Update Chromium third party docs for minified and obfuscated code.

Provide some guidance which says this isn't a good idea for security reasons and for understandability.

Bug: b/290296620
Change-Id: I0f6bd0aba1c614b8f8cd3e41513ce345cd33a5ac
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4864623
Reviewed-by: Adrian Taylor <adetaylor@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Cr-Commit-Position: refs/heads/main@{#1197660}

committed by
Chromium LUCI CQ

parent
57930ba997
commit
15546991cf
@@ -88,6 +88,30 @@ guidelines on size increases see
|
|||||||
[//docs/speed/binary_size/binary_size_explainer.md](speed/binary_size/binary_size_explainer.md) and Googlers can
|
[//docs/speed/binary_size/binary_size_explainer.md](speed/binary_size/binary_size_explainer.md) and Googlers can
|
||||||
additionally check [go/chrome-binary-size](https://goto.google.com/chrome-binary-size)
|
additionally check [go/chrome-binary-size](https://goto.google.com/chrome-binary-size)
|
||||||
|
|
||||||
|
### Binaries, obfuscated or minified code
|
||||||
|
|
||||||
|
The addition of third-party dependencies that contain binaries, obfuscated
|
||||||
|
code, or minified code is strongly discouraged. Code review is an important
|
||||||
|
part of reducing risk to Chromium and a reviewer asked to approve a change
|
||||||
|
that contains any of these has no way to determine the legitimacy of what
|
||||||
|
they are approving. Minification for performance optimization is
|
||||||
|
[usually not necessary](speed/binary_size/optimization_advice.md), and the
|
||||||
|
trade-off in terms of understandability and security is rarely worth
|
||||||
|
it.
|
||||||
|
|
||||||
|
Where your dependency will form part of a release binary where size is a concern,
|
||||||
|
there are existing tools which handle [compression for distribution](speed/binary_size/optimization_advice.md).
|
||||||
|
|
||||||
|
You should not check in any pre-built binaries where there is an alternate,
|
||||||
|
supported solution for getting them. If you need to compile from source,
|
||||||
|
consider using [CIPD](cipd_and_3pp.md) instead.
|
||||||
|
|
||||||
|
_Accessible to Googlers only. Non-Googlers can email one of the people in
|
||||||
|
third_party/OWNERS for help.
|
||||||
|
|
||||||
|
See [Chrome Code Policy](https://goto.google.com/chrome-code-policy)
|
||||||
|
|
||||||
|
|
||||||
## Get the code
|
## Get the code
|
||||||
|
|
||||||
There are two common ways to depend on third-party code: you can reference a
|
There are two common ways to depend on third-party code: you can reference a
|
||||||
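Review bot: The note at the end of the new section opens emphasis with `_` at "_Accessible to Googlers only" but no closing `_` is visible after "third_party/OWNERS for help.", and the underscore inside `third_party` can interfere with how the emphasis is parsed. Suggest closing the emphasis and putting `third_party/OWNERS` in backticks. The note also sits before the "See [Chrome Code Policy]" line, which is the goto.google.com link it appears to qualify, so a reader meets "Accessible to Googlers only" without knowing what it refers to; moving it after that link, or tying the two together with a footnote marker, would fix that. Separately, "usually not necessary" and "compression for distribution" both link to speed/binary_size/optimization_advice.md; if they are meant to point at different sections, add anchors. Finally, the text says these dependencies are "strongly discouraged" but gives no path for the case where one is unavoidable; a sentence on who approves an exception, or what a reviewer should require (for example, a reproducible way to rebuild the artifact from reviewed source), would make the guidance actionable.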
@@ -261,7 +285,7 @@ about:credits page in Google Chrome builds.
|
|||||||
|
|
||||||
If the library will never be shipped as a part of Chrome (e.g. build-time tools,
|
If the library will never be shipped as a part of Chrome (e.g. build-time tools,
|
||||||
testing tools), make sure to set the "Shipped" field to "no" so that the license
|
testing tools), make sure to set the "Shipped" field to "no" so that the license
|
||||||
is not included in about:credits page ([more on this below](#credits)).
|
is not included in about:credits page ([more on this below](#credits)).
|
||||||
|
|
||||||
## Get a review
|
## Get a review
|
||||||
|
|
||||||
|