Allowlist license policy for storing in designated third-party folder

[shubham1172]

Hi, I was reviewing the third-party license policy here CNCF Allowlist License Policy which says

A third-party component under a non-Apache 2.0 license is deemed automatically approved by the Governing Board for inclusion in a CNCF codebase as an exception to the CNCF Intellectual Property Policy, if all of the following apply:

1. It is fully licensable under the approved licenses set forth below under Approved Licenses (including combinations with Apache-2.0); AND
2. It is stored unmodified in a designated third-party folder; AND
3. It has indications of substantial use outside CNCF by satisfying one of the following: i. the component is part of the applicable programming language’s standard library; or ii. the component was created on Github at least 12 months ago and has at least 10 stars or 10 forks.

Can you please clarify point 2? Does it mean that all third-party dependencies under a non-Apache 2.0 license must be stored in a designated folder in the main repository?

For example,

• github.com/kubernetes/kubernetes does have a vendor and third_party directory
• github.com/linkerd/linkerd2 on the other hand does not contain any such folder.