Re: Third Party Library Alert Service

2017-03-26 Thread Ehsan Akhgari
On 2017-03-18 3:22 PM, Daniel Veditz wrote: > On Fri, Mar 17, 2017 at 3:26 PM, Ehsan Akhgari > wrote: > > We have library imports that are forks, for example > dom/media/webaudio/blink, as the README file explains. That should > probably be r

Re: Third Party Library Alert Service

2017-03-18 Thread Daniel Veditz
On Fri, Mar 17, 2017 at 3:26 PM, Ehsan Akhgari wrote: > We have library imports that are forks, for example > dom/media/webaudio/blink, as the README file explains. That should > probably be removed from that list. > Forks are tricky. Just because we can't directly import the upstream do

Re: Third Party Library Alert Service

2017-03-17 Thread Ehsan Akhgari
We have library imports that are forks, for example dom/media/webaudio/blink, as the README file explains. That should probably be removed from that list. On 2017-03-17 2:30 PM, Tom Ritter wrote: > As part of a broader initiative to perform a security review of the > third party libraries we use,

Re: Third Party Library Alert Service

2017-03-17 Thread Tom Ritter
On Fri, Mar 17, 2017 at 3:26 PM, Sylvestre Ledru wrote: > > > On 17/03/2017 at 19:40, trit...@mozilla.com wrote: >> On Friday, March 17, 2017 at 1:35:15 PM UTC-5, Sylvestre Ledru wrote: >>> Looks like we are duplicating some contents and efforts with: >>> https://dxr.mozilla.org/mozilla-central/

Re: Third Party Library Alert Service

2017-03-17 Thread Sylvestre Ledru
On 17/03/2017 at 19:40, trit...@mozilla.com wrote: > On Friday, March 17, 2017 at 1:35:15 PM UTC-5, Sylvestre Ledru wrote: >> Looks like we are duplicating some contents and efforts with: >> https://dxr.mozilla.org/mozilla-central/source/tools/rewriting/ThirdPartyPaths.txt >> Any plan to "merge

Re: Third Party Library Alert Service

2017-03-17 Thread Michael Layzell
I also want this information programmatically for the clang plugin at some point. It will be useful for many of the checks which we can't enforce on third party code due to not being able to / wanting to modify them directly. Right now we have a decent number of check-specific whitelists which coul

Re: Third Party Library Alert Service

2017-03-17 Thread Ted Mielczarek
On Fri, Mar 17, 2017, at 02:40 PM, trit...@mozilla.com wrote: > On Friday, March 17, 2017 at 1:35:15 PM UTC-5, Sylvestre Ledru wrote: > > Looks like we are duplicating some contents and efforts with: > > https://dxr.mozilla.org/mozilla-central/source/tools/rewriting/ThirdPartyPaths.txt > > Any plan

Re: Third Party Library Alert Service

2017-03-17 Thread tritter
On Friday, March 17, 2017 at 1:35:15 PM UTC-5, Sylvestre Ledru wrote: > Looks like we are duplicating some contents and efforts with: > https://dxr.mozilla.org/mozilla-central/source/tools/rewriting/ThirdPartyPaths.txt > Any plan to "merge" them? There is now! (Or, well, there will be one.) =) If

Re: Third Party Library Alert Service

2017-03-17 Thread Sylvestre Ledru
On 17/03/2017 at 19:30, Tom Ritter wrote: > As part of a broader initiative to perform a security review of the > third party libraries we use, there is now a semi-automated service > that can file bugs when upstream libraries are newer than the one we > embed. > > Closely tracking upstream can

Third Party Library Alert Service

2017-03-17 Thread Tom Ritter
As part of a broader initiative to perform a security review of the third party libraries we use, there is now a semi-automated service that can file bugs when upstream libraries are newer than the one we embed. Closely tracking upstream can ensure we don't inherit publicly known vulnerabilities.