On 2017-03-18 3:22 PM, Daniel Veditz wrote:
> On Fri, Mar 17, 2017 at 3:26 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com
> <mailto:ehsan.akhg...@gmail.com>> wrote:
> 
>     We have library imports that are forks, for example
>     dom/media/webaudio/blink, as the README file explains.  That should
>     probably be removed from that list.
> 
> 
> Forks are tricky. Just because we can't directly import the upstream
> doesn't mean we're not affected by security vulnerabilities found and
> fixed in the upstream. We still need to track it, but it will take more
> work and it will require a tracking system that can record "we're using
> 3.2.1 base + patches; we've got what we needed up to 3.7.8; current
> upstream is 3.7.9"

Yes, that's a good point.  It also depends on how much fuzzing and
maintenance the code is otherwise receiving now, and how much it's
diverging (sometimes such "forked" code is mostly static, and that's the
real pragmatic reason behind the fork.)

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
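The tracking record Daniel describes ("base version + patches; upstream fixes merged through X; current upstream is Y") is simple enough to sketch as a manifest plus an audit step. The following is an added example, not code from this thread or from Mozilla's tree; the manifest format, the `ForkRecord` fields and the sample paths are assumptions made here, and the sample version numbers are borrowed from the message's illustration.

```python
# Added example, not code from the dev-platform thread or from Mozilla's tree.
# It sketches the kind of record the message asks for: each forked library
# carries the upstream version it was forked from ("base"), the upstream
# version whose fixes have been merged into the fork so far, and the newest
# upstream release, so a lagging fork can be flagged for review.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ForkRecord:
    path: str              # location of the forked copy in the tree
    base: str              # upstream version the fork started from
    merged_through: str    # upstream version whose fixes are already in the fork
    upstream_current: str  # newest upstream release known at audit time


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string like '3.7.8' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def parse_manifest(text: str) -> List[ForkRecord]:
    """Parse a whitespace-separated manifest (hypothetical format):
    path base merged_through upstream_current.
    Blank lines and lines starting with '#' are ignored; version fields must
    be non-decreasing left to right, otherwise the record is rejected."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        path, base, merged, current = fields
        if not parse_version(base) <= parse_version(merged) <= parse_version(current):
            raise ValueError(f"line {lineno}: versions out of order for {path}")
        records.append(ForkRecord(path, base, merged, current))
    return records


def lagging_forks(records: List[ForkRecord]) -> List[Tuple[str, str, str]]:
    """Return (path, merged_through, upstream_current) for forks whose merged
    upstream version is older than the newest upstream release."""
    return [
        (r.path, r.merged_through, r.upstream_current)
        for r in records
        if parse_version(r.merged_through) < parse_version(r.upstream_current)
    ]


# Constructed sample manifest: the paths are hypothetical and the version
# numbers come from the illustration given in the thread.
SAMPLE_MANIFEST = """
# path                     base    merged_through  upstream_current
media/forked-audio-lib     3.2.1   3.7.8           3.7.9
third_party/static-parser  1.4.0   1.4.0           1.4.0
"""


def run_audit(manifest_text: str = SAMPLE_MANIFEST) -> List[Tuple[str, str, str]]:
    """Parse the manifest and return the forks that have upstream fixes not yet merged."""
    return lagging_forks(parse_manifest(manifest_text))


if __name__ == "__main__":
    for path, merged, current in run_audit():
        print(f"{path}: upstream fixes merged through {merged}, upstream is at {current}")
```

The audit only says which forks are behind; deciding whether a newer upstream release contains a fix that matters to the fork still needs a person to read the upstream changelog, which is the "more work" the message refers to. Keeping the manifest next to the forked code (or in the README the thread mentions) is what makes the comparison possible at all.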