mirror of
https://github.com/microsoft/vscode.git
synced 2026-04-18 07:47:23 +01:00
35 lines
1.3 KiB
Markdown
35 lines
1.3 KiB
Markdown
---
|
|
applyTo: '{ThirdPartyNotices.txt,cli/ThirdPartyNotices.txt,cglicenses.json,cgmanifest.json}'
|
|
---
|
|
|
|
# OSS License Review
|
|
|
|
When reviewing changes to these files, verify:
|
|
|
|
## ThirdPartyNotices.txt
|
|
|
|
- Every new entry has a license type header (e.g., "MIT License", "Apache License 2.0")
|
|
- License text is present and non-empty for every entry
|
|
- License text matches the declared license type (e.g., MIT-declared entry actually contains MIT license text, not Apache)
|
|
- Removed entries are cleanly removed (no leftover fragments)
|
|
- Entries are sorted alphabetically by package name
|
|
|
|
## cglicenses.json
|
|
|
|
- New overrides have a justification comment
|
|
- No obviously stale entries for packages no longer in the dependency tree
|
|
|
|
## cgmanifest.json
|
|
|
|
- Package versions match what's actually installed
|
|
- Repository URLs are valid and point to real source repositories
|
|
- Newly added license identifiers should use SPDX format where possible
|
|
- License identifiers match the corresponding ThirdPartyNotices.txt entries
|
|
|
|
## Red Flags
|
|
|
|
- Any **newly added** copyleft license (GPL, LGPL, AGPL) — flag immediately (existing copyleft entries like ffmpeg are pre-approved)
|
|
- Any "UNKNOWN" or placeholder license text
|
|
- License text that appears truncated or corrupted
|
|
- A package declared as MIT but with Apache/BSD/other license text (or vice versa)
|