On Fri, May 30, 2014 at 3:56 PM, Bryan Davis <bd808@wikimedia.org> wrote:
> There is still some ongoing internal discussion about the best way to verify that included libraries are needed and that security patches are watched for and applied from upstream. Chris Steipp is awesome, but it would be quite an additional burden to hang these thousands of new lines of code around his neck as yet another burden to bear. One current theory is that need should be determined by the RFC process and security support would need to be provided by a "sponsor" of the library.
As long as those libraries are installed via Composer, and well-maintained, something like VersionEye https://www.versioneye.com/ could take on a big part of that burden.
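The monitoring the reply points at amounts to reading the versions pinned in composer.lock and comparing them against upstream security advisories. The script below is an added example of that check, not code from this thread, from MediaWiki or from VersionEye: the composer.lock excerpt and the advisory list are constructed for illustration, and the advisory shape (package name, first affected version, version that carries the fix) is an assumption about what such a service would provide. It also handles the case a lock file commonly contains that a naive comparison gets wrong: a branch alias such as `dev-master` has no comparable version, so it is reported as unknown rather than silently treated as safe.

```python
"""Compare packages pinned in a composer.lock against security advisories.

Added example; lock file content, advisory list and advisory format are
constructed assumptions, not data from the thread or from any real service.
"""
import json
import re

# Constructed composer.lock excerpt (real lock files carry many more fields).
COMPOSER_LOCK = """
{
  "packages": [
    {"name": "monolog/monolog", "version": "1.9.1"},
    {"name": "psr/log", "version": "1.0.0"},
    {"name": "zendframework/zend-feed", "version": "v2.2.5"},
    {"name": "example/branch-alias", "version": "dev-master"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "4.1.0"}
  ]
}
"""

# Constructed advisories: a version is affected when
# affected_from <= installed < fixed_in.  No real CVEs are referenced.
ADVISORIES = [
    {"package": "monolog/monolog", "affected_from": "1.0.0", "fixed_in": "1.10.0",
     "summary": "placeholder advisory (constructed)"},
    {"package": "zendframework/zend-feed", "affected_from": "2.0.0", "fixed_in": "2.2.6",
     "summary": "placeholder advisory (constructed)"},
    {"package": "psr/log", "affected_from": "0.1.0", "fixed_in": "1.0.0",
     "summary": "fixed in the pinned version; must not be reported"},
    {"package": "example/branch-alias", "affected_from": "1.0.0", "fixed_in": "1.2.0",
     "summary": "pinned to a branch, so the version cannot be compared"},
]


def parse_version(text):
    """Turn '1.9.1' or 'v2.2.5' into a 3-tuple of ints for ordering.

    Anything non-numeric (e.g. 'dev-master') raises ValueError so the caller
    can flag it instead of guessing.
    """
    parts = text.lstrip("v").split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError("non-numeric version: %s" % text)
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # pad '1.0' to (1, 0, 0)
    return tuple(nums[:3])


def installed_packages(lock_json, include_dev=True):
    """Map package name -> pinned version from a composer.lock document."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {p["name"]: p["version"] for s in sections for p in lock.get(s, [])}


def is_affected(installed, advisory):
    """True when the pinned version lies in [affected_from, fixed_in)."""
    v = parse_version(installed)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def check_lock(lock_json, advisories, include_dev=True):
    """Return {'vulnerable': [...], 'unknown': [...]} for the lock file.

    'vulnerable' lists packages whose pinned version falls in an advisory's
    affected range; 'unknown' lists packages with an advisory whose pinned
    version could not be compared (branch aliases), which need a human look.
    """
    pinned = installed_packages(lock_json, include_dev)
    report = {"vulnerable": [], "unknown": []}
    for adv in advisories:
        version = pinned.get(adv["package"])
        if version is None:
            continue  # advisory is for a package we do not ship
        try:
            if is_affected(version, adv):
                report["vulnerable"].append(
                    {"package": adv["package"], "installed": version,
                     "fixed_in": adv["fixed_in"], "summary": adv["summary"]})
        except ValueError:
            report["unknown"].append({"package": adv["package"], "installed": version})
    return report


if __name__ == "__main__":
    for entry in check_lock(COMPOSER_LOCK, ADVISORIES)["vulnerable"]:
        print("UPDATE %(package)s %(installed)s -> %(fixed_in)s (%(summary)s)" % entry)
    for entry in check_lock(COMPOSER_LOCK, ADVISORIES)["unknown"]:
        print("REVIEW %(package)s pinned to %(installed)s" % entry)
```

Run against a real composer.lock, the same logic would sit in CI so that a pinned version falling inside a published advisory range fails the build, which is the "watched for and applied from upstream" part of the burden the thread is discussing.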