[PSA] Changes to management of restricted licenses (GPL, LGPL) in //third_party

[Jordan Brown]

TLDR: 

The review process for using 3P dependencies with Restricted or By-Exception-Only licenses is changing. Owners of dependencies using these types of licenses will be added to an automatically created review bug which will explain any action you need to take.

What is changing?

We’re updating the license review and approval steps for importing third party dependencies. 

Dependencies using licenses classified as ‘restricted’ or ‘by exception only’ must now follow a more structured review process and record the approval in a restrictive_license_approval.textproto. 

Who does this affect?

Changes only impact dependencies which use licenses classified as ‘restricted’ or ‘by exception only’ by the license classifier (Googlers can use go/lican). 

• If you do not own one of these dependencies, you don’t need to do anything. 

• If you are impacted, we’ll soon add you to a licence review bug. This will detail the next steps: a short license review and subsequently populating a textproto and adding it to your third party dependency directory.

• If you want to import one of these dependencies in the future, following the Chromium third party import docs will walk you through the process. 

Why this is changing:

• These use cases were previously managed manually using the license allowlist in depot_tools which did not allow for caveats or special handling.

• To make historic import approvals and allowed use cases easier to find. License review discussions have historically taken place over email, and context is easily lost over time.

• To enable more robust automation in milestone license reviews for Chrome browser releases.

For more information:

• See the Restricted or By-Exception-Only licenses section of the Chromium third party docs.

Thanks,

rop@ - Jordan Brown - Chromium Third Party Dependency Metadata Chief