1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32

third_party / README.chromium.template [blame]

Name: Descriptive name of the package.
Short Name (OPTIONAL): Name the package is distributed under (ex. libxml, openssl, etc).
URL: The URL where the package lives.
Version: A searchable version number for the package (if the package does not version or is versioned by date or revision this field should be "N/A" and the revision, or date should be enumerated in the appropriate field).
Date: (OPTIONAL if Version or Revision is supplied) The date that the package was updated, in format YYYY-MM-DD.
Revision: (REQUIRED for dependencies which have a git repository as an upstream, OPTIONAL if the upstream is not a git repository and Version or Date is supplied)
License: The license/s under which the package is distributed. See ALLOWED_SPDX_LICENSES in depot_tools for the full list of allowed licenses https://source.chromium.org/chromium/chromium/tools/depot_tools/+/main:metadata/fields/custom/license_allowlist.py. If your dependency has multiple licenses, see https://chromium.googlesource.com/chromium/src/+/main/docs/adding_to_third_party.md#add-a-license-file-and-run-related-checks for guidance on how supply multiple entries or choose the best fit.
License File: A file path from //third_party or a relative path from the README.chromium to a child directory, whichever makes more sense for your dependency. The file should contain a copy of the package's license and correspond to the License provided above. All packages should contain a valid license, regardless of whether it is shipped or not.
Shipped: Either yes or no depending on whether this package should be included in about:credits. Anything shipped as part of a release or by component-updater should be credited.
Security Critical: Either yes or no. Information on what classifies a package as security critical can be found at https://chromium.googlesource.com/chromium/src/+/HEAD/docs/adding_to_third_party.md#add-a-readme_chromium
License Android Compatible: (OPTIONAL if the package is not shipped or uses a standard form license) Either yes or no depending on whether the package uses a license compatible with Android.
CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.3 (preferred) or 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown". If you're using a patched or modified version which is halfway between two public versions, please "round downwards" to the lower of the public versions (it's better for us to be notified of false-positive vulnerabilities than false-negatives).

Description:
A short description of what the package is and is used for.

Local Modifications:
Enumerate any changes that have been made locally to the package from the
shipping version listed above.

If the files from the third party package (e.g. fetched during a git checkout)
aren't modified, put "None" here (without enclosing quotes).

Note: Files required for Chromium tooling integration don't count as local
modifications. Examples include: BUILD.gn, OWNERS file, DIR_METADATA, LICENSE,
README.chromium.

# It is preferred each package has its own README.chromium. However, if
# this is not possible and the information for multiple packages must be
# placed in a single README.chromium, use the below line to separate the
# data for each package:
-------------------- DEPENDENCY DIVIDER --------------------