On Sun, Jul 1, 2018, at 7:56 PM, Xidorn Quan wrote:
> The point is that adding a new crate dependency is too easy
> accidentally, and it is very possible for reviewers to overlook that. So
> it may make sense to introduce a blacklist-ish thing to avoid that to
> happen.

FYI, we had some discussion about the policy and mechanisms of reviewing vendored Rust crates in the recent past. I floated a strawman proposal[1] that didn't seem to upset anyone, but we got thrown off track by the Servo VCS sync needing to do auto-vendoring. AIUI, now that the pace of the stylo work has slowed, the Servo syncing is being done on a manual basis, so it seems like we could revisit that discussion.

The TL;DR on my proposal is: "We should make sure that someone has reviewed each new vendored crate in a bug separate from the one with the patch that adds code using it."

-Ted

1. https://bugzilla.mozilla.org/show_bug.cgi?id=1322798#c11

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform