Clarify external packages must have source code published

[emontnemery]

Proposed change

Clarify external packages must have source code published

We could also extend this with:

• Require source code is published on github or some other similar service
• Require source code on github matches the source distribution published on PyPi (except for publishing actions such as injecting version tag etc.)
• Require that the package has a public and transparent release management process on the CI of the package

Type of change

• Document existing features within Home Assistant
• Document new or changing features which there is an existing pull request elsewhere
• Spelling or grammatical corrections, or rewording for improved clarity
• Changes to the backend of this documentation
• Removed stale or deprecated documentation

Additional information

• This PR fixes or closes issue: fixes #
• Link to relevant existing code or pull request:

[frenck]

PS: I would agree on adding all suggested extensions in the PR description.

[joostlek]

Would it be good to clarify a migration path? Because not every dependency has the transparent CI, and I think its a good thing if we start requiring it at some point

[frenck]

Would it be good to clarify a migration path?

We don't have too. We can start applying the rules to new integrations / new dependencies as of now and encourage others to do so.

[bdraco]

Should we also list that it needs an OSI approved license?

[rytilahti]

Should we also list that it needs an OSI approved license?

That'd make sense, IMO, as it gives clarity for the reason we want to have the source code available. I would think that the potential extensions mentioned in the description, e.g., a requirement for an open issue tracker (esp. for homeassistant-only libraries), having a repository hosted at service X, or requiring specific build & release procedures would be much more controversial than requiring an OSI-approved license :-)