Adding third_party Libraries

Using third party code can save time and is consistent with our values - no need to reinvent the wheel! We put all code that isn't written by Chromium developers into src/third_party (even if you end up modifying just a few functions). We do this to make it easy to track license compliance, security patches, and supply the right credit and attributions. It also makes it a lot easier for other projects that embed our code to track what is Chromium licensed and what is covered by other licenses.

Get the Code

When you find code you want to use, get it. This often means downloading: from Sourceforge, from the hosting feature of Google Code, or from somewhere else. Sometimes it can mean negotiating a license with another company and receiving the code another way. Please describe the source in the README.chromium file, described below. For security reasons, please retrieve the code as securely as you can, using HTTPS and GPG signatures if available. If retrieving a tarball, please do not check the tarball itself into the tree, but do list the source and the SHA-512 hash (for verification) in the README.chromium and Change List. The SHA-512 hash can be computed via the shasum (sha512sum) or openssl utilities. If retrieving from a git repository, please list the SHA-512 hash.

Put the Code in (the right) third_party

By default, all code should be checked into src/third_party. It is OK to have third_party subdirectories that are not top-level (e.g. src/net/third_party), but don't add more third_party directories than necessary.

Document the Code's Context


Your OWNERS file must include 2 Chromium developer accounts. This will ensure accountability for maintenance of the code over time. While there isn't always an ideal or obvious set of people that should go in OWNERS, this is critical for first-line triage of any issues that crop up in the code.

As an OWNER, you're expected to:

  • Remove the dependency when/if it is no longer needed
  • Update the dependency when a security or stability bug is fixed upstream
  • Help ensure the Chrome feature that uses the dependency continues to use the dependency in the best way, as the feature and the dependency change over time.

Add a README.chromium

You need a README.chromium file with information about the project from which you're re-using code. See README.chromium.template for a list of fields to include. A presubmit check will check this has the right format.

Add a LICENSE file and run related checks

You need a LICENSE file. Example: third_party/libjpeg/LICENSE.

Run the following scripts:

  • src/tools/ scan - This will complain about incomplete or missing data for third_party checkins. We use ‘ credits’ to generate the about:credits page in Google Chrome builds.

If the library will never be shipped as a part of Chrome (e.g. build-time tools, testing tools), make sure to set “License File” as “NOT_SHIPPED” so that the license is not included in about:credits page.

Modify DEPS

If the code is applicable and will be compiled on all supported Chromium platforms (Windows, Mac, Linux, Chrome OS, iOS, Android), check it in to src/third_party.

If the code is only applicable to certain platforms, check it in to src/third_party and add an entry to the DEPS file that causes the code to be checked out from src/third_party into src/third_party by gclient.

Explanation: Checking it into src/third_party causes all developers to need to check out your code. This wastes disk space cause syncing to take longer for developers that don't need your code. When all platforms really do need the code, checking it in to src/third_party allows some slight improvements over DEPS.

As for specifying the path where the library is fetched, a path like src/third_party/<project_name>/src is highly recommended so that you can put the file like OWNERS or README.chromium at third_party/<project_name>. If you have a wrong path in DEPS and want to change the path of the existing library in DEPS, please ask the infrastructure team before committing the change.

Checking in large files

Accessible to Googlers only. Non-Googlers can email one of the people in third_party/OWNERS for help.

See Moving large files to Google Storage

Setting up ignore

If your code is synced via DEPS, you should add the new directory to Chromium‘s .gitignore. This is necessary because Chromium’s main git repository already contains src/third_party and the project synced via DEPS is nested inside of it and its files regarded as untracked. That is, anyone running git status from src/ would see a clutter. Your project‘s files are tracked by your repository, not Chromium’s, so make sure the directory is listed in Chromium's .gitignore.

Get a Review

All third party additions and substantive changes like re-licensing need the following sign-offs. Some of these are accessible to Googlers only. Non-Googlers can email one of the people in third_party/OWNERS for help.

  • Chrome Eng Review. Googlers should see go/chrome-eng-review (please include information about the additional checkout size, build times, and binary sizes. Please also make sure that the motivation for your project is clear, e.g., a design doc has been circulated).
  • (ping the list with relevant details and a link to the CL).
  • (ping the list with relevant details and a link to the CL).

Please send separate emails to the three lists.

Third party code is a hot spot for security vulnerabilities. When adding a new package that could potentially carry security risk, make sure to highlight risk to You may be asked to add a or, in dangerous cases, README.SECURITY.URGENTLY file. When you update your code, be mindful of security-related mailing lists for the project and relevant CVE to update your package.

Subsequent changes don't require third-party-owners approval; you can modify the code as much as you want.

Ask the infrastructure team to add a git mirror for the dependency (or

configure the git repo, if using

Before committing the DEPS, you need to ask the infra team to create a git mirror for your dependency. Create a ticket for infra and ask the infra team.

If you are using a git repo from then you must ensure that the repository is configured to give the build bots unlimited quota, or else the builders will fail to checkout with an “Over Quota” error. Create a ticket for infra and ask the infra team what needs to be done. Note that you'll need unlimited quota for at least two role accounts. See the quota status of boringssl as an example.