Update Chromium third party docs for minified and obfuscated code.
Provide some guidance which says this isn't a good idea for security reasons and for understandability.

Bug: b/290296620
Change-Id: I0f6bd0aba1c614b8f8cd3e41513ce345cd33a5ac
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4864623
Reviewed-by: Adrian Taylor <adetaylor@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Cr-Commit-Position: refs/heads/main@{#1197660}

committed by
Chromium LUCI CQ

parent
57930ba997
commit
15546991cf
@ -88,6 +88,30 @@ guidelines on size increases see
|
||||
[//docs/speed/binary_size/binary_size_explainer.md](speed/binary_size/binary_size_explainer.md) and Googlers can
|
||||
additionally check [go/chrome-binary-size](https://goto.google.com/chrome-binary-size)
|
||||
|
||||
### Binaries, obfuscated or minified code
|
||||
|
||||
The addition of third-party dependencies that contain binaries, obfuscated
|
||||
code, or minified code is strongly discouraged. Code review is an important
|
||||
part of reducing risk to Chromium and a reviewer asked to approve a change
|
||||
that contains any of these has no way to determine the legitimacy of what
|
||||
they are approving. Minification for performance optimization is
|
||||
[usually not necessary](speed/binary_size/optimization_advice.md), and the
|
||||
trade-off in terms of understandability and security is rarely worth
|
||||
it.
|
||||
|
||||
Where your dependency will form part of a release binary where size is a concern,
|
||||
there are existing tools which handle [compression for distribution](speed/binary_size/optimization_advice.md).
|
||||
|
||||
You should not check in any pre-built binaries where there is an alternate,
|
||||
supported solution for getting them. If you need to compile from source,
|
||||
consider using [CIPD](cipd_and_3pp.md) instead.
|
||||
|
||||
_Accessible to Googlers only. Non-Googlers can email one of the people in
|
||||
third_party/OWNERS for help.
|
||||
|
||||
See [Chrome Code Policy](https://goto.google.com/chrome-code-policy)
|
||||
|
||||
|
||||
## Get the code
|
||||
|
||||
There are two common ways to depend on third-party code: you can reference a
|
||||
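Review bot: The new "Binaries, obfuscated or minified code" section says such dependencies are "strongly discouraged" but gives no path for the case where one cannot be avoided, even though it states that a reviewer "has no way to determine the legitimacy of what they are approving". Consider saying who has to sign off on an exception and what must accompany the change (for example the unminified source and a description of how the artifact was produced) so the review has something to check. Two smaller points in the same hunk: the "_Accessible to Googlers only." footnote opens emphasis that is not closed in the lines shown and sits before the goto link it appears to describe, with no marker tying the two together; and "usually not necessary" and "compression for distribution" both link to speed/binary_size/optimization_advice.md, so pointing each at the relevant section of that document would help the reader.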
@ -261,7 +285,7 @@ about:credits page in Google Chrome builds.
|
||||
|
||||
If the library will never be shipped as a part of Chrome (e.g. build-time tools,
|
||||
testing tools), make sure to set the "Shipped" field to "no" so that the license
|
||||
is not included in about:credits page ([more on this below](#credits)).
|
||||
is not included in about:credits page ([more on this below](#credits)).
|
||||
|
||||
## Get a review
|
||||
|
||||
|
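Review bot: The replaced line in the "Shipped" paragraph, "is not included in about:credits page ([more on this below](#credits)).", reads identically before and after in the lines shown, so this looks like a whitespace-only edit unrelated to the minified-code guidance. Either mention the cleanup in the commit message or split it out, and since the line is being touched anyway, consider fixing the wording to "in the about:credits page".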