LibUp

LibUp (aka libraryupgrader) is a mostly automated tool that manages upgrades of libraries and other developer dependencies for repositories hosted on Gerrit. It lets us ensure consistency across the nearly 1,000 Git repositories we maintain and provide prompt security updates for new vulnerabilities. You can view the status of LibUp and the dependencies it tracks at https://libraryupgrader2.wmcloud.org/.

Usage
If you'd like to have your repository monitored by LibUp for coordinated upgrades and automatic security vulnerability scanning, you can add it to the repositories configuration in the labs/libraryupgrader/config Gerrit repository (see the README for the latest documentation).

To update a library across all repositories, update the releases configuration in the same Gerrit repository. Again, more documentation is available in the README.

Upstream release monitoring
LibUp can also notify you when an upstream project makes a new release. When it detects a new release, it will create a Phabricator task in the projects of your choosing or leave a new comment if a task is already open. See T280474 for an example task. Once a task has been filed, it is up to humans to decide what action to take.

To add a new upstream project, follow the instructions in the labs/libraryupgrader/config Gerrit repository, or file a bug in the LibUp Phabricator project asking for it to be added.

Behind the scenes, LibUp uses release-monitoring.org to check projects for new releases. That service supports a bunch of different backends so we don't have to. You will need a Fedora or other OpenID account to add new projects there.

Links

 * Source code (labs/libraryupgrader on Gerrit)
 * Configuration (labs/libraryupgrader/config on Gerrit)
 * Phabricator project
 * Submitted Gerrit changes
 * Web interface