//third_party Owners' and Users' Responsibilities

//third_party is a shared codebase. This means that we expect folks to work together in maintaining the health of the repository. As such, there are certain rules that we expect you to follow.

Teams that do not want any of these responsibilities should avoid using open source code at Google. If you have any questions or concerns about these policies, please contact emailremoved@.

//third_party owner

Do not expect to check in open source code at Google and never have to touch it or maintain it. Do not expect to completely control the destiny of various libraries in //third_party, even if you checked it in. They are shared resources for all of Google.

As an owner, these are your responsibilities:

  1. Follow Security Policy: You must follow security policy, especially the Non-Google Software Installation Guidelines.

  2. Contact the Information Security Engineering (ISE) Team: You need to ping emailremoved@ if you have any questions or concerns about the security of your package, or if you mention it in a launch security review.

  3. Monitor Vulnerabilities: You need to monitor upstream source code for security vulnerabilities, for example by reading security announcement mailing lists or setting up go/vomit.

  4. Patch Vulnerabilities: You need to patch vulnerabilities in //third_party in response to security notifications in a timely manner.

  5. Maintain Library: You must keep up with supported versions so that your library is not unmaintained by upstream. We expect libraries to be regularly upgraded when necessary to keep within whatever the support horizon of upstream is. Unmaintained or unsupported versions of libraries are not acceptable in //third_party except by special exception.

  6. Inter-Team Cooperation: You need to work with other teams to upgrade when you or other teams need newer versions of libraries. This is true even if that upgrade provides you or your team no personal value.

//third_party user

On the flip side, teams who use third party software are expected to spend time occasionally upgrading their code base to work with newer versions of third party libraries. This is a non-negotiable part of the contract of using open source code at Google.

Additionally, teams should have tests that visibly break for Presubmit Global Presubmit (go/tgp) when their code base is incompatible with incoming updates to third party software. If an upgrade breaks your project, but does not break Presubmit Global Presubmit, it is unlikely that the changelist will be rolled back.

Except as otherwise noted, the content of this page is licensed under CC-BY-4.0 license. Third-party product names and logos may be the trademarks of their respective owners.