Whether your organization already has a detailed license policy or needs to set one up, the Tidelift Subscription can help you implement and enforce it. When you use the license compliance standard, Releases use approved licenses, Tidelift ensures that every package release in your catalog uses only a license from your approved list of licenses. With the Tidelift Subscription, you can also get accurate and verified license data from Tidelift’s license-annotated catalogs.
How do I set up license compliance?
You can begin enforcing license compliance by following these steps:
- Click on Catalog
- Select Standards
- Navigate to Releases use approved licenses
- Select Configure standard
- If you have not already set up an approved license list, you will be presented with pre-built templates. (If you want to edit your template(s), select change your licensing template.)
- If your organization does not already have an approved license list, you can select the template most appropriate for your deployment scenario. By default, the Mobile App/Hardware template will be selected. Otherwise, you can proceed without a template.
- You will then be able to make any changes to the following three lists:
  - Approved: licenses that are always approved for use in the catalog
  - Uncategorized: licenses that will need additional review in the future
  - Denied: licenses that are never approved for use in the catalog
Note about SPDX
Note that each license is listed using its SPDX license expression, so this standard should be used with the Releases have an identified license standard, which will create tasks for any package using a license string that is not in SPDX or not automatically mapped to one by Tidelift. If you have a policy and need support mapping onto the appropriate SPDX identifiers, reach out to your account manager.
It is essential to turn on the Releases have an identified license standard whenever you turn on the “licenses must comply with policy” standard. Packages with no valid license are NOT compared to the policy.
What happens if a package release in my catalog doesn’t comply with the approved license list?
Although a package's license rarely changes, an already-approved release may no longer comply with the license standard if changes are made to your approved license list. In these cases, a task will be generated for the catalog administrator, notifying them about already-approved releases that violate this standard.
For each license, the catalog administrator will be able to do one or more of the following:
- Approve the license being used by the already-approved releases
- Deny the releases
What happens when a newly requested package release doesn’t use an approved license?
If a newly requested release uses a license that isn’t on the approved list and the Releases use approved licenses standard is enabled, the catalog administrator reviewing the request will see that there is a standard violation.
The catalog administrator can do any of the following:
- Approve the license for the requested release
- Deny the request
- Approve the request without changing the license status, creating an exception. An exception can be created for either just that specific release or all releases of the package.
What is the 'Releases have an identified license' standard?
With the Releases have an identified license standard, users can start tracking packages whose license needs human review. Tidelift assigns a license to a package when the license is entered in SPDX style in the package's license field. Tidelift also does additional work to map common non-SPDX style entries to the correct format.
However, there are cases where this requires human review. This can happen because of a typo by the package maintainer, a package manager not having entered a license in a common way (or at all), or if the package is an internal package.
When addressing this task, you can determine that no license was provided at all and complete the task by assigning the license NONE. This license should only be used when someone has confirmed that the license does not exist. Once a task of this type is addressed, the package will be compared to the Releases use approved licenses standard.
An example: This task for 'pypi/psycopg2-binary' exists because the license was entered as a string that is not easily mapped to the proper SPDX expression. The maintainer had listed the license as "LGPL with exceptions or ZPL", which is not mappable to an SPDX expression. Someone will have to research what the appropriate license is and enter the license in this task.
Creating exceptions for specific packages
When a package with an unapproved license is requested, you may not want to globally approve the license for all packages. In this case you have the option to approve the license only for this package or approve the license only for this release of the package. This will create an exception that will allow you to approve the package release even though the license has not been globally approved.
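The following sketch models how the two standards and exceptions interact as described on this page. It is an added illustration, not Tidelift's implementation or API. Assumptions: the SPDX identifier set is a small constructed subset, policy lists are matched against the whole expression, an exception is applied before the denied list is consulted, and all package names and versions are constructed (only the psycopg2-binary license string comes from the page).

```python
import re

# Constructed subset of SPDX identifiers; a real check would load the full SPDX list.
KNOWN_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "AGPL-3.0-only", "NONE"}
OPERATORS = {"AND", "OR", "(", ")"}  # simplification: WITH clauses fall through to review

def is_identified(field):
    """True when every license token in the field is a known SPDX identifier."""
    tokens = re.findall(r"[()]|[^\s()]+", field or "")
    ids = [t for t in tokens if t not in OPERATORS]
    return bool(ids) and all(t in KNOWN_IDS for t in ids)

def evaluate(release, policy, exceptions, identified_standard_on=True):
    """Outcome for one (package, version, license_field) release."""
    package, version, field = release
    if not is_identified(field):
        # Per the page: packages with no valid license are not compared to the policy.
        return "task: identify license" if identified_standard_on else "not evaluated"
    expr = " ".join(field.split())
    if expr in policy["approved"]:
        return "compliant"
    # Assumption: an exception applies before the denied list is consulted.
    if (package, version) in exceptions or (package, None) in exceptions:
        return "approved by exception"
    if expr in policy["denied"]:
        return "violation: denied license"
    return "violation: uncategorized license"

# Constructed policy and catalog; only the psycopg2-binary license string is from the page.
POLICY = {"approved": {"MIT", "Apache-2.0", "BSD-3-Clause"}, "denied": {"AGPL-3.0-only"}}
EXCEPTIONS = {("pypi/example-gpl-tool", "2.1.0")}  # release-scoped; (name, None) = all releases
CATALOG = [
    ("pypi/example-web", "1.0.0", "MIT"),
    ("pypi/example-gpl-tool", "2.1.0", "GPL-3.0-only"),
    ("pypi/example-gpl-tool", "2.2.0", "GPL-3.0-only"),
    ("pypi/example-agpl-db", "0.9.0", "AGPL-3.0-only"),
    ("pypi/psycopg2-binary", "2.9.9", "LGPL with exceptions or ZPL"),
    ("pypi/example-internal", "0.1.0", ""),
]

def report(identified_standard_on):
    return {f"{p}@{v}": evaluate((p, v, lic), POLICY, EXCEPTIONS, identified_standard_on)
            for p, v, lic in CATALOG}

if __name__ == "__main__":
    for on in (True, False):
        print(f"identified-license standard on={on}")
        for release, outcome in report(on).items():
            print(f"  {release}: {outcome}")
```

With the identified-license standard off, the two releases without a valid SPDX license surface no task and no violation, which is the gap the SPDX note describes.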
You can view and export all license compliance exceptions:
- Go to Catalogs
- Select Standards
- Click on Configure standard under the Releases use approved licenses standard
- Navigate to View exceptions on the right
- From here you can add new exceptions, edit existing ones, and export them as .csv.