License Allowlist and Classification for 3P deps
Adding a section to 'adding to third party' that explains license classifications and the process of adding a new license to the allowlist. I would like feedback and suggestions on what the process should be for someone adding a new license to the allowlist and how it fits into the larger process. You can see a live version of this at https://chromium.googlesource.com/chromium/src/+/refs/changes/14/6113314/13/docs/adding_to_third_party.md#license-classifications

Bug: 379977497
Change-Id: I86de920992d6895f567762d3c4f52258c0419d45
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6113314
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Auto-Submit: Jordan Brown <rop@google.com>
Cr-Commit-Position: refs/heads/main@{#1405322}
committed by
Chromium LUCI CQ

parent
31540da148
commit
e9acbe7c22
@@ -311,10 +311,66 @@ Multiple licenses apply when there are dependencies bundled together, or
|
|||||||
different parts have different restrictions, these are inherently 'and'. This is
|
different parts have different restrictions, these are inherently 'and'. This is
|
||||||
very different to a project allowing multiple license options.
|
very different to a project allowing multiple license options.
|
||||||
|
|
||||||
The license field in README.chromium must use a _comma-separated list_ of licenses
|
The `License:` field in README.chromium must use a _comma-separated list_ of licenses
|
||||||
that are actively in use. Complex license expressions are not allowed or
|
that are actively in use. Complex license expressions are not allowed or
|
||||||
supported.
|
supported.
|
||||||
|
|
||||||
|
Use SPDX license identifiers (https://spdx.org/licenses/) when possible e.g.
|
||||||
|
['Apache-2.0'](https://spdx.org/licenses/Apache-2.0.html). You can find the full
|
||||||
|
allowlist in
|
||||||
|
[depot_tools/+/main:metadata/fields/custom/license_allowlist.py](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
|
||||||
|
If the dependency uses a license that is not in the allowlist, you will need to
|
||||||
|
add it to the
|
||||||
|
[allowlist](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
|
||||||
|
This requires approval from the ATLs who will check that the license
|
||||||
|
classification is one of [unencumbered/permissive/notice/reciprocal]. If the
|
||||||
|
license is more restrictive than reciprocal, engage with the ATLs to determine
|
||||||
|
if the dependency is appropriate for Chromium. The license identifier will still
|
||||||
|
need to be added to the restricted list
|
||||||
|
['WITH_PERMISSION_ONLY'](https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py).
|
||||||
|
Do not use a license on that list without approval from the ATLs.
|
||||||
|
|
||||||
|
#### License Classifications
|
||||||
|
|
||||||
|
Licenses used in our codebase fall into several categories of increasing
|
||||||
|
restrictiveness, with notice-level and less restrictive licenses being allowed
|
||||||
|
in all projects:
|
||||||
|
|
||||||
|
* **Public Domain/Unencumbered/Permissive Licenses** - These licenses allow
|
||||||
|
you to do almost anything with the code, they may require attribution e.g.:
|
||||||
|
* [CC0-1.0](https://spdx.org/licenses/CC0-1.0.html).
|
||||||
|
* [Unlicense](https://spdx.org/licenses/Unlicense.html).
|
||||||
|
* **Notice Licenses** - (Most open source licenses fall into this category)
|
||||||
|
These licenses are similar to permissive but have additional notice
|
||||||
|
requirements e.g.:
|
||||||
|
* [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html): [`Any modified files
|
||||||
|
must carry prominent notices stating that you changed the
|
||||||
|
files`](https://source.chromium.org/chromium/chromium/src/+/main:third_party/catapult/third_party/coverage/LICENSE.txt;l=98).
|
||||||
|
* [BSD-3-Clause](https://spdx.org/licenses/BSD-3-Clause): [`3. Neither the
|
||||||
|
name of the copyright holder nor the names of its contributors may be
|
||||||
|
used to endorse or promote products derived from this software without
|
||||||
|
specific prior written
|
||||||
|
permission.`](https://source.chromium.org/chromium/chromium/src/+/main:ios/third_party/fishhook/LICENSE;drc=1308ce89bbb959047a73145a0ca4a2f5f7dde894;l=10).
|
||||||
|
|
||||||
|
Additionally, open source projects like Chromium are also allowed to use reciprocal licenses:
|
||||||
|
|
||||||
|
* **Reciprocal Licenses** - These licenses require sharing modifications under
|
||||||
|
the same terms:
|
||||||
|
|
||||||
|
* [MPL-1.1](https://spdx.org/licenses/MPL-1.1.html).
|
||||||
|
* [APSL-2.0](https://spdx.org/licenses/APSL-2.0.html).
|
||||||
|
|
||||||
|
* **Restricted Licenses !Case-by-case Approval Required!** - These licenses
|
||||||
|
have stricter requirements but are allowed in some circumstances. These
|
||||||
|
licenses may require you to publish the code under the same terms and
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
* [LGPL-2.1](https://spdx.org/licenses/LGPL-2.1.html).
|
||||||
|
* [GPL-2.0](https://spdx.org/licenses/GPL-2.0.html).
|
||||||
|
|
||||||
|
Make sure you understand the license terms before checking in a dependency, and
|
||||||
|
when making any local modifications or forks.
|
||||||
|
|
||||||
## Get a review
|
## Get a review
|
||||||
|
|
||||||
All third party additions and substantive changes like re-licensing need the
|
All third party additions and substantive changes like re-licensing need the
|
||||||
|
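Review bot: The new allowlist paragraph (from "If the dependency uses a license that is not in the allowlist" through "Do not use a license on that list without approval from the ATLs.") says ATL approval is required both for adding to the allowlist and for using anything on `WITH_PERMISSION_ONLY`, but not how to request that approval or where it is recorded, which is the process question the CL description asks reviewers about; consider stating who to add as reviewer on the depot_tools allowlist change and whether the approval should be noted in the dependency's README.chromium so later readers can find it. Two consistency points in the "License Classifications" bullets: the Apache-2.0 quote links to a vendored copy at `third_party/catapult/third_party/coverage/LICENSE.txt;l=98`, which can move or be removed, while the BSD-3-Clause quote is pinned with a `drc=` revision, so either pin both or quote from the SPDX pages already linked on the same lines; and the BSD-3-Clause SPDX link is the only one in the list without the `.html` suffix.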