//third_party Owners' and Users' Responsibilities
//third_party is a shared codebase. This means that we expect folks to work
together in maintaining the health of the repository. As such, there are certain
rules that we expect you to follow.
Teams that do not want any of these responsibilities should avoid using open source code at Google. If you have any questions or concerns about these policies, please contact emailremoved@.
Do not expect to check in open source code at Google and never have to touch it
or maintain it. Do not expect to completely control the destiny of various
//third_party, even if you checked it in. They are shared
resources for all of Google.
As an owner, these are your responsibilities:
Follow Security Policy: You must follow security policy, especially the Non-Google Software Installation Guidelines.
Contact the Information Security Engineering (ISE) Team: You need to ping emailremoved@ if you have any questions or concerns about the security of your package, or you mention it in a launch security review.
Monitor Vulnerabilities: You need to monitor upstream source code for security vulnerabilities. For example, by reading security announcement mailing lists or setting up go/vomit.
Patch Vulnerabilities: You need to patch vulnerabilities in
//third_partyin response to security notifications in a timely manner.
Maintain Library: You must keep up with supported versions so that your library is not unmaintained by upstream. We expect libraries to be regularly upgraded when necessary to keep within whatever the support horizon of upstream is. Unmaintained or unsupported versions of libraries are not acceptable in
//third_partyexcept by special exception.
Review & accept maintenance changes: You must be ready to accept local changes that are approved through the LSC process, as they are crucial to moving google3 forward and keeping it secure. It is your responsibility to respond to such approved LSC reviews within 5 business days. You cannot put additional burden on LSC authors that are outside the google3 reviewer policy for LSC changes. For example, if the library has an external source of truth, it is your responsibility to upstream these changes if you do not want to maintain a local fork.
For the majority of third-party projects this will be limited to:
- language related changes (e.g. making code compile after compiler changes)
- security related changes (e.g. global fixes to known security problems)
- build system related changes (e.g. adaption of BUILD files related to changes in build rules)
Inter-Team Cooperation: You need to work with other teams to upgrade when you or other teams need newer versions of libraries. This is true even if that upgrade provides you or your team no personal value.
Stepping Down: If you no longer wish to be an owner (e.g. switching teams, not enough time for maintenance, etc.), it is your responsibility to hand-off ownership to someone else. If you cannot find a replacement, the library MUST be deleted from third party.
The line between being a third party user and an owner is intentionally thin. If you rely on third party software, you may be asked to step up and help maintain it.
In particular, teams who use third party software are expected to have to spend time occasionally upgrading their code base to work with newer versions of third party libraries. This is a non-negotiable part of the contract of using open source code at Google.
What does this mean?
Teams should have tests that visibly break for Presubmit Global Presubmit (go/tgp) when their code base is incompatible with incoming updates to third party software. If an upgrade breaks your project, but does not break Presubmit Global Presubmit, it is unlikely that the changelist will be rolled back.
Even if tests do visibly break when an incoming update to third party software is tested, users are responsible for fixing their projects in a timely manner. When practical, third party updaters/owners are encouraged to help. The default position is that it should be possible to submit working third party upgrades with 30 days notice.
If you need more time than that, or the upgrade causes substantial toil for users, you will need a temporary exception from the One Version Rule, allowing you to provide the new and old versions in //third_party/, giving users more time to upgrade.
Except as otherwise noted, the content of this page is licensed under CC-BY-4.0 license. Third-party product names and logos may be the trademarks of their respective owners.