After thinking about this for a while, I think Eric's original proposal of using git submodules is the most suitable for now. It doesn't require an external tool and gives us all the features we need. The only downside is that we will have to maintain git mirrors of third party repositories if they don't use git, but that's easy enough to do. It simultaneously also allows us to use patched versions of third party libraries if necessary, since we would control the git repository ourselves. One thing to keep in mind with git submodules is that one can only use an entire repository as a submodule and not some subdirectory of another repository like svn:externals. However if we really only want to include a subdirectory of a third party repository we might as well maintain a subtree split branch of that directory (see http://help.github.com/subtree-merge/
Oleg wrote:The requirements for a solution are:
1. It must address how developers would install the package(s) into their development tree.
git submodule init
git submodule update
Oleg wrote:2. It must bundle the package(s) with phpbb when phpbb packages are built, so that our users do not need to download/install anything extra.
Packages will continue to be built the same way, as long as git submodule update was run before building, all checked out third party code will be included in the package.
Oleg wrote:3. It must have an update policy: when we update our copy of the external project, which versions of the external project we are tracking in which versions of phpbb, how do we handle the case when a security issue is found in the external project and it is not fixed in the version that we are tracking (i.e. we must upgrade to a higher major version to get the security fix).
This policy will have to be decided on a case-by-case basis. Git submodules make it clear which version is tracked in which revision of phpbb code, so all we need to do for each library is determine when/how we want to update to which version.
Oleg wrote:Additionally we have the following nice to haves:
1. We would like to not have huge amounts of third-party code in our tree.
With git submodules we won't have third party code in our tree.
Oleg wrote:2. We should consider whether it is possible for the user to run a different version of the third-party package (i.e. newer, older or patched) with phpbb, and how this would work.
Yes would work as explained in the beginning.
Oleg wrote:3. If it is possible to have the third-party package installed systemwide, phpbb should be able to use the systemwide copy.
I disagree with this one, because I think it's more important to have a consistent phpBB system with precisely the correct version than to save a few bytes of disk space to reuse some system wide installed library. The git submodules solution wouldn't offer this, and you already only marked it as "nice to have". So I think skipping this one should be ok.