Maintenance Best Practices


Importing in third party is just the beginning, what you imported is likely here to stay for many years to come and as an OWNER you have responsibilities. In particular: maintaining the library with newer versions, responding to security issues and patching in a timely manner.

This can be a difficult task, but does not have to be if you follow these best practices:

  1. automate the import

    • using tools such as Googlify for C/C++, update.go for Go, and others, automate as much as possible the import process
    • remain careful to only download from the trusted source (e.g. https, signatures when available, etc.); if in doubt contact emailremoved@
  2. maintain patches

    • it is easy for someone at Google to send a CL and locally modify the source, however next time you have to upgrade the library, this change will be lost
    • to avoid this, maintain patch files (e.g. in a patches/ directory) that you can re-apply after every update
    • a fresh run of the import and patches should lead to what is on HEAD
    • in other words: every local change is accounted for
  3. continuous testing

    • make use of Presubmit, guitar and other tools we use in google3 to keep the library healthy (building, tests passing, etc.) across updates and changes with presubmit checks, etc.
  4. document

    • it is likely the library has its own quirks, specific maintenance steps, or other things only you know but that might be useful to someone else to maintain it
    • write a playbook documenting the import process, how one can submit changes, maintain patches, test the library or contact the owners; example: go/libxslt

Stepping down

If you no longer wish to be an owner (e.g. switching teams, not enough time for maintenance, etc.), it is your responsibility to hand-off ownership to someone else.

To find a replacement, ask people who contributed and are familiar with the library or the users and teams depending on the library (go/rdeps). Ask if someone wants to take over ownership, and make sure they know what that means. Share your docs and playbook with potential new owners.

If you cannot find a replacement, the library MUST be deleted from third party: it is the contract per go/thirdparty/responsibilities. It is expected that users and teams depending on the library will step in to take ownership otherwise they would be broken.

Except as otherwise noted, the content of this page is licensed under CC-BY-4.0 license. Third-party product names and logos may be the trademarks of their respective owners.