Drupal.org Library Packaging Allowlist

Packaging of drupal-org.make files present in a distribution on Drupal.org ended in September 2023. Because the Allowlist is only relevant when drupalorg_drush is used when running drush make, this Allowlist is no longer maintained. Drupal distributions can provide packaged downloads from alternative sources (ie. GitHub) or point users to documentation about running drush make locally or as part of a build process. Developers who want to manage an Install Profile with Composer are encouraged to get involved in the Distribution Modernization Initiative.

This service was maintained by the Drupal Licensing Working Group (LWG).

When a profile/distribution includes an external library in a project's drush make file, Drupal.org's packaging uses additional validation to check that the url of the library has been allowlisted.

If the license for the library you're interested in is not already listed on our allowlist page, check if it is listed in the FSF list of GPL compatible lisences. If it is, request the license to be added to our allowlist page. Use Use category "Task" and component "Add license". Mention why you want it added to the allowlist, and refer back to FSF evaluation of the license. You will not get an external library added to the allowlist unless its license is already vetted by the LWG and allowlisted.

To get an external library allowlisted:

1. First, check to see if your library is already included in the list of existing allowlist entries. If so, you're set; nothing to do here!
2. If the library is not listed, please search the existing queue to see if someone has already requested that library.
3. If the library has not been allowlisted or requested, ensure the library meets all criteria for inclusion in the allowlist and verify that the license of all code in the library is GPL-2.0 compatible and all non-code assets are "GPL friendly".
4. If all the criteria are met, create an issue to request it. Use category "Task" and component "Allowlist request". The issue should include the following:
   • The official name of the library.
   • A link to the library itself. This must be the primary, public repository that contains the library, e.g. its project page on GitHub.
   • A link to all the licenses used by the library, including git submodules and embedded media assets.
   • All license identifiers, mentioning which version of licenses the library uses. Be specific, use this list to identify the licence.
   • The compressed size of the library.
   • A list of any extensions that currently use the library, or other thinks that documents the need for the library.

Considerations

When evaluating a request, the LWG will consider the following:

• Applicable licenses. Does the library have one or more applicable licenses? In addition to the library's main license the LWG will also consider the licensing of any git submodules, additional libraries, fonts, and/or artworks that uses licenses. All licenses in use must be allowlisted.
• Primary repository. Is the proposed location the primary repository/download?
• Public repository. Is the repository/download publicly accessible?
• Reasonable size. What is the size of the download? The compressed download must be less than 10 Mbytes.
• Documented need. Is there a documented need for the library? Indicators: Links to extensions (modules, themes, and distributions) that use the library, or links to relevant issues.

Template for an allowlist request

Name:
Repository:
License files:
License identifiers:
Size:
Need:

Here is an explantion of what to put in the template:

1. Name: Name of the libray that you request allowlisted.
2. Repository: Link to its primary, public repository:
3. License files: Link to all files in the repository with license information:
4. License identifiers: License identifiers as defined by SPDX.
5. Size: Size of compressed download in Kbytes or Mbytes.
6. Need: Link to extensions that uses the library, or links issues that documents why there is a need for the library.