
licenses: Clarify that all deps need a license.

This protects us against license issues by proving we were able to
use the dependency when we brought it in and also helps us with
shared dependency usage in the future where someone else may include
it in something that's included in a final binary and it appears in
the SBOM.

Bug: b/360994901
Change-Id: Iaee1beaa4becd75a93d56ad17d8937f188bae1be
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5881835
Reviewed-by: Rick Byers <rbyers@chromium.org>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Cr-Commit-Position: refs/heads/main@{#1360344}
Rachael Newitt
2024-09-26 03:37:41 +00:00
committed by Chromium LUCI CQ
parent 5439225d41
commit f3531fda9c
2 changed files with 10 additions and 5 deletions

@ -281,9 +281,9 @@ false-negatives).
Your README.chromium should also specify whether your third party dependency
will be shipped as part of a final binary. The "Shipped" field replaces the now
deprecated special value of "NOT_SHIPPED" which was previously allowed in the
"License File" field. This use is no longer supported and if your third party
dependency includes a license you should also use the "Licence File" field to
reference it, regardless of whether it is shipped or not.
"License File" field. This use is no longer supported and all third party
dependencies must include a valid license regardless of whether it is shipped
or not.
**Multiple packages**
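Review bot: the replacement sentence on the added lines has a number-agreement slip and drops the field reference the deleted text carried: "all third party dependencies must include a valid license regardless of whether it is shipped or not" pairs a plural subject with "it", and the removed lines told the reader to point the "License File" field at the license, which the new wording no longer says even though this paragraph is explaining that field. Suggest "all third party dependencies must include a valid license and reference it in the "License File" field, regardless of whether they are shipped or not." (The deleted lines also spelled it "Licence File", so dropping them removes that typo.)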
@ -298,7 +298,12 @@ README.chromium, use the below line to separate the data for each package:
### Add a LICENSE file and run related checks
You need a LICENSE file. Example:
[//third_party/libjpeg/LICENSE](../third_party/libjpeg/LICENSE).
[//third_party/libjpeg/LICENSE](../third_party/libjpeg/LICENSE). Dependencies
should not be added without a license file and license type, even if they are
not shipped in a final product. Existing dependencies without a license file or
license type are currently being cleaned up as part of the metadata uplift
effort. If you are an OWNER of a dependency missing license fields, there will
soon be a bug filed to fix it.
Run `//tools/licenses/licenses.py scan`; this will complain about incomplete or missing
data for third_party checkins. We use `licenses.py credits` to generate the

@ -5,7 +5,7 @@ Version: A searchable version number for the package (if the package does not ve
Date: (OPTIONAL if Version or Revision is supplied) The date that the package was updated, in format YYYY-MM-DD.
Revision: (REQUIRED for dependencies which have a git repository as an upstream, OPTIONAL if the upstream is not a git repository and Version or Date is supplied)
License: The license under which the package is distributed. Standard forms are only accepted, eg MIT/X11/BSD/Apache 2.0/GPL/LGPL. See ANDROID_ALLOWED_LICENSES in PRESUBMIT.py for allowed patterns.
License File: A file path from //third_party or a relative path from the README.chromium to a child directory, whichever makes more sense for your dependency. The file should contain a copy of the package's license and correspond to the License provided above. For packages which are shipped this is a mandatory inclusion to ensure the accuracy of about:credits.
License File: A file path from //third_party or a relative path from the README.chromium to a child directory, whichever makes more sense for your dependency. The file should contain a copy of the package's license and correspond to the License provided above. All packages should contain a valid license, regardless of whether it is shipped or not.
Shipped: Either yes or no depending on whether this package should be included in about:credits. Anything shipped as part of a release or by component-updater should be credited.
Security Critical: Either yes or no. Information on what classifies a package as security critical can be found at https://chromium.googlesource.com/chromium/src/+/HEAD/docs/adding_to_third_party.md#add-a-readme_chromium
License Android Compatible: (OPTIONAL if the package is not shipped or uses a standard form license) Either yes or no depending on whether the package uses a license compatible with Android.
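Review bot: the new "License File" description, "All packages should contain a valid license, regardless of whether it is shipped or not", has the same plural/singular mismatch ("packages ... it") and no longer states that the file path itself is required; the deleted text at least said when the field was mandatory (shipped packages, for about:credits accuracy). Since the intent of the change is that the field is now mandatory for everything, suggest "This field is required for all packages, whether or not they are shipped; for shipped packages it is also what about:credits is generated from."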