On Fri, May 30, 2014 at 3:56 PM, Bryan Davis <bd808(a)wikimedia.org> wrote:
> There is still some ongoing internal discussion about the best way to
> verify that included libraries are needed and that security patches
> are watched for and applied from upstream. Chris Steipp is awesome,
> but it would be quite an additional burden to hang these thousands of
> new lines of code around his neck as yet another burden to bear. One
> current theory is that need should be determined by the RFC process
> and security support would need to be provided by a "sponsor" of the
> library.

As long as those libraries are installed via Composer, and well-maintained,
something like VersionEye <https://www.versioneye.com/> could take on a big
part of that burden.