| # Adding third_party Libraries |
| |
| [TOC] |
| |
| Using third party code can save time and is consistent with our values - no need |
| to reinvent the wheel! We put all code that isn't written by Chromium developers |
| into src/third_party (even if you end up modifying just a few functions). We do |
| this to make it easy to track license compliance, security patches, and supply |
| the right credit and attributions. It also makes it a lot easier for other |
| projects that embed our code to track what is Chromium licensed and what is |
| covered by other licenses. |
| |
| ## Get the Code |
| |
| When you find code you want to use, get it. This often means downloading: from |
| Sourceforge, from the hosting feature of Google Code, or from somewhere else. |
| Sometimes it can mean negotiating a license with another company and receiving |
| the code another way. Please describe the source in the README.chromium file, |
| described below. For security reasons, please retrieve the code as securely as |
| you can, using HTTPS and GPG signatures if available. If retrieving a tarball, |
| please do not check the tarball itself into the tree, but do list the source and |
| the SHA-512 hash (for verification) in the README.chromium and Change List. The |
| SHA-512 hash can be computed via the `shasum (sha512sum)` or `openssl` |
| utilities. If retrieving from a git repository, please list the SHA-512 hash. |
| |
| ## Put the Code in (the right) third_party |
| |
| By default, all code should be checked into |
| [src/third_party](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/). |
| It is OK to have third_party subdirectories that are not top-level (e.g. |
| src/net/third_party), but don't add more third_party directories than necessary. |
| |
| ## Document the Code's Context |
| |
| ### Add OWNERS |
| |
| Your OWNERS file must include 2 Chromium developer accounts. This will ensure |
| accountability for maintenance of the code over time. While there isn't always |
| an ideal or obvious set of people that should go in OWNERS, this is critical for |
| first-line triage of any issues that crop up in the code. |
| |
| As an OWNER, you're expected to: |
| |
| * Remove the dependency when/if it is no longer needed |
| * Update the dependency when a security or stability bug is fixed upstream |
| * Help ensure the Chrome feature that uses the dependency continues to use the |
| dependency in the best way, as the feature and the dependency change over |
| time. |
| |
| ### Add a README.chromium |
| |
| You need a README.chromium file with information about the project from which |
| you're re-using code. See |
| [README.chromium.template](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/README.chromium.template) |
| for a list of fields to include. A presubmit check will check this has the right |
| format. |
| |
| ### Add a LICENSE file and run related checks |
| |
| You need a LICENSE file. Example: |
| [third_party/libjpeg/LICENSE](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libjpeg/LICENSE?revision=42288&view=markup). |
| |
| Run the following scripts: |
| |
| * `src/tools/licenses.py scan` - This will complain about incomplete or missing |
| data for third_party checkins. We use 'licenses.py credits' to generate the |
| about:credits page in Google Chrome builds. |
| * `src/tools/checklicenses/checklicenses.py` - See below for info on how to |
| handle possible failures. |
| |
| See the ["Odds n' Ends"](adding_to_third_party.md#Odds-n_Ends) Section below if |
| you run into any failures running these. |
| |
| If the library will never be shipped as a part of Chrome (e.g. build-time tools, |
| testing tools), make sure to set "License File" as "NOT_SHIPPED" so that the |
| license is not included in about:credits page. |
| |
| ### Modify DEPS |
| |
| If the code is applicable and will be compiled on all supported Chromium |
| platforms (Windows, Mac, Linux, Chrome OS, iOS, Android), check it in to |
| [src/third_party](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/). |
| |
| If the code is only applicable to certain platforms, check it in to |
| [src/third_party](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/) |
| and add an entry to the |
| [DEPS](http://src.chromium.org/viewvc/chrome/trunk/src/DEPS) file that causes |
| the code to be checked out from src/third_party into src/third_party by gclient. |
| |
| _Explanation: Checking it into src/third_party causes all developers to need to |
| check out your code. This wastes disk space cause syncing to take longer for |
| developers that don't need your code. When all platforms really do need the |
| code, checking it in to src/third_party allows some slight improvements over |
| DEPS._ |
| |
| As for specifying the path where the library is fetched, a path like |
| `src/third_party/<project_name>/src` is highly recommended so that you can put |
| the file like OWNERS or README.chromium at `third_party/<project_name>`. If you |
| have a wrong path in DEPS and want to change the path of the existing library in |
| DEPS, please ask the infrastructure team before committing the change. |
| |
| ### Checking in large files |
| _Accessible to Googlers only. Non-Googlers can email one of the people in |
| third_party/OWNERS for help._ |
| |
| See [Moving large files to Google Storage](https://goto.google.com/checking-in-large-files) |
| |
| ## Setting up ignore |
| |
| If your code is synced via DEPS, you should add the new directory to Chromium's |
| `.gitignore`. This is necessary because Chromium's main git repository already |
| contains |
| [src/third_party](http://src.chromium.org/viewvc/chrome/trunk/src/third_party/) |
| and the project synced via DEPS is nested inside of it and its files regarded as |
| untracked. That is, anyone running `git status` from `src/` would see a clutter. |
| Your project's files are tracked by your repository, not Chromium's, so make |
| sure the directory is listed in Chromium's `.gitignore`. |
| |
| ## Get a Review |
| |
| All third party additions and substantive changes like re-licensing need the |
| following sign-offs. Some of these are accessible to Googlers only. Non-Googlers |
| can email one of the people in third_party/OWNERS for help. |
| |
| * Chrome Eng Review. Googlers should see go/chrome-eng-review (please include information about the additional checkout size, build times, and binary sizes. Please also make sure that the motivation for your project is clear, e.g., a design doc has been circulated). |
| * [email protected] (ping the list with relevant |
| details and a link to the CL). |
| * [email protected] (ping the list with relevant details and a link to the |
| CL). |
| |
| Please send separate emails to the three lists. |
| |
| Third party code is a hot spot for security vulnerabilities. When adding a new |
| package that could potentially carry security risk, make sure to highlight risk |
| to [email protected]. You may be asked to add a README.security or, in |
| dangerous cases, README.SECURITY.URGENTLY file. When you update your code, be |
| mindful of security-related mailing lists for the project and relevant CVE to |
| update your package. |
| |
| Subsequent changes don't require third-party-owners approval; you can modify the |
| code as much as you want. |
| |
| ## Ask the infrastructure team to add a git mirror for the dependency (or |
| configure the git repo, if using googlesource.com) |
| |
| Before committing the DEPS, you need to ask the infra team to create a git |
| mirror for your dependency. [Create a |
| ticket](https://bugs.chromium.org/p/chromium/issues/entry?template=Infra-Git) |
| for infra and ask the infra team. |
| |
| If you are using a git repo from googlesource.com then you must ensure that the |
| repository is configured to give the build bots unlimited quota, or else the |
| builders will fail to checkout with an "Over Quota" error. [Create a |
| ticket](https://bugs.chromium.org/p/chromium/issues/entry?template=Infra-Git) |
| for infra and ask the infra team what needs to be done. Note that you'll need |
| unlimited quota for at least two role accounts. See the quota status of |
| `boringssl` as an example. |
| |
| ## Odds n' Ends |
| |
| ### Handling `licenses_check (checklicenses.py)` failures |
| |
| This is needed for [Issue |
| 28291](http://code.google.com/p/chromium/issues/detail?id=28291): Pass the |
| Ubuntu license check script: |
| |
| __If the failure looks like ... ... the right action is to ... __ |
| |
| * 'filename' has non-whitelisted license 'UNKNOWN' |
| * Ideally make the licensecheck.pl script recognize the license of that |
| file. Often this requires __adding a license header__. Does it have |
| license header? If it's third party code, ask the upstream project to make |
| sure all their files have license headers. If the license header is there |
| but is not recognized, we should try to patch licensecheck.pl. If in |
| doubt please contact [email protected] |
| * 'filename' has non-whitelisted license 'X' and X is BSD-compatible |
| * Add the license X to WHITELISTED_LICENSES in checklicenses.py . Make sure |
| to respect the OWNERS of that file. You must get an approval before |
| landing. CLs violating this requirement may be reverted. |
| * 'filename' has non-whitelisted license 'X' and X is not BSD-compatible (i.e. |
| GPL) |
| * Do you really need to add those files? Chromium is BSD-licensed so the |
| resulting binaries can't use GPL code. Ideally we just shouldn't have |
| those files at all in the tree. If in doubt, please ask [email protected] |
| |
