Upcoming changes to BUILD license rules

What is happening?

This year (2021) Opensource Compliance Eng. will begin migrating the licenses() rules inside BUILD files to a new Starlark-based definition.

tl;dr We're migrating from this:

# Foo, a framework for frobbing widgets.
package(default_visibility = ["//visibility:public"])



# ...other build rules (or perhaps none if you aren't using the build system)...

To this:

# Foo, a framework for frobbing widgets.

load("//tools/build_defs/license:license.bzl", "license")

    default_applicable_licenses = [":license"],
    default_visibility = ["//visibility:public"],

license(name = "license")

# ...other build rules (or perhaps none if you aren't using the build system)...

This new rule allows for using the LICENSE file to determine the appropriate license conditions for the package

New requirements

The example above shows what a BUILD file would look like with these new requirements implemented.

  1. All BUILD files need a package() rule.

    This is necessary since default_applicable_licenses is an attribute of package, so this rule needs to exist.

    Some open source projects use Bazel scripts to generate their package rules. This is discouraged by the Bazel team (https://github.com/bazelbuild/bazel/issues/5939) but we are aware it happens. ComplianceLint exceptions for those projects will be granted on a case-by-case basis, but those Bazel scripts will need to be modified to support licensing needs.

  2. All BUILD files package() rules must define default_applicable_licenses and default_visibility attributes.

    default_applicable_licenses is mandatory since it defines the licensing for all targets in the package. In the very specialized case that an individual target has an alternate license, it can be specified using the 'applicable_licenses' attribute on a target.

    (http://linkremoved/) At this time, the Blaze documentation for this feature has not been written.

    Our previous guidance has been that populating the default_visibility attribute has been encouraged, but not required. We are now making default_visibility mandatory. A library that is open to //visibility:public means anyone can depend on it, and they are affected by the future of that library, but not necessarily invested in the ownership of that library. This can create problems when version maintenance is needed. By carefully restricting visibility up-front, it's easier to maintain the code by making sure all users of the code are properly aware of their ownership of the library and the responsibilities as documented in (go/thirdparty/responsibilities) and utilized by (go/floorcloth)

When is this happening?

Soon (2021H2)! We'll begin migrating users automatically starting with the LSC documented at go/third-party-removed.

Do I need to do anything?

No, not yet. We will update the BUILD specific documentation for third party (go/thirdparty/documentation#build) when it's time to switch over.

At some point later we will also begin enforcing these new license rules via go/compliancelint.

  • go/license-checking-v2 is the original design doc for the new rules.
  • go/third-party-removed is the first LSC (//third_party/golang/... only)
  • //piper/.../license.bzl is the Starlark definitions