On Thu, May 29, 2014 at 11:05 AM, Chris Steipp csteipp@wikimedia.org wrote:
> I'm assuming we'll eventually branch the project repo for each mediawiki release, so that if mediawiki 1.24 relies on one version of a library, and 1.25 another, that will all get handled?
>
> Obligatory security questions:
>
> - Who is going to approve what libraries we use, since we're basically blessing the version we use? And are we going to require code reviews for all of them?
> - Who is going to remain responsible for making sure that security updates in those dependencies are merged with our repos and new versions of mediawiki tarballs released? (/me yells "Not it!")
>
> As long as we have strong, ongoing, internal commitment to this, then I don't see a problem.
I just rewrote and sent this email to wikitech-l with the encouragement of Ori. It would probably be good for Chris to share his concerns publicly there.
As to these questions, yeah we need to figure this out. I think the cat is already out of the bag on using external libraries. Short of a veto of the concept by this group I think it's down to a question of "how" rather than "when" or "if".
Review should be required to get a new library approved I think certainly. We don't want to open up the floodgates to allow any random code into use by mediawiki/core. As to the level of review needed for any particular library, I'm not sure that I'm qualified to answer this definitively. Maybe any new external library should be subject to the RFC process to plead the case for why it is needed?
Perhaps for the tracking of security issues each library would have an "owner" (probably the original importer) who would be answerable to Chris for tracking and updating the library? Do we have any process today for the various javascript libraries we rely on? /me bets it's something like "Krinkle takes care of that."
Bryan