-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why not close tickets more aggressivley? #7231
Comments
It is not a conscious decision - more limited time and resources. If I am working on ODC when I see one of these comments (which are helpful! thank you!) I will close them. I recently re-enabled the lock action to prevent people from posting on old closed issues. However, using a bot to close old issues, at least for this project, hasn't felt right to me. Don't get me wrong, I'm all for it - but many of the old tickets might still be valid. However, no one has had time or energy to work on them (there are number of npm related issues). I do think we could come up with some rules:
I know the 2-3 years are a long time span and after looking at the results we might consider going shorter. @aikebah @nhumblot @chadlwilson thoughts on this? I agree with @marcelstoer we likely should do something more automated. |
I do agree with the general sentiment of @marcelstoer - even when I am poking around trying to do some triage I tend to give up after a few instances of coming back to issues I have seen before, or are wontfixes etc. While some automation might help, I would have some of the same concerns as Jeremy on just blatantly closing stuff due to being old. To do that fairly tends to require enough time to reopen issues and mark them as "not stale" etc, which can meet some of the same time/effort bottlenecks on triage as the original problem. I suspect the major bottleneck is perhaps
Personally I feel there is a lot of cruft left open here when waiting for an OP who never responds (given the lack of bot automation to come back and clean up), and the project is perhaps a bit lenient here rather than "probably not an issue, try this, get back to us and will re-open if it doesn't fix the issue". There was an issue I commented on a while ago (which I can't find now) which was an example of this where, @aikebah seemed to indicate he managed issues with filter combinations rather than just closing certain FP Report issues for whatever reason. A few ideas
|
Thank you for the very thoughtful feedback. I sympathize with a lot of the points you both raised. It's not an easy topic and I've had such discussions many times, both in the context of OSS projects and at work. IMO the main goal should be to trim the issue list to a more manageable size and to increase focus. Personally, I am usually discouraged to create an issue for a project whose issue list already is considerably large.
For projects I'm responsible for I usually take the position of "If they don't care, why should I?" when OPs don't respond anymore. A bot that adds a stale flag and leaves a comment to that effect giving OPs a grace period of ~2 weeks helps tremendously to get rid of those sorts of issues.
👍 |
@jeremylong I'd be all up for automated closures on inactive tickets. On my side it's also mostly a lack of time to spend on this project that leaves various older tickets open. When I have very limited time to spend I typically start top-down working my way through newly emerged FPs to get them handled where possible. When I have a bit more time to spend my first priority lies in fixing bugs on the codebase. Closing old ones is lowest on my list of priorities which indeed results in the observed state of long-standing open tickets. On the 'open in won't fix' FP reports as they are a valid CPE attribution and only surface a mismatch between user's expectation and ODC design choices (most won't fix/NVD tickets), vulnerability source policies (OSSIndex has stricter rules on when they consider a vulnerability fixed) or sometimes just a lagging behind in acknowledging fixes in the datasources used: |
@chadlwilson @marcelstoer - I'm all for having others with additional rights to help with the project. The only issue is that we would have to move the repo to https://github.com/dependency-check in order to have more than |
See #7235 |
a suggestion: automatically close tickets tagged with nvd, e.g. #7178 |
Hi 👋 Regarding a bot closing stale tickets automatically. I am personally not sure about it like @chadlwilson stated, some tickets are stale not because they are irrelevant, but because we do not have the time to contribute to it, or lack additional contributions. But I see these bots often used in big OSS projects. It may work in these big projects as they have full-time contributors and maybe because it is less third-party dependent as dependency check. I think it would be great to setup some guidelines on ticket triaging for starters. A bot could still be useful when we append a specific label, like "need for more information" or "unable to reproduce". If you would like to introduce one globally, I wouldn't see this as a big concern though. Regarding the discussion labels, I always saw them as good opportunities to open a PR to improve the documentation, but I always preferred to focus on bug fixing first. Maybe should I reconsider this approach? I didn't focus much time on dependency check lately, I am sorry for that. My work requires a lot of involvement already, doesn't support me in doing open-source, and I prefer to have some time to rest, away of software engineering. I could provide help in the triaging as it can involve shorter commitment time than fixing some difficult to reproduce bugs. I would appreciate any priority list to focus onto the project and help you folks! 🧸 |
Bots closing issues that have been triaged and accepted by maintainers as needing to be done, just because they haven't gotten around to them in two years, is incredibly frustrating. You need a more complex system of "what is this waiting for" in order to do that successfully. |
I regularly come across tickets that are clearly obsolete, duplicates, outdated or already fixed. Whenever I do, I leave a comment, suggesting they be closed (e.g. #4004). Unless the author closes them, they usually stay open.
I wonder if it's a conscious decision by the maintenance team to rely solely on ticket authors to close them in such situations. Are you intentionally not relying on ticket bots to help you clean up the issue list, or is that because the issue has never come up before?
The text was updated successfully, but these errors were encountered: