Not sure if this is going to be a more formal TechCom-RFC or just a decision made within the security team.
This has been brought up by T191638 and the security team wondering if time can be better spent on other tasks
Currently, when people want to add new third party the rules say the library needs security review.
This is looking to change this if the library meets some conditions, and security review can be skipped:
- Library is actively maintained, by a well known group or developer (like Symfony) with known security policies (things like Symfonys Security Policy are advantageous) and responsive developers
- Library has no known security issue (disclosed but not fixed)
- Whoever adds the library has some responsibility for maintaining it in the MediaWiki ecosystem (if there is a security release, updating the usages in your code, and bumping it in MediaWiki-Vendor as necessary)
- Requests for smaller sections of code (part of larger libraries) to be reviewed, due to specific concerns
If things like the above cannot be resolved, we should look to fork the library if we can't get patches back in upstream (which we have done in some cases in the past). Or, where appropriate, use something else
We should look at getting things like T180278 implemented to remove some of the human intervention. And then updating documentation like https://www.mediawiki.org/wiki/Manual:External_libraries as appropriate