open-quantum-safe / tsc

OQS Technical Steering Committee resources
https://openquantumsafe.org/
Creative Commons Attribution 4.0 International

Automated dependency management #28

Open planetf1 opened 3 months ago

planetf1 commented 3 months ago

We should look at automated (with review) dependency management to mitigate the impact of pinning dependency versions

Tools such as dependabot can assist here, there may be others

> The work to maintain these distinct pinned versions (which is notable .. for example there's a risk of actually worsening security if an urgent patch isn't fixed up) is to use automated dependency management tools, such as dependabot.

That in turn is something I entirely agree with: Using dependabot would be better -- but it would mean work to deploy and maintain, etc. If you're willing to take this on (or know someone who would), please by all means, do -- I just cannot.

Originally posted by @baentsch in https://github.com/open-quantum-safe/liboqs/issues/1780#issuecomment-2112631010

I can start looking at this if there's agreement it's appropriate.

baentsch commented 1 month ago

> I can start looking at this if there's agreement it's appropriate.

If you'd have time that'd be really helpful, @planetf1 -- I have a hunch that pinning will otherwise cause contributors' headaches -- and I'm a big fan of automation anyway :)
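As an added illustration of what the thread proposes (not a file from the tsc or liboqs repositories): a Dependabot configuration that keeps SHA-pinned GitHub Actions current while still routing every bump through a pull request, so the existing review and branch-protection rules apply before a pin changes. It assumes the pinned dependencies in question are workflow actions; the group name and label are assumptions.

```yaml
# .github/dependabot.yml (hypothetical example, not an OQS file)
version: 2
updates:
  # Actions referenced by full commit SHA: Dependabot bumps the SHA and
  # updates the trailing version comment, so pins stay current without
  # a maintainer hand-editing every workflow file.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Batch routine minor/patch bumps into one PR to limit review load.
    # Updates that resolve a security advisory are not held to the
    # schedule; they open their own PR as soon as the advisory is known,
    # which addresses the "urgent patch" risk raised in the quoted comment.
    groups:
      actions-minor-patch:          # assumed group name
        update-types: ["minor", "patch"]
    labels: ["dependencies"]        # assumed label
    open-pull-requests-limit: 5
    commit-message:
      prefix: "ci"
```

Dependabot PRs are ordinary pull requests, so required reviews and status checks configured in branch protection still gate each pin change; the automation only removes the manual work of noticing and proposing the update.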