Instructions for adding a native external library dependency #105045
Conversation
carlossanlop
requested review from
lewing,
directhex,
steveisok,
agocke,
blowdart,
akoeplinger,
jkoritzinsky,
GrabYourPitchforks,
stephentoub,
jkotas,
ViktorHofer,
ericstj,
bartonjs and
hoyosjs
|
Tagging subscribers to this area: @dotnet/runtime-infrastructure |
src/native/external/README.md
Outdated
| @@ -0,0 +1,72 @@ | |||
| # Native external libraries | |||
|
|
|||
| This folder contains the source code of third party native libraries that are used as dependencies for Runtime. | |||
There was a problem hiding this comment.
| This folder contains the source code of third party native libraries that are used as dependencies for Runtime. | |
| This folder contains the source code of vendored third party native libraries that are used as dependencies for dotnet/runtime. |
There was a problem hiding this comment.
@jkoritzinsky Pardon my ignorance: What does vendored refer to? Why would all these libraries be considered as such?
There was a problem hiding this comment.
"Vendored in" libraries are libraries we include as source in our repository. https://github.com/dotnet/arcade/blob/main/Documentation/UnifiedBuild/VMR-Strategy-For-External-Source.md has the definition.
Other dependencies (like llvm-project), we maintain as a fork. Others we depend on system packages (openssl, our compiler toolchain). In the future, we may download some (test-only) dependencies that aren't needed in source-build scenarios and would only bloat the repo. This README only applies to vendored dependencies.
Co-authored-by: Jeremy Koritzinsky <jkoritzinsky@gmail.com>
Good point. Let me think about this. |
| - Select the "Releases" and "Security alerts" checkboxes | ||
| - Click on "Apply" | ||
|
|
||
| 8. Consult with the .NET Security experts to make sure we meet all of Microsoft's Open Source guidance, especially regarding security updates and timeline expectations. |
There was a problem hiding this comment.
This ought to happen before a new dependency is added, not at the very end :)
There was a problem hiding this comment.
9? (For internal users) Validate that CG detects the dependency.
|
|
||
| - `library-folder/` is where the native source code lives. | ||
| - `library.cmake` is the main cmake file we add to build this library from anywhere in this repo. | ||
| - `library-version.txt` contains all the detailed release information for this library. |
There was a problem hiding this comment.
... and information about any local patches applied to the library.
| - Manual modifications we need to make after copying the source code. For example, deleting unnecessary files or trimming unnecessary code. | ||
| - Important notes about the release, like security fixes. | ||
|
|
||
| 5. Make any necessary cmake changes to properly consume the source code. |
There was a problem hiding this comment.
It is not unusual to make changes in the library sources as part of this step. The information about these changes should be included in ...-version.txt file. The same changes should be proposed for the library upstream so that they are not necessary during the next library update.
Contributes to #101465
General guidance with the essential steps to add or update a native external library.
Each library might have its own specific steps, we can add them later as needed.