On 04/08/16 18:46, Gregory Szorc wrote:
> I want to say yes. However, even defining "code that ships as part of
> Firefox" under the same policy could be difficult.

You are right. However, you make a good case for why it's a worthy endeavour.

> We've always had 3rd party code like libbzip2 and more recently libraries
> like ICU and WebRTC vendored in mozilla-central. These were projects where
> Mozilla didn't really do much upstream work or at least weren't in the
> driver's seat: we just periodically dumped upstream changes into
> mozilla-central.

I'm not sure we can do much about that; getting Mozilla people to ramp up on each of these codebases sufficiently to review the incoming changes for maliciously-introduced security bugs would be a massive effort. :-|

> I can make the argument that there should be a governance module covering
> the rules for what gets shipped to Firefox [for Android/Desktop] users (not
> necessarily limited to the mozilla-central bits) and how that is reviewed,
> audited, etc. The commit access policy would be under purview of that
> module.

That sounds like a wise idea. The person in charge would effectively be the "Firefox Architect" - responsible for the big picture about how we go about building the features defined by the product team.

Gerv