justinmclean opened a new issue, #190:
URL: https://github.com/apache/airflow-steward/issues/190
## Summary
The `pr-management-code-review` skill has no check for third-party-licensed
code being added to the project. A PR that includes a file with an MIT, GPL,
or CDDL header — or a third-party copyright line — passes through the review
undetected. The ASF `resolved_licenses` policy categorises third-party
licences as Category A (allowed), B (limited/blocked for source inclusion),
or X (forbidden). Category B and X inclusions should block the merge;
Category A inclusions require the project's `LICENSE` file to be updated in
the same PR.
## Gap in the existing "License headers" check
The "License headers" category added in Issue 4 only asks one question: does
this new source file have an Apache licence header? It does not distinguish
between:
- **Contributor-authored code** with a missing Apache header → fix is to add
the header.
- **Third-party code** with its own (non-Apache) header → fix is to preserve
the original header and update `LICENSE`, not to replace it with an Apache
header.
The current finding language ("add the Apache header") is incorrect for the
second case and needs to be softened to route the reviewer toward the
third-party compliance check when a non-Apache header is detected.
## ASF policy requirements
- `https://www.apache.org/legal/resolved.html` — Category A/B/X
classification of third-party licences.
- `https://www.apache.org/legal/apply-license.html` — how to apply the
Apache licence and handle third-party inclusions (copyright notices, NOTICE
file, LICENSE entry).
## Expected behaviour
### New category: "Third-party license compliance" (Step 4)
Add a new review category to `criteria.md` and `review-flow.md` Step 4.
For each file added or modified in the diff:
1. **Detect non-Apache headers and third-party copyright lines** — scan for
`SPDX-License-Identifier:` values other than `Apache-2.0`, licence header
blocks (MIT, BSD, GPL, LGPL, CDDL, MPL, etc.), and
`Copyright (c) <non-ASF entity>` lines.
2. **Classify the licence** using the ASF `resolved_licenses` policy:
- **Category X** (GPL, AGPL, CDDL, LGPL for source, BUSL, etc.):
`blocking` — cannot be included in an ASF release in any form.
- **Category B** (LGPL binary-only, MPL, EPL, CDDL binary-only, etc.):
`blocking` — cannot be included in source form; requires explicit
justification if included in binary form only.
- **Category A** (MIT, BSD-2, BSD-3, ISC, Apache 2.0, etc.):
check whether `LICENSE`, `LICENSE.txt`, or a file under `licenses/`
was also modified in this PR to acknowledge the inclusion. If not:
`major` finding — attribution is required before shipping.
3. **On Category A with LICENSE updated**: no finding — the inclusion is
correctly attributed. ✅
### Fix to existing "License headers" category
When a new file's first lines contain a non-Apache licence header or a
third-party copyright line, the "License headers" finding should note that
this appears to be third-party code and route toward the "Third-party license
compliance" check rather than simply asking the contributor to add an Apache
header.
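A worked illustration of the detection, classification and routing described in the "Third-party license compliance" steps above and in the "License headers" fix: this is an added example, not code from the issue or from the airflow-steward skill, and the category table, header phrases, `review_files` function and the sample PR contents are all constructed assumptions (the SPDX-to-category mapping is an illustrative subset of `resolved.html`, not the full policy).

```python
"""Per-PR third-party licence compliance pass (constructed example, not project code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative subset of the ASF resolved-licences categories, keyed by SPDX id.
# For *source* inclusion, LGPL and CDDL sit in Category X, as the issue states.
CATEGORY = {
    **{lic: "X" for lic in ("GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1",
                            "LGPL-3.0", "CDDL-1.0", "BUSL-1.1")},
    **{lic: "B" for lic in ("MPL-2.0", "EPL-1.0", "EPL-2.0")},
    **{lic: "A" for lic in ("MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Apache-2.0")},
}

# An explicit SPDX tag wins; otherwise fall back to well-known header phrases
# (assumed heuristics; LGPL is checked before GPL so it is not mis-read as GPL).
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
HEADER_PHRASES = [
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Redistribution and use in source and binary forms", re.I), "BSD-3-Clause"),
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL-3.0"),
    (re.compile(r"GNU General Public License", re.I), "GPL-3.0"),
    (re.compile(r"COMMON DEVELOPMENT AND DISTRIBUTION LICENSE", re.I), "CDDL-1.0"),
    (re.compile(r"Mozilla Public License", re.I), "MPL-2.0"),
    (re.compile(r"Licensed under the Apache License, Version 2\.0", re.I), "Apache-2.0"),
]
# A year is required so that "The above copyright notice ..." in MIT text does not match.
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*\d{4}[\d,\s-]*\s+(.+)", re.I)
ASF_HOLDERS = ("apache software foundation", "asf")
HEADER_LINES = 30  # only the top of the file is inspected, as a reviewer would


@dataclass
class Finding:
    path: str
    category: str   # review category the finding belongs to
    severity: str   # "blocking" | "major" | "minor" | "info"
    message: str


def detect_license(header: str) -> Optional[str]:
    m = SPDX_RE.search(header)
    if m:
        return m.group(1)
    for pattern, spdx in HEADER_PHRASES:
        if pattern.search(header):
            return spdx
    return None


def third_party_holder(header: str) -> Optional[str]:
    """Return a non-ASF copyright holder named in the header, if any."""
    for m in COPYRIGHT_RE.finditer(header):
        holder = m.group(1).strip().rstrip(".")
        if holder and not any(a in holder.lower() for a in ASF_HOLDERS):
            return holder
    return None


def review_files(added_files: dict, changed_paths: set) -> list:
    """Run the 'License headers' and 'Third-party license compliance' checks.

    added_files maps path -> content of each file added in the diff;
    changed_paths is every path the PR touches (used for the LICENSE check).
    """
    license_updated = any(p in ("LICENSE", "LICENSE.txt") or p.startswith("licenses/")
                          for p in changed_paths)
    findings = []
    for path, content in added_files.items():
        header = "\n".join(content.splitlines()[:HEADER_LINES])
        spdx = detect_license(header)
        holder = third_party_holder(header)
        if spdx is None and holder is None:
            # Contributor-authored file with no header at all: the fix is to add one.
            findings.append(Finding(path, "License headers", "minor",
                                    "No licence header; add the Apache 2.0 header."))
            continue
        if spdx == "Apache-2.0" and holder is None:
            continue  # contributor-authored and correctly headed
        # Non-Apache header or third-party copyright line: do not ask for the header
        # to be replaced; route the reviewer to the compliance check instead.
        findings.append(Finding(path, "License headers", "info",
                                f"Appears to be third-party code (licence: {spdx or 'none'}, "
                                f"holder: {holder or 'unknown'}); keep the original header and "
                                "see Third-party license compliance."))
        cat = CATEGORY.get(spdx) if spdx else None
        if cat == "X":
            findings.append(Finding(path, "Third-party license compliance", "blocking",
                                    f"{spdx} is Category X: cannot be included in any form."))
        elif cat == "B":
            findings.append(Finding(path, "Third-party license compliance", "blocking",
                                    f"{spdx} is Category B: cannot be included in source form."))
        elif cat == "A":
            if not license_updated:  # Category A with LICENSE updated yields no finding
                findings.append(Finding(path, "Third-party license compliance", "major",
                                        f"{spdx} is Category A but LICENSE was not updated in this PR."))
        else:
            findings.append(Finding(path, "Third-party license compliance", "major",
                                    f"Licence not identified ({spdx!r}); classify manually."))
    return findings


# Constructed PR contents: one MIT file, one GPL file, one ASF file, one with no header.
SAMPLE_FILES = {
    "src/vendored_util.py": ("# Copyright (c) 2021 Example Corp\n"
                             "# SPDX-License-Identifier: MIT\n"
                             "# Permission is hereby granted, free of charge, to any person\n"
                             "def helper(): ...\n"),
    "src/vendored.c": ("/* This program is free software; you can redistribute it under\n"
                       " * the terms of the GNU General Public License. */\n"
                       "int main(void) { return 0; }\n"),
    "src/mine.py": ("# Licensed to the Apache Software Foundation (ASF) under one or more\n"
                    "# contributor license agreements. Licensed under the Apache License, Version 2.0\n"
                    "def mine(): ...\n"),
    "src/noheader.py": "def untouched(): ...\n",
}

if __name__ == "__main__":
    for f in review_files(SAMPLE_FILES, set(SAMPLE_FILES)):
        print(f"{f.severity:9} {f.category:34} {f.path}: {f.message}")
```

Running it against the constructed PR yields an `info` routing note plus a `blocking` finding for the GPL file, an `info` note plus a `major` finding for the MIT file (because `LICENSE` is not among the changed paths), a `minor` "add the header" finding for the headerless file, and nothing for the ASF-headed file; adding `LICENSE` to the changed paths drops the `major` finding, matching step 3. Phrase matching is deliberately conservative: anything it cannot map to a known SPDX id is escalated for manual classification rather than silently passed.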
### Section anchors (template criteria file)
Add two new rows to
`projects/_template/pr-management-code-review-criteria.md`
→ Section anchors table:
| Section | Anchor URL |
|---|---|
| Third-party license compliance | `https://www.apache.org/legal/resolved.html` |
| Applying the Apache licence | `https://www.apache.org/legal/apply-license.html` |
## Affected files
- `.claude/skills/pr-management-code-review/criteria.md` — new
"Third-party license compliance" category; note on "License headers"
routing for non-Apache headers.
- `.claude/skills/pr-management-code-review/review-flow.md` — Step 4
enumeration updated to include the new category; detection and
classification logic documented.
- `projects/_template/pr-management-code-review-criteria.md` — two new
Section anchor rows.
## Out of scope
- Periodic full-tree licence audits (not per-PR, separate concern).
- NOTICE file handling (related but separate from per-PR review).
- Dependency licence checks (`requirements.txt`, `setup.cfg`,
`pyproject.toml`) — third-party packages are handled by CI tooling;
this check covers directly included source files only.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]