From 9748dcdb1a3d1c4d16d2dc9ed56348c1f8f7e91a Mon Sep 17 00:00:00 2001
From: Jordan Brown
Date: Mon, 20 Jan 2025 16:22:19 -0800
Subject: [PATCH] Add clear documentation to license_allowlist.py

The documentation aims to cover how to make, and review changes to this file.

Change-Id: I887ce938df71119f5d04f7cec30350beddcdef47
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6168292
Commit-Queue: Jordan Brown
Reviewed-by: Nico Weber
Reviewed-by: Rick Byers
---
 metadata/LICENSE_OWNERS | 7 +++-
 metadata/fields/custom/license_allowlist.py | 45 ++++++++++++++++++---
 2 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/metadata/LICENSE_OWNERS b/metadata/LICENSE_OWNERS
index 17dbeeab9..75364a331 100644
--- a/metadata/LICENSE_OWNERS
+++ b/metadata/LICENSE_OWNERS
@@ -1,7 +1,12 @@
-# ATLs are responsible for approving new licenses.
+# ATLs and chromium-third-party@google.com are responsible for
+# approving new licenses.
 # TODO(b/379562012) Replace with file:/ATL_OWNERS.
 rbyers@chromium.org
 thakis@chromium.org
+# Automatic round-robin assignment of reviewer for third-party licenses.
+# No one receives email to this list, just use it as a reviewer.
+chromium-third-party@google.com
+
 # TODO(b/379223095) Remove security team once transition to spdx allow list is complete.
 file:SECURITY_TEAM_OWNERS
\ No newline at end of file
diff --git a/metadata/fields/custom/license_allowlist.py b/metadata/fields/custom/license_allowlist.py
index 9c4c59bd3..b7d76e05a 100644
--- a/metadata/fields/custom/license_allowlist.py
+++ b/metadata/fields/custom/license_allowlist.py
@@ -5,18 +5,51 @@
 # These licenses are used to verify that code imported to Android complies with
 # their licensing requirements. Do not add entries to this list without approval.
-# Any licenses added should be a valid SPDX Identifier. For the full list of
+# SPDX Identifiers are preferred when available. For the full list of
 # identifiers; see https://spdx.org/licenses/.
-# Licenses below are grouped by restrictiveness level and then alphabetically.
+# Licenses are grouped by their classification (restrictiveness level) and then alphabetically.
+#
+# The classifications are based on the license classifier tool available at:
+# https://github.com/google/licenseclassifier/blob/main/license_type.go
+# Unfortunately, this open source version is no longer maintained.
+# These are the differrent classifications we identify, ordered by restrictiveness level:
+# * unencumbered, permissive, notice, reciprocal, restricted, by_exception_only, forbidden.
+#
+# 'by_exception_only' and 'forbidden' should never enter Chromium, reach out to
+# product counsel if the need arises.
+#
+# REVIEW INSTRUCTIONS FOR chromium-third-party@google.com (and a guide to contributing to this file):
+# 1. Paste the contents of the license to be classified into
+# https://opensource.corp.google.com/license/analyze. This will provide the ID
+# and the classification. Command line alternatives are documented at
+# go/license-classifier, but work on entire files only.
+# 1.1 'unencumbered', 'permissive', or 'notice' are allowed ✅.
+# 1.2 'reciprocal' are allowed, but only in open source projects e.g. Chromium.
+# See OPEN_SOURCE_SPDX_LICENSES below.
+# 1.3 >='restricted' are handled on a case-by-case basis and require individual approval
+# from opensource-licensing@google.com and chromium-third-party@google.com. Be sure to include
+# the license and relevant details in the email. It can be helpful to
+# identify existing dependencies that have already been approved.
+#
+# 2. Check spdx.org/licenses to see if the license has an SPDX identifier.
+# 2.1 If it does: Use this value instead of the license classifier output,
+# and add it to ALLOWED_SPDX_LICENSES.
+# 2.2 If does not: Add the id provided by the license classifier
+# to EXTENDED_LICENSE_CLASSIFIERS.
+#
+# 3. Ensure that it is added under the correct classification
+# e.g. '# notice', and then sorted alphabetically asscending.
+#
+# 4. If you are uncertain whether a given third-party library can be included in
+# Chromium, please email opensource-licensing@google.com with the library's
+# license documentation, and explain where and how the component is going to
+# be used.
 ALLOWED_SPDX_LICENSES = frozenset([
-    # other_ignorable.
-    # go/keep-sorted start case=no
-    "LZMA-SDK-9.22",
-    # go/keep-sorted end
 # unencumbered.
 # go/keep-sorted start case=no
 "blessing",
 "CC0-1.0",
+    "LZMA-SDK-9.22",
 "Unlicense",
 # go/keep-sorted end
 # permissive.
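Review bot: Step 2.1 of the new header directs every license that has an SPDX identifier into ALLOWED_SPDX_LICENSES, while step 1.2 says 'reciprocal' licenses are only allowed in open-source projects and points at OPEN_SOURCE_SPDX_LICENSES, so if reciprocal entries are meant to live in that second set a reader following step 2 literally lands them in the wrong list; suggest `# and add it to ALLOWED_SPDX_LICENSES (or OPEN_SOURCE_SPDX_LICENSES if it was classified 'reciprocal', see 1.2).` The same block has spelling slips that will be copied into review comments once this is the canonical guide: `differrent` → `different`, `asscending` → `ascending`, and `# 2.2 If does not:` → `# 2.2 If it does not:`. The analyze URL and go/license-classifier link in step 1 appear to be internal-only, so the "guide to contributing to this file" promise does not hold for external contributors; a sentence telling them to go straight to step 4 would close that gap. Separately, moving "LZMA-SDK-9.22" out of the removed `# other_ignorable.` group into `# unencumbered.` changes how an allowlisted license is classified, which is more than the documentation change the commit title describes, and nothing in the hunk or the description records the reason; a one-line justification in the description (or a comment beside the entry) keeps the allowlist auditable.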