doc/dev: add Dependabot section to essentials.rst

This PR adds a section to the Developer Guide chapter
"Essentials" that explains what Dependabot is. This
section is adapted from an email from Ernesto Puerta
to the CLT that was sent on 08 Jul 2022.

Co-authored-by: Ernesto Puerta <epuertat@redhat.com>
Signed-off-by: Zac Dover <zac.dover@gmail.com>
Zac Dover 2022-07-10 04:05:47 +10:00
parent cc33ff6fef
commit 2711e8de80


@ -304,6 +304,36 @@ The rest (including the actual backporting) will be taken care of by the
.. _`tracker issue`: http://tracker.ceph.com/
.. _`Stable Releases and Backports`: http://tracker.ceph.com/projects/ceph-releases/wiki
Dependabot
----------
Dependabot is a github bot that scans the dependencies in the repositories for
security vulnerabilities (CVEs). If a fix is available for a discovered CVE,
Dependabot creates a pull request to update the dependency.
Dependabot also indicates the compatibility score of the upgrade. This score is
based on the number of CI failures that occur in other Github repositories
where the fix was applied.
With some configuration, Dependabot can perform non-security updates (for
example, it can upgrade to the latest minor version or patch version).
Dependabot supports `several languages and package managers
<https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems>`_.
As of July 2022, the Ceph project receives alerts only from pip (based on the
`requirements.txt` files) and npm (`package*.json`). It is possible to extend
these alerts to git submodules, Golang, and Java. As of July 2022, there is no
support for C++ package managers such as vcpkg, conan, C++20 modules.
Many of the dependencies discovered by Dependabot will best be updated
elsewhere than the Ceph Github repository (distribution packages, for example,
will be a better place to update some of the dependencies). Nonetheless, the
list of new and existing vulnerabilities generated by Dependabot will be
useful.
`Here is an example of a Dependabot pull request.
<https://github.com/ceph/ceph/pull/46998>`_
Guidance for use of cluster log
-------------------------------
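Review bot: in the sentence "there is no support for C++ package managers such as vcpkg, conan, C++20 modules", C++20 modules are a language feature, not a package manager; suggest "such as vcpkg or conan (nor for C++20 modules)". Capitalisation of the product name is inconsistent in this hunk ("github bot", "Github repositories", "Ceph Github repository"); use "GitHub" throughout. The sentence "Many of the dependencies discovered by Dependabot will best be updated elsewhere than the Ceph Github repository" reads awkwardly; suggest "Many of the dependencies that Dependabot flags are best updated outside the Ceph GitHub repository (for example, in distribution packages)". The compatibility-score paragraph would also benefit from one sentence saying that the score reflects CI results in other repositories that took the same update and is not a guarantee that Ceph's own CI will pass, so a Dependabot pull request still goes through normal review. Minor: the trailing period in the link text "`Here is an example of a Dependabot pull request. <...>`_" belongs outside the link.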