infer, and Error Prone).  Muse doesn't post anything
>>>>>>>>> to GitHub except in the case of pull requests and then only if the
>>>>>>>>> bug is deemed to have been "introduced" as part of the PR - meaning
>>>>>>>>> it shouldn't be a vulnerability in currently shipped software.
>>>>>>>>> 
>>>>>>>>> If there are desires or proposals about more control over bug
>>>>>>>>> reports in a convenient, configurable, manner then we'd really like
>>>>>>>>> to dig in and hear how to help.  In case there is more discussion on
>>>>>>>>> this point I'm CCing Andrew who leads Muse's product design.
>>>>>>>>> 
>>>>>>>>> -Tom
>>>>>>>>> 
>>>>>>>>> On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> On Wed 23 Sep 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Enrico,
>>>>>>>>>>> 
>>>>>>>>>>> The Muse App requires two main abilities.  First is events, such
>>>>>>>>>>> as notification when pull requests are opened or updated.  Second
>>>>>>>>>>> is permission to post comments (which is always possible for
>>>>>>>>>>> humans but more tightly controlled when the poster authenticates
>>>>>>>>>>> as a github application).  The repository being public has
>>>>>>>>>>> allowed us to run the app and observe ErrorProne, Infer, and
>>>>>>>>>>> FindSecBugs all run out of the box and without custom
>>>>>>>>>>> configuration.
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Makes sense.
>>>>>>>>>> 
>>>>>>>>>> One last question from my side
>>>>>>>>>> What about security issues?
>>>>>>>>>> Our policy is to have them reported to secur...@zookeeper.apache.org
>>>>>>>>>> before public disclosure
>>>>>>>>>> 
>>>>>>>>>> Enrico
>>>>>>>>>> 
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Tom
>>>>>>>>>>> 
>>>>>>>>>>> On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> On Wed 23 Sep 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Zookeeper Developers,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> As part of our sponsorship of ApacheCon, our company MuseDev is
>>>>>>>>>>>>> doing a Bug Bash for select Apache projects. We'll bring members
>>>>>>>>>>>>> of the ApacheCon community together to find and fix a range of
>>>>>>>>>>>>> security and performance bugs during the conference, and gamify
>>>>>>>>>>>>> the experience with teams, a leaderboard, and prizes. The bash
>>>>>>>>>>>>> is open to everyone whether attending the conference or not, and
>>>>>>>>>>>>> our whole dev team will also be participating to help fix as
>>>>>>>>>>>>> many bugs as we can.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> We're seeding the bug list with results from Muse, our code
>>>>>>>>>>>>> analysis platform, which runs as a Github App and comments on
>>>>>>>>>>>>> possible bugs as part of the pull request workflow.  Here's an
>>>>>>>>>>>>> example of what it looks like:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://github.com/curl/curl/pull/5971#discussion_r490252196
>>>>>>>>>>>>> <https://github.com/curl/curl/pull/5971>
>>>>>>>>>>>>> 
>>>>>>>>>>>>> We explored a number of Apache projects and are reaching out
>>>>>>>>>>>>> because our analysis through Muse found some interesting bugs
>>>>>>>>>>>>> that could be fixed during the Bash.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> We're writing to see if you'd be interested in having your
>>>>>>>>>>>>> project included in the Bash. Everything is set up on our end,
>>>>>>>>>>>>> and if you're interested, we would need you to say yes on this
>>>>>>>>>>>>> listserv, and we'll work with the Apache Infrastructure team to
>>>>>>>>>>>>> grant Muse access to your Github mirror.
>>>>>>>>>>>> 
>>>>>>>>>>>> It is a public repo, what kind of access does it need?
>>>>>>>>>>>> 
>>>>>>>>>>>> Enrico
>>>>>>>>>>>> 
>>>>>>>>>>>>> We'll then make sure it's all set up and ready for the Bash. And
>>>>>>>>>>>>> of course, everyone on the project is most welcome to join the
>>>>>>>>>>>>> Bash and help us smash some bugs.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> -Tom