Maintenance Best Practices



Importing in third party is just the beginning, what you imported is likely here to stay for many years to come and as an OWNER you have responsibilities. In particular: maintaining the library with newer versions, responding to security issues and patching in a timely manner.

This can be a difficult task, but does not have to be if you follow these best practices:

  1. automate the import

    • using tools such as Googlify for C/C++, update.go for Go, and others, automate as much as possible the import process
    • remain careful to only download from the trusted source (e.g. https, signatures when available, etc.); if in doubt contact emailremoved@
  2. maintain patches

    • it is easy for someone at Google to send a CL and locally modify the source, however next time you have to upgrade the library, this change will be lost
    • to avoid this, maintain patch files (e.g. in a patches/ directory) that you can re-apply after every update
    • a fresh run of the import and patches should lead to what is on HEAD
    • in other words: every local change is accounted for
  3. continuous testing

    • make use of Presubmit, guitar and other tools we use in google3 to keep the library healthy (building, tests passing, etc.) across updates and changes with presubmit checks, etc.
  4. document

    • it is likely the library has its own quirks, specific maintenance steps, or other things you only know and that might be useful to someone else to maintain it
    • write a playbook documenting the import process, how one can submit changes, maintain patches, test the library or contact the owners; example: go/libxslt

Stepping down

If you no longer wish to be an owner (e.g. switching teams, not enough time for maintenance, etc.), it is your responsibility to hand-off ownership to someone else.

To find a replacement, ask people who contributed and are familiar with the library or the users and teams depending on the library (go/rdeps). Ask if someone is interested to take over ownership, what it means, share your docs and playbook.

If you cannot find a replacement, the library MUST be deleted from third party: it is the contract per go/thirdparty/responsibilities. It is expected that users and teams depending on the library will step in to take ownership otherwise they would be broken.

Except as otherwise noted, the content of this page is licensed under CC-BY-4.0 license. Third-party product names and logos may be the trademarks of their respective owners.