It’s largely used for syncing external open source projects with the monorepo. Policy is to require source code imports over built artifacts. Though you can get exceptions.

Some projects are also developed in the monorepo and exported via Copybara.

My team also uses it to version Starlark rule sets internally.

I suppose it mitigates the potential risk of libraries being poisoned?

Well kind of, or you just end up copying the poisoned version directly into your repo rather than having it as a dependency. Same outcome.

I suppose if you're running some security analysis on code in your own repo, the fact that you've copied the code in means that it'll run on your third party dependencies too, since they no longer appear to be third party.

Source code imports versus artifacts is really neither here nor there. Go is source code imports too.

The key part for Copybara is that Google will make changes to the OSS projects from within the internal repo and everyone else will make changes to the OSS projects.

It's for when you have a monorepo internally, and want to publish parts of it as open source to the world. They still need to live in the monorepo, so this is the solution.

Having a public repo as a dependency for your private corporate repo is a pain in the ass development-wise. Having a tree of such dependencies is a migraine.

It can also be used if you want part of your monorepo to track something open source from the world.

Say, to rebase upstream MySQL changes onto a fork in the monorepo (in a random, non-specific example).

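As an added illustration of the "track an upstream into the monorepo" direction described above (this is not code from the thread or from the Copybara project; the upstream repository, the internal Git host, the tag and the destination path are all hypothetical placeholders), a minimal copy.bara.sky workflow that imports a pinned upstream release as source into a third_party/ subtree:

```starlark
# copy.bara.sky -- added example, not from the thread. "example-org/libfoo" is a
# hypothetical upstream and "monorepo.example.com" a hypothetical internal host.
core.workflow(
    name = "import_libfoo",
    # Origin: the public upstream, pinned to a release tag rather than a moving
    # branch, so each import is a reproducible, reviewable source diff.
    origin = git.github_origin(
        url = "https://github.com/example-org/libfoo",
        ref = "v1.4.2",
    ),
    # Destination: the internal monorepo. The import lands on its own branch
    # and still goes through normal code review before reaching main.
    destination = git.destination(
        url = "https://monorepo.example.com/monorepo.git",
        fetch = "main",
        push = "import/libfoo-v1.4.2",
    ),
    # Squash all upstream commits since the last import into one change.
    mode = "SQUASH",
    authoring = authoring.pass_thru("Copybara Import <copybara-import@example.com>"),
    transformations = [
        # Relocate the upstream tree under third_party/ so internal tooling
        # (license checks, static analysis, vulnerability scanners) treats it
        # like any other first-party source.
        core.move("", "third_party/libfoo"),
        # Record the imported upstream revisions in the commit message.
        metadata.squash_notes(prefix = "Import libfoo from upstream:\n\n"),
    ],
)
```

Running `copybara copy.bara.sky import_libfoo` produces the import branch; because the origin is a fixed tag, re-running it yields the same tree, which is what makes the imported diff auditable rather than a moving target.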
Yeah, that's the fun part. Probably built first for exporting monolith slices to OSS, but the reverse direction is more interesting to me. Tracking an upstream or keeping a private fork in sync. That's what makes Copybara useful well beyond the monorepo use case.

Copybara can do that but I think it will be annoying and tedious to use it that way. More annoying than the problem of extracting a library or shoving some files in a separate repo.