intermediate changes

ref:cde9a383711a11544ce7e107a78147fb96cc4029

1 files changed, 193 insertions, 0 deletions

diff --git a/build/rules/contrib_restricted.policy b/build/rules/contrib_restricted.policy
new file mode 100644
index 0000000000..a83ead1904
--- /dev/null
+++ b/build/rules/contrib_restricted.policy
@@ -0,0 +1,193 @@
+# == Rules for contrib/restricted section ==
+#
+# NOTE: rules should be ordered from specific to generic (first matching rule is used)
+# See rule syntax docs: https://wiki.yandex-team.ru/devrules/overall/peerdirprohibition/
+
+# scale_ipp filter for ffmpeg use Intel IPP hence it is nonfree
+ALLOW strm/cv/ffmpeg_adcv/toshik_filters -> contrib/restricted/ffmpeg-3-scale-ipp
+
+# CityHash-1.0.2 is a specific version hardwired into ClickHouse public interface
+ALLOW clickhouse -> contrib/restricted/cityhash-1.0.2
+ALLOW library/cpp/clickhouse -> contrib/restricted/cityhash-1.0.2
+ALLOW saas/library/hash_to_block_mode -> contrib/restricted/cityhash-1.0.2
+
+# dragonbox is a specific library for float formatting
+ALLOW clickhouse -> contrib/restricted/dragonbox
+
+# same rules for restricted set of sources in YQL
+ALLOW ydb/library/yql/udfs/common/clickhouse/client -> contrib/restricted/cityhash-1.0.2
+ALLOW ydb/library/yql/udfs/common/clickhouse/client -> contrib/restricted/boost
+ALLOW ydb/library/yql/udfs/common/clickhouse/client -> contrib/restricted/dragonbox
+ALLOW ydb/library/yql/udfs/common/clickhouse/client -> contrib/restricted/fast_float
+
+# fast_float is a faster alternative to double-conversion for float parsing.
+# ClickHouse uses the best libraries for performance, that's why it changes them with insane speed.
+# Arcadia is not ready for this, that's why we added this library in restricted.
+ALLOW clickhouse -> contrib/restricted/fast_float
+
+# ClickHouse uses hash-table from abseil-cpp for better performance in CacheDictionaries and SSDCacheDictionaries,
+# because it the best best open source hash table framework (swiss hash tables, hash functions)
+ALLOW clickhouse -> contrib/restricted/abseil-cpp
+
+# TurboBase64 is a fast vectorized library for encoding/decoding base64.
+ALLOW clickhouse -> contrib/restricted/turbo_base64
+
+# For HBase client: CONTRIB-1790
+ALLOW passport/infra -> contrib/restricted/thrift
+
+# keyutils is LGPL: CONTRIB-2236
+ALLOW passport/infra -> contrib/restricted/keyutils
+
+# For Apache Arrow: CONTRIB-1662
+ALLOW mds -> contrib/restricted/uriparser
+
+# https://st.yandex-team.ru/CONTRIB-2020
+ALLOW weather -> contrib/restricted/range-v3
+
+# ALSA library is LGPL
+ALLOW yandex_io -> contrib/restricted/alsa-lib
+ALLOW smart_devices -> contrib/restricted/alsa-lib
+
+# Avahi is LGPL
+ALLOW yandex_io -> contrib/restricted/avahi
+
+# GLib is LGPL
+ALLOW maps/libs/img -> contrib/restricted/glib
+ALLOW maps/renderer/libs/svgrenderer -> contrib/restricted/glib
+ALLOW market/cataloger -> contrib/restricted/glib
+ALLOW market/idx/feeds/feedparser -> contrib/restricted/glib
+ALLOW metrika/core/libs/statdaemons -> contrib/restricted/glib
+ALLOW metrika/core/libs/strconvert -> contrib/restricted/glib
+ALLOW yandex_io -> contrib/restricted/glib
+
+# GStreamer is LGPL
+ALLOW yandex_io -> contrib/restricted/gstreamer
+ALLOW yandex_io -> contrib/restricted/gst-plugins-base
+ALLOW yandex_io -> contrib/restricted/gst-plugins-good
+ALLOW yandex_io -> contrib/restricted/gst-plugins-bad
+ALLOW yandex_io -> contrib/restricted/patched/gst-libav
+
+# mpg123 is LGPL
+ALLOW extsearch/audio/kernel/recoglib -> contrib/restricted/mpg123
+
+# OpenAL Soft is LGPL
+ALLOW yandex_io -> contrib/restricted/openal-soft
+ALLOW speechkit -> contrib/restricted/openal-soft
+
+# rubberband is a GPL audio stretching library
+ALLOW dict/mt/video -> contrib/restricted/rubberband
+
+# Allowed subset of abseil is exported via library/
+ALLOW library/cpp/containers/absl_flat_hash -> contrib/restricted/abseil-cpp/absl/container
+ALLOW library/cpp/containers/absl_tstring_flat_hash -> contrib/restricted/abseil-cpp-tstring/y_absl/container
+
+# spdlog is just yet another best logging engine
+# The best logging engine, however, is to be designed in CPPCOM-20
+ALLOW quasar/backend/src/base -> contrib/restricted/spdlog
+ALLOW crypta/lib/native/log -> contrib/restricted/spdlog
+ALLOW yandex_io -> contrib/restricted/spdlog
+ALLOW smart_devices/tools/launcher2 -> contrib/restricted/spdlog
+ALLOW smart_devices/tools/updater -> contrib/restricted/spdlog
+
+# cmph is a limited-use library
+ALLOW ads/yacontext -> contrib/restricted/cmph
+
+# http-parser is a low-level parser for http bytestream.
+# Consider using high-level alternatives.
+ALLOW mds -> contrib/restricted/http-parser
+ALLOW taxi/uservices -> contrib/restricted/http-parser
+ALLOW yt/yt/core/http -> contrib/restricted/http-parser
+ALLOW yweb/robot/fetcher/fetcher/user/http -> contrib/restricted/http-parser
+
+# Prefer using skynet for data distribution
+ALLOW maps/infra/ecstatic -> contrib/restricted/libtorrent
+
+# Consider using util / library/cpp/digest versions instead of a raw murmurhash functions.
+#
+# strm/common/go/pkg/murmur3 is a CGO binding to murmurhash, thus dependency is allowed
+ALLOW strm/common/go/pkg/murmur3 -> contrib/restricted/murmurhash
+ALLOW clickhouse -> contrib/restricted/murmurhash
+
+# exiv2 is GPL-licensed. Only small subset of our libraries can use it.
+ALLOW extsearch/images/chunks/exiftags -> contrib/restricted/exiv2
+ALLOW maps/wikimap/mapspro/services/mrc/libs/common -> contrib/restricted/exiv2
+ALLOW yweb/disk/ocraas -> contrib/restricted/exiv2
+
+# Only allow boost in yandex projects listed below
+ALLOW adfox -> contrib/restricted/boost
+ALLOW ads -> contrib/restricted/boost
+ALLOW advq -> contrib/restricted/boost
+ALLOW alice/nlu -> contrib/restricted/boost
+ALLOW alice/vins_contrib/crfsuitex -> contrib/restricted/boost
+ALLOW clickhouse -> contrib/restricted/boost
+ALLOW devtools -> contrib/restricted/boost
+ALLOW extsearch/geo/poi_service/tools/storage_reader -> contrib/restricted/boost
+ALLOW infra/contrib/pdns -> contrib/restricted/boost
+ALLOW juggler/pongerd -> contrib/restricted/boost
+ALLOW lbs/locator -> contrib/restricted/boost
+ALLOW library/cpp/testing/boost_test$ -> contrib/restricted/boost/libs/test
+ALLOW library/cpp/testing/boost_test_main$ -> contrib/restricted/boost/libs/test
+ALLOW library/cpp/testing/gtest_boost_extensions -> contrib/restricted/boost
+ALLOW logbroker/pipe-parser -> contrib/restricted/boost
+ALLOW mail -> contrib/restricted/boost
+ALLOW maps -> contrib/restricted/boost
+ALLOW market/idx/feeds/feedparser -> contrib/restricted/boost
+ALLOW market/idx/stats/src -> contrib/restricted/boost
+ALLOW mds -> contrib/restricted/boost
+ALLOW metrika -> contrib/restricted/boost
+ALLOW netsys/tiles-vcdiff/gen-tiles -> contrib/restricted/boost
+ALLOW orgvisits/dwellplaces -> contrib/restricted/boost
+ALLOW orgvisits/heuristics -> contrib/restricted/boost
+ALLOW orgvisits/library/soc -> contrib/restricted/boost
+ALLOW quasar/backend -> contrib/restricted/boost
+ALLOW regulargeo/research -> contrib/restricted/boost
+ALLOW rem/python/geobase30 -> contrib/restricted/boost
+ALLOW drive/contrib/cpp/telemetry -> contrib/restricted/boost
+ALLOW smart_devices -> contrib/restricted/boost
+ALLOW statbox/libstatbox -> contrib/restricted/boost
+ALLOW taxi/uservices -> contrib/restricted/boost
+ALLOW tools/idl -> contrib/restricted/boost
+ALLOW voicetech/tools -> contrib/restricted/boost
+ALLOW weather/archive/grid_api/lib -> contrib/restricted/boost
+ALLOW yabs/telephony -> contrib/restricted/boost
+ALLOW yandex_io -> contrib/restricted/boost
+ALLOW yweb/robot/js -> contrib/restricted/boost
+ALLOW market/access/server/env -> contrib/restricted/boost
+ALLOW sdg/library/cpp/ros_msg_parser -> contrib/restricted/boost
+ALLOW search/meta/scatter/ant -> contrib/restricted/boost
+ALLOW search/meta/scatter/ut -> contrib/restricted/boost
+
+# use GTEST target in ya.make instead of PEERDIRing contrib/restricted/googletest
+# and include <library/cpp/testing/gtest.h> instead of <gtest/gtest.h> (<gmock/gmock.h>)
+ALLOW contrib -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gmock_in_unittest -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gtest -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gtest_boost_extensions -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gtest_extensions -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gtest_main -> contrib/restricted/googletest
+ALLOW library/cpp/testing/gtest_protobuf -> contrib/restricted/googletest
+ALLOW library/python/testing/gtest/test/gtest -> contrib/restricted/googletest
+# TODO remove this lines after they will switch to library/cpp/testing/gtest
+ALLOW mail -> contrib/restricted/googletest
+ALLOW maps/mobile/libs -> contrib/restricted/googletest
+ALLOW maps/mobile/bundle -> contrib/restricted/googletest
+ALLOW mds -> contrib/restricted/googletest
+# A mere proxy to allow using gmock in libraries without being bound to specific test framework
+# See IGNIETFERRO-1827 for details.
+ALLOW library/cpp/testing/gmock -> contrib/restricted/googletest/googlemock
+
+# allow usage of MIT part
+ALLOW .* -> contrib/restricted/librseq/headeronly
+
+# we use nfs-ganesha for Network File Store gateway
+ALLOW cloud/filestore/gateway/nfs -> contrib/restricted/nfs_ganesha
+
+ALLOW yandex_io -> contrib/restricted/patched/hostap_client
+
+# Default policies:
+#
+# Do not restrict contrib
+# All peerdirs to contrib/restricted from outside are prohibited
+#
+ALLOW contrib -> contrib/restricted
+DENY .* -> contrib/restricted