Any objections to moving the code out there that has no other upstream (e.g. src/vendorcode/google/chromeos or src/vendorcode/eltan, I think?) while moving in code from elsewhere in the tree that fits the "it has a foreign upstream" description (e.g. the lzma library)?
Sorry, I just responded to this on https://review.coreboot.org/c/coreboot/+/51827 before I saw this mail.
I think we still need to have a difference between hacky vendor stuff and normal coreboot code. For example, the Eltan mboot stuff is something we didn't really want to have in coreboot in that form, and so they kinda put it in vendorcode as a compromise. We should make sure it remains clear that that code isn't "proper" coreboot code and didn't go through the same level of review.
If you want to separate the two cases, maybe just make a src/vendorcode/mirrored/ subdirectory and put the stuff that was mirrored from a different upstream under there?