Using third party code can save time and is consistent with our values - no need to reinvent the wheel! We put all code that isn't written by Chromium developers into
//third_party (even if you end up modifying just a few functions). We do this to make it easy to track license compliance, security patches, and supply the right credit and attributions. It also makes it a lot easier for other projects that embed our code to track what is Chromium licensed and what is covered by other licenses.
By default, all code should be checked into //third_party, for the reasons given above. Other locations are only appropriate in a few situations and need explicit approval; don‘t assume that because there’s some other directory with third_party in the name it's okay to put new things there.
To make sure the inclusion of a new third_party project makes sense for the Chromium project, you should first obtain Chrome Eng Review approval. Please include the following information in an email to firstname.lastname@example.org:
Googlers can access go/chrome-eng-review and review existing topics in g/chrome-eng-review, and can also come to office hours to ask questions.
The size of Chromium derived executables can impact overall performance of those binaries as they need to run on a wide range of devices including those with extremely limited RAM. Additionally, we have experience from Windows of the binary size impacting successful patch rate of updates as well as constraints from the Android Ecosystem where APKs included in the system image have hard limits on their size due to allocation size of the system partition. For more details and guidelines on size increases see //docs/speed/binary_size/binary_size_explainer.md and Googlers can additionally check go/chrome-binary-size
There are two common ways to depend on third-party code: you can reference a Git repo directly (via entries in the DEPS file) or you can check in a snapshot. The former is preferable in most cases:
Checking in a snapshot is useful if this is effectively taking on maintenance of an unmaintained project (e.g. an ancient library that we‘re going to GN-ify that hasn’t been updated in years). And, of course, if the code you need isn't in a Git repo, then you have to snapshot.
If the code is in a Git repo that you want to mirror, please file an infra git ticket to get the repo mirrored onto chromium.googlesource.com; we don't allow direct dependencies on non-Google-hosted repositories, so that we can still build if an external repository goes down.
Once the mirror is set up, add an entry to //DEPS so that gclient will pull it in. If the code is only needed on some platforms, add a condition to the deps entry so that developers on other platforms don‘t pull in things they don’t need.
As for specifying the path where the library is fetched, a path like
//third_party/<project_name>/src is highly recommended so that you can put the file like OWNERS or README.chromium at
//third_party/<project_name>. If you have a wrong path in DEPS and want to change the path of the existing library in DEPS, please ask the infrastructure team before committing the change.
Lastly, add the new directory to Chromium‘s
//third_party/.gitignore, so that it won’t show up as untracked files when you run
git status on the main repository.
If you are checking in a snapshot, please describe the source in the README.chromium file, described below. For security reasons, please retrieve the code as securely as you can, using HTTPS and GPG signatures if available. If retrieving a tarball, please do not check the tarball itself into the tree, but do list the source and the SHA-512 hash (for verification) in the README.chromium and Change List. The SHA-512 hash can be computed via
openssl dgst -sha512. If retrieving from a git repository, please list the revision that the code was pulled from.
If you are checking the files in directly, you do not need an entry in DEPS and do not need to modify
_Accessible to Googlers only. Non-Googlers can email one of the people in third_party/OWNERS for help.
Your OWNERS file must either list two Chromium developer accounts as the first two lines or include a
file: directive to an OWNERS file within the
third_party directory that itself conforms to this criterion. This will ensure accountability for maintenance of the code over time. While there isn't always an ideal or obvious set of people that should go in OWNERS, this is critical for first-line triage of any issues that crop up in the code.
As an OWNER, you're expected to:
You need a README.chromium file with information about the project from which you're re-using code. See //third_party/README.chromium.template for a list of fields to include. A presubmit check will check this has the right format.
README.chromium files contain a field indicating whether the package is security-critical or not. A package is security-critical if it is compiled into the product and does any of the following:
One of the fields is CPEPrefix. This is used by Chromium and Google systems to spot known upstream security vulnerabilities, and ensure we merge the fixes into our third-party copy. These systems are not foolproof, so as the OWNER, it's up to you to keep an eye out rather than solely relying on these automated systems. But, adding CPEs decreases the chances of us missing vulnerabilities, so they should always be added if possible.
The CPE is a common format shared across the industry; you can look up the CPE for your package here. Please use CPE format 2.2. When searching for a CPE, you may find that there is not yet a CPE for the specific upstream version you‘re using. This is normal, as CPEs are typically allocated only when a vulnerability is found. You should follow the version number convention such that, when that does occur in future, we’ll be notified. If no CPE is available, please specify “unknown”.
If you‘re using a patched or modified version which is halfway between two public versions, please “round downwards” to the lower of the public versions (it’s better for us to be notified of false-positive vulnerabilities than false-negatives).
You need a LICENSE file. Example: //third_party/libjpeg/LICENSE.
//tools/licenses/licenses.py scan; this will complain about incomplete or missing data for third_party checkins. We use
licenses.py credits to generate the about:credits page in Google Chrome builds.
If the library will never be shipped as a part of Chrome (e.g. build-time tools, testing tools), make sure to set “License File” as “NOT_SHIPPED” so that the license is not included in about:credits page (more on this below).
All third party additions and substantive changes like re-licensing need the following sign-offs. Some of these are accessible to Googlers only. Non-Googlers can email one of the people in //third_party/OWNERS for help.
Please send separate emails to the eng review and email@example.com. You can skip the eng review and firstname.lastname@example.org when you are only moving existing directories in Chromium to //third_party/.
Subsequent changes don't normally require third-party-owners or security approval; you can modify the code as much as you want. When you update code, be mindful of security-related mailing lists for the project and relevant CVE to update your package.
As we said at the beginning, it is important that Chrome displays the right credit and attributions for all of the third_party code we use.
To view this in chrome, you can open chrome://credits.
That page displays a resource embedded in the browser as part of the //components/resources/components_resources.grd GRIT file; the actual HTML text is generated in the //components/resources:about_credits build target using a template from the output of the //tools/licenses/licenses.py script. Assuming you‘ve followed the rules above to ensure that you have the proper LICENSE file and it passes the checks, it’ll be included automatically.