Third Party Reviews for Android

Where can third-party code be stored?

Third-party code is any code not under the AOSP Apache 2.0 license.

If you don’t have a really good reason to store the code elsewhere, third party code belongs in platform/external. That said, there are five other places where third-party source also sometimes occurs in Android: toolchain/*, kernel/*, vendor/*, hardware/*, and device/*.

How to add new third party code to Android

Follow the below steps to create a special Gerrit change in the *third-party-removed project*.

NOTE: Different from the normal Gerrit review process, the importer is responsible for preparing/updating a complete repository containing the library to be imported while only the third party plugin is able to create and update the Gerrit change.

After the change is ready. The Licensing, Security, and Platforms teams will +1 the change. The architecture review committee (emailremoved@) will provide their approval. The Android Build Team have the final approval by way of fulfilling the request and creating the project after the other reviewers approve.

Third-party review step by step

  1. Stage the repo you want to add on Git-on-Borg. For example, to fork boringssl from GitHub to Git-on-Borg:

    $ gob-ctl create user/{{USERNAME}}/my-boring -reader all_users -fork

    You can verify your repo was properly staged at link.

  2. Ensure that a LICENSE file exists at the root of the repo with the full text of the project’s license. If this file does not exist, or is named something else like COPYING or LICENSE.txt, add a LICENSE file.

  3. Please create a NOTICE file by copying the LICENSE file.

  4. Please create a MODULE_LICENSE_xyz file, where “xyz” is the license type, for example, MODULE_LICENSE_BSD, MODULE_LICENSE_GPL, or MODULE_LICENSE_APACHE2.

  5. Please create a METADATA file at the root of the repo. See go/thirdparty/metadata for a detailed explanation of the METADATA file and its fields.

  6. Update the staged repository to include the necessary files, e.g. user/{{USERNAME}}/reponame:

    git clone sso://user/$USER/my-boring
    cd my-boring
    # add/change the necessary files
    git add .
    git commit -m "Add metadata files"
    git push origin master
  7. Go here to add third-party code to Android Internal.

    If you are creating the project on more than one instance, such as AOSP and internal, just stage your code on Internal and add a comment in the change about the full set of hosts for project creation as a hint.

  8. Click the Create third-party change button and specify which staged repo to stage for review, which branch, and the name of the destination repo. For example:

    • Source Repository Url: “user/{{USERNAME}}/reponame”
    • Source Branch: “master”
    • Target Repository Name: “test-import-junit”

    NOTE: The “Target Repository Name” will be used directly during the clone. For example, if the expected repository is “platform/third_party/repo”, then the “Target Repository Name” should be exactly the same.

  9. After the change is created, it can be updated with the current content of the source branch of the source repository using the Third-Party: Sync button.

    The target repository can be renamed using the Third-Party: Rename button.

    Third-Party: Sync button location

  10. After the change is ready. Mandatory reviewers will review, and may ask you questions in the change.

    Please hold on to the change until the following 3 reviews are done. If it takes too long on any of these reviews, please follow step 12 to escalate.

    • Android-Architecture-Review
    • Security-Review
    • Third-Party-Review
  11. Once the change and review are ready, please open a issuetracker ticket with component: Android > Android OS & Apps > Build and provide the following information:

    • The change number or URLs of the change
    • The complete external source URLs (example:
    • The name of the source branch (usually is master but not always)
    • The target server(s): internal, AOSP, and/or partner
  12. Escalations: If any reviewers take longer than 48 hours from the time of change creation, ping them.

    Third Party Review: emailremoved@

    Security Review: emailremoved@

    Android Build Team: ping the interrupt person on call

    Anything else: emailremoved@

For issues with this policy or tooling, please email emailremoved@.

Reviewer standards

Please ensure that the repo to be cloned to platform/external only includes files under the following licenses. It is ok if the repo has many licenses as long as they all fall under one of the below.

If you see any other license types, or notice licensing abnormalities, please escalate to emailremoved@. Link to the change.

  • Apache/Apache2
  • BSD
  • MIT
  • Eclipse Public License
  • LGPL 2.1
  • GPL 2.0
  • GPL 3.0
  • LGPL 3.0
  • Python Software Foundation
  • ISC
  • OFL 1.1
  • Clang/LLVM

Except as otherwise noted, the content of this page is licensed under CC-BY-4.0 license. Third-party product names and logos may be the trademarks of their respective owners.