Whether your organization already has a detailed license policy or needs to set one up, we can help you implement and enforce it with the Tidelift Subscription. If you enable the license compliance standard, Tidelift will ensure that every package release in your catalog uses only a license from your approved list of licenses. With your Tidelift Subscription, you can also get accurate and verified license data from Tidelift’s license-annotated catalogs.
How do I set up license compliance?
You can begin enforcing license compliance from the Catalog > Standards page. If you have not already set up an approved license list, you will be presented with pre-built templates; select the template most appropriate for your deployment scenario. If your organization already has an approved license list, you can proceed without a template.
You will then be able to make any changes to the following three lists:
- “Approved” – Licenses that are always approved for use in the catalog
- “Uncategorized” – Licenses that will need additional review in the future
- “Denied” – Licenses that are never approved for use in the catalog
Note that each license is listed using its SPDX license expression, so this standard should be used together with the 'Releases have an identified license' standard, which creates tasks for any package whose license string is not an SPDX expression and is not automatically mapped to one by Tidelift. If you have a policy and need support mapping it onto the appropriate SPDX identifiers, reach out to your account manager.
IT IS ESSENTIAL to turn on this identified license standard if turning on the “licenses must comply with policy” standard. Packages with no valid license are NOT compared to the policy.
What happens if a package release in my catalog doesn’t comply with the approved license list?
Although a package's license rarely changes, an already-approved release may no longer comply with the license standard if you change your approved license list. In these cases, a task will be generated to notify the catalog administrator about already-approved releases that violate this standard. For each license, the catalog administrator will be able to do one or more of the following:
- Approve the license being used by the already-approved releases
- Deny the releases
What happens when a newly requested package release doesn’t use an approved license?
If a newly requested release uses a license that isn’t on the approved list and the license compliance standard is enabled, the catalog administrator reviewing the request will see that there is a standard violation. The catalog administrator can do any of the following:
- Approve the license for the requested release
- Deny the request
- Approve the request without changing the license status, creating an exception. An exception can be created for either just that specific release or all releases of the package.
What does UNKNOWN license mean and what is the 'identified license standard'?
With an identified license standard, users will be able to start tracking packages whose license needs human review. Tidelift assigns a license to a package when the license is entered in SPDX style in the package's license field, and we do additional work to map common non-SPDX style entries to the correct format. However, when Tidelift is not sure, a human needs to review. This can happen because the package maintainer made a typo, entered the license in an uncommon way or not at all, or because the package is an internal one.
When addressing this task, you may determine that no license was provided at all, and complete the task by assigning the license NONE. This license should only be used when someone has confirmed that the license did not exist.
Once a task of this type is addressed, the release will be compared to the approved license standard.
This example task for the pypi package psycopg2-binary exists because the license was entered as a string that is not easily mapped to the proper SPDX expression. The maintainer had listed the license as "LGPL with exceptions or ZPL", which cannot be mapped to an SPDX expression. Someone will have to research what the appropriate license is and enter it in this task.
Creating exceptions for specific packages
When a package with an unapproved license is requested, you may not want to globally approve the license for all packages. In this case you have the option to approve the license only for this package or approve the license only for this release of the package. This will create an exception that will allow you to approve the package release even though the license has not been globally approved.
You can view and export all license compliance exceptions by going to Standards > View license compliance standards exceptions.
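The evaluation order described above (identify the license first, then compare to the three lists, honoring per-release and per-package exceptions) as an added illustration; this is example code, not Tidelift's implementation, and the SPDX identifier set, alias table, sample policy, package names other than psycopg2-binary, and version strings are all constructed.

```python
from dataclasses import dataclass, field

# Constructed SPDX identifier set and non-SPDX aliases (not Tidelift's real mapping data).
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "LGPL-2.1-only", "GPL-3.0-only", "ZPL-2.1"}
COMMON_ALIASES = {"apache 2.0": "Apache-2.0", "mit license": "MIT", "bsd": "BSD-3-Clause"}


@dataclass
class Policy:
    """The three lists from the Standards page plus per-release / per-package exceptions."""
    approved: set
    denied: set
    uncategorized: set = field(default_factory=set)
    release_exceptions: set = field(default_factory=set)  # {(package, version)}
    package_exceptions: set = field(default_factory=set)  # {package}


def identify_license(raw):
    """Map a package's license field to an SPDX expression, or UNKNOWN if a human must review.
    NONE is the value an administrator assigns after confirming no license exists."""
    if raw is None or not raw.strip():
        return "UNKNOWN"
    text = raw.strip()
    if text in SPDX_IDS or text == "NONE":
        return text
    return COMMON_ALIASES.get(text.lower(), "UNKNOWN")


def evaluate(policy, name, version, raw_license):
    """Return (decision, reason) for one release, following the order described on the page."""
    spdx = identify_license(raw_license)
    if spdx == "UNKNOWN":
        # Identified-license task first: an unidentified license is NOT compared to the policy.
        return "task:identify-license", f"{name} {version}: '{raw_license}' not mapped to SPDX"
    if (name, version) in policy.release_exceptions or name in policy.package_exceptions:
        return "approved", f"{name} {version}: exception covers {spdx}"
    if spdx in policy.approved:
        return "approved", f"{name} {version}: {spdx} is on the approved list"
    if spdx in policy.denied:
        return "violation", f"{name} {version}: {spdx} is on the denied list"
    # Uncategorized (or NONE) is not approved, so it is still a standard violation needing review.
    return "violation", f"{name} {version}: {spdx} is not on the approved list"


# Constructed sample policy: permissive licenses approved, strong copyleft denied.
POLICY = Policy(
    approved={"MIT", "Apache-2.0", "BSD-3-Clause"},
    denied={"GPL-3.0-only"},
    uncategorized={"LGPL-2.1-only", "ZPL-2.1"},
    package_exceptions={"legacy-tool"},  # exception for all releases of this constructed package
)
```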