Updating third-party libraries automatically
source link: https://groups.google.com/g/mozilla.dev.platform/c/y2IYnOEARc4
June Wilde
Jun 14, 2021, 3:34:08 PM
Updatebot can continually:
1. Check upstream for new changes
2. File a bug [1] based on a frequency setting
3. Attempt to vendor in the changes
4. Attach the created patch to a bug
5. Send in a try run [2]
6. Report back on the try run results
7. Last but not least, need-info you to review and (if you want) land the patch
Updatebot can alternately be set to skip the vendoring/patch/try-run steps and only file a bug to alert you when changes happen upstream. So far we've successfully completed this process with three separate libraries (libdav1d, angle, libjxl) and our goal is to over time enable updates for as many libraries as possible.
This all operates on top of changes we've made in `./mach vendor` and metadata stored in a corresponding moz.yaml [3] file for each library telling Updatebot where to pull updates from and how to perform the update in-tree. The Security Infrastructure team would be more than happy to help create these and work with maintainers to get Updatebot operating on your library too!
If you have any questions or want to know more, feel free to reply here, ping @jewilde and/or @tjr in #security on Matrix, or reach out to the Security Infrastructure team in #secinf on Slack.
Meta Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1618282
Updatebot Codebase: https://github.com/mozilla-services/updatebot
[1] example: https://bugzilla.mozilla.org/show_bug.cgi?id=1712411
[2] Try run contains all jobs selected via `./mach try auto`
[3] example: https://searchfox.org/mozilla-central/source/media/libdav1d/moz.yaml
Thanks!
- Tom and June