License Allowlist and Classification for 3P deps
Adding a section to 'adding to third party' that explains license classifications and the process of adding a new license to the allowlist. I would like feedback and suggestions on what the process should be for someone adding a new license to the allowlist and how it fits into the larger process. You can see a live version of this at https://chromium.googlesource.com/chromium/src/+/refs/changes/14/6113314/13/docs/adding_to_third_party.md#license-classifications

Bug: 379977497
Change-Id: I86de920992d6895f567762d3c4f52258c0419d45
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6113314
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Auto-Submit: Jordan Brown <rop@google.com>
Cr-Commit-Position: refs/heads/main@{#1405322}
committed by Chromium LUCI CQ
parent 31540da148
commit e9acbe7c22
@ -311,10 +311,66 @@ Multiple licenses apply when there are dependencies bundled together, or
different parts have different restrictions, these are inherently 'and'. This is
very different to a project allowing multiple license options.
The license field in README.chromium must use a _comma-separated list_ of licenses
The `License:` field in README.chromium must use a _comma-separated list_ of licenses
that are actively in use. Complex license expressions are not allowed or
supported.
Use SPDX license identifiers (https://spdx.org/licenses/) when possible e.g.
['Apache-2.0'](https://spdx.org/licenses/Apache-2.0.html). You can find the full
allowlist in
[depot_tools/+/main:metadata/fields/custom/license_allowlist.py](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
If the dependency uses a license that is not in the allowlist, you will need to
add it to the
[allowlist](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
This requires approval from the ATLs who will check that the license
classification is one of [unencumbered/permissive/notice/reciprocal]. If the
license is more restrictive than reciprocal, engage with the ATLs to determine
if the dependency is appropriate for Chromium. The license identifier will still
need to be added to the restricted list
['WITH_PERMISSION_ONLY'](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
Do not use a license on that list without approval from the ATLs.
#### License Classifications
Licenses used in our codebase fall into several categories of increasing
restrictiveness, with notice-level and less restrictive licenses being allowed
in all projects:
* **Public Domain/Unencumbered/Permissive Licenses** - These licenses allow
you to do almost anything with the code, they may require attribution e.g.:
* [CC0-1.0](https://spdx.org/licenses/CC0-1.0.html).
* [Unlicense](https://spdx.org/licenses/Unlicense.html).
* **Notice Licenses** - (Most open source licenses fall into this category)
These licenses are similar to permissive but have additional notice
requirements e.g.:
* [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html): [`Any modified files
must carry prominent notices stating that you changed the
files`](https://source.chromium.org/chromium/chromium/src/+/main:third_party/catapult/third_party/coverage/LICENSE.txt;l=98).
* [BSD-3-Clause](https://spdx.org/licenses/BSD-3-Clause): [`3. Neither the
name of the copyright holder nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written
permission.`](https://source.chromium.org/chromium/chromium/src/+/main:ios/third_party/fishhook/LICENSE;drc=1308ce89bbb959047a73145a0ca4a2f5f7dde894;l=10).
Additionally, open source projects like Chromium are also allowed to use reciprocal licenses:
* **Reciprocal Licenses** - These licenses require sharing modifications under
the same terms:
* [MPL-1.1](https://spdx.org/licenses/MPL-1.1.html).
* [APSL-2.0](https://spdx.org/licenses/APSL-2.0.html).
* **Restricted Licenses !Case-by-case Approval Required!** - These licenses
have stricter requirements but are allowed in some circumstances. These
licenses may require you to publish the code under the same terms and
conditions:
* [LGPL-2.1](https://spdx.org/licenses/LGPL-2.1.html).
* [GPL-2.0](https://spdx.org/licenses/GPL-2.0.html).
Make sure you understand the license terms before checking in a dependency, and
when making any local modifications or forks.
## Get a review
All third party additions and substantive changes like re-licensing need the
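Review bot: the Apache-2.0 example quote in the Notice Licenses bullet links to third_party/catapult/third_party/coverage/LICENSE.txt at `main` with a bare `l=98` anchor, so the line reference will drift as soon as that file changes; pin it to a revision with a `drc=` parameter, as the BSD-3-Clause link to ios/third_party/fishhook/LICENSE in the same list already does. On the process text, the paragraph after the allowlist link says adding a license to the allowlist or to 'WITH_PERMISSION_ONLY' "requires approval from the ATLs" and that a restricted license must not be used "without approval from the ATLs", but it never says where that approval is recorded (the depot_tools CL, the dependency CL, or README.chromium), so a reader following the steps cannot tell what artifact a reviewer should look for; one sentence naming the record would close that gap. Minor style point: the bullet title `**Restricted Licenses !Case-by-case Approval Required!**` uses exclamation marks as emphasis markers, which reads as a typo in rendered markdown; plain bold text or a separate "(case-by-case approval required)" parenthetical would be clearer.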