To reduce overhead for engineers trying to keep our third party libraries up to date - and to seal the current security patch gap caused by libraries in Mozilla-Central not being updated frequently enough - we've made an automated tool, Updatebot.
Updatebot can continually:
1. Check upstream for new changes
2. File a bug [1] based on a frequency setting
3. Attempt to vendor in the changes
4. Attach the created patch to a bug
5. Send in a try run [2]
6. Report back on the try run results
7. Last but not least, need-info you to review and (if you want) land the patch
Updatebot can alternatively be set to skip the vendoring/patch/try-run steps and only file a bug to alert you when changes happen upstream. So far we've successfully completed this process with three separate libraries (libdav1d, angle, libjxl), and our goal is to enable updates for as many libraries as possible over time.
This all operates on top of changes we've made in `./mach vendor` and metadata stored in a corresponding moz.yaml [3] file for each library telling Updatebot where to pull updates from and how to perform the update in-tree. The Security Infrastructure team would be more than happy to help create these and work with maintainers to get Updatebot operating on your library too!
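As an illustration of the metadata described above, here is a hypothetical moz.yaml for a made-up library. This is an added example, not the file from mozilla-central or the Updatebot project: the field names follow the moz.yaml schema as we understand it, and the library name, URLs, revision, frequency and maintainer values are placeholders to be replaced with the real ones for your library.

```yaml
# Hypothetical moz.yaml for a made-up library "examplelib" (added example, not a real in-tree file).
schema: 1

# Where Updatebot files the update bug.
bugzilla:
  product: Core
  component: "Example Component"

# Where the library comes from and which upstream revision is currently vendored.
origin:
  name: examplelib
  description: A made-up third-party library used to illustrate the metadata
  url: https://example.invalid/examplelib          # placeholder upstream URL
  release: commit <UPSTREAM_COMMIT_PLACEHOLDER> (YYYY-MM-DD)
  revision: <UPSTREAM_COMMIT_PLACEHOLDER>          # replace with the vendored commit hash
  license: MIT

# Who gets need-info'd on the bug and how often Updatebot checks upstream.
updatebot:
  maintainer-phab: phab-username-placeholder
  maintainer-bz: maintainer@example.invalid
  tasks:
    # Full mode: vendor, attach patch, push a try run, report results.
    - type: vendoring
      enabled: true
      frequency: 2 weeks       # assumed frequency value; adjust to your needs
    # Alert-only mode (assumed task type): just file a bug when upstream changes.
    # - type: commit-alert
    #   enabled: true

# How `./mach vendor` pulls the update into the tree.
vendoring:
  url: https://example.invalid/examplelib          # placeholder upstream URL
  source-hosting: github                           # assumed hosting value
  vendor-directory: third_party/examplelib
  exclude:
    - tests/
    - docs/
```

Running `./mach vendor third_party/examplelib/moz.yaml` (path is a placeholder) is what Updatebot drives in the vendoring step; the `updatebot:` section is what turns the same file into an automated schedule rather than a manual one.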
If you have any questions or want to know more feel free to reply here, ping @jewilde and/or @tjr in #security on Matrix, or reach out to the Security Infrastructure team in #secinf on Slack.
Meta Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1618282
Updatebot Codebase:
https://github.com/mozilla-services/updatebot
[1] example:
https://bugzilla.mozilla.org/show_bug.cgi?id=1712411
[2] Try run contains all jobs selected via `./mach try auto`
[3] example:
https://searchfox.org/mozilla-central/source/media/libdav1d/moz.yaml
Thanks!
- Tom and June