Conversation

@vlsi vlsi commented Nov 17, 2025

#3984

Checklist

Before we can review and merge your changes, please go through the checklist below. If you're still working on some items, feel free to submit your pull request as a draft—our CI will help guide you through the remaining steps.

✅ Required checks

  • License: I confirm that my changes are submitted under the Apache License, Version 2.0.

  • Commit signatures: All commits are signed and verifiable. (See GitHub Docs on Commit Signature Verification).

  • Code formatting: The code is formatted according to the project’s style guide.

    How to check and fix formatting
    • To check formatting: ./mvnw spotless:check
    • To fix formatting: ./mvnw spotless:apply

    See the build instructions for details.

  • Build & Test: I verified that the project builds and all unit tests pass.

    How to build the project

    Run: ./mvnw verify

    See the build instructions for details.

🧪 Tests (select one)

  • I have added or updated tests to cover my changes.
  • No additional tests are needed for this change.

📝 Changelog (select one)

  • I added a changelog entry in src/changelog/.2.x.x. (See Changelog Entry File Guide).
  • This is a trivial change and does not require a changelog entry.

@vlsi vlsi force-pushed the spotbugs-annotations branch from dcd1188 to 368e987 on November 17, 2025 16:37

@github-actions github-actions bot commented Nov 17, 2025

Job Requested goals Build Tool Version Build Outcome Build Scan®
build-macos-latest clean install 3.9.8 Build Scan PUBLISHED
build-ubuntu-latest clean install 3.9.8 Build Scan PUBLISHED
build-windows-latest clean install 3.9.8 Build Scan PUBLISHED
Generated by gradle/develocity-actions

@vlsi vlsi (Author) commented Nov 17, 2025

I see there are lots of build failures which I can't easily address. However, I would like to hear from the maintainers regarding the idea of dropping the dependency.

ChatGPT suggests commit signing from external contributors provides friction yet it adds no value: https://chatgpt.com/share/691b516b-0ff4-800f-9ea4-b53358ed3ae9

So in that context, mandatory signing for all PRs usually gives:

  • Extra friction: people struggle with GPG, smartcards, expired keys, email mismatch, etc.
  • Almost no extra assurance: you still review the code and trust the GitHub account/maintainer who presses “Merge”.
    ...
    For external PRs from the community
    Usually no:
  • Friction is huge:
    • They must generate a key, publish it, configure git, bind key to their email, maybe upload to GitHub, learn how to renew/revoke…
  • Security gain is tiny:
    • You still treat them as untrusted until review.
    • You still trust GitHub accounts + review/CI more than their personal crypto-opsec.

Net effect: you’ll lose contributors and gain almost no real protection.
A common compromise is:

  • Do not require signed commits on PRs.
  • But if authors want to sign, you accept them, and your tooling will just show “Verified”.
