I've spoken to glob about this offline; but just wanted to note: Our fledgling 'Third Party Library Audit' project is planning on using this metadata (even if the library itself isn't completely vendored) for checking for security issues in upstream and auto-filing bugs.
-tom On Mon, Apr 9, 2018 at 11:25 PM, glob <g...@mozilla.com> wrote: > mozilla-central contains code vendored from external sources. Currently > there is no standard way to document and update this code. In order to > facilitate automation around auditing, vendoring, and linting we intend to > require all vendored code to be annotated with an in-tree YAML file, and for > the vendoring process to be standardised and automated. > > > The plan is to create a YAML file for each library containing metadata such > as the homepage url, vendored version, bugzilla component, etc. See > https://goo.gl/QZyz4x for the full specification. > > > We will work with teams to add moz.yaml files where required, as well as > adding the capability for push-button vendoring of new revisions. > > > Please address comments to the dev-platform list. > > -- > glob — engineering workflow — moz://a > > > _______________________________________________ > firefox-dev mailing list > firefox-...@mozilla.org > https://mail.mozilla.org/listinfo/firefox-dev > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform