1. Tidelift
  2. Documentation
  3. Catalogs

Enforcing license compliance

Larry Copeland
Updated

Whether your organization already has a detailed license policy or needs to set one up, the Tidelift Subscription can help you implement and enforce it. By choosing to use the license compliance standard, Allowed licenses, Tidelift ensures that all package releases in your catalog only use a license from your approved list of licenses. With the Tidelift Subscription, you can also get accurate and verified license data from Tidelift’s license-annotated catalogs.

image (5).png

How do I set up license compliance?

You can begin enforcing license compliance by doing the following:

  1. Go to Standards 
  2. Find the Allowed licenses standard
  3. Select Configure standard
  4. If you have not already set up an approved license list, you will be presented with pre-built templates. (If you want to edit your template(s), select change your licensing template.)
    Screen_Shot_2022-06-02_at_10.42.38_AM.png
  5. If your organization does not already have an approved license list, you can select the template most appropriate for your deployment scenario. By default, the Mobile App/Hardware template will be selected. Otherwise, you can proceed without a template.
  6. You will then be able to make any changes to the following three lists:
    • Approved Licenses that are always approved for use in the catalog
    • Uncategorized Licenses that will need additional review in the future
    • Denied Licenses that are never approved for use in the catalog

Note about SPDX

Note that each license is listed using its SPDX license expression, so this standard should be used with the Identified licenses standard, which will create tasks for any package using a license string that is not in SPDX or not automatically mapped to one by Tidelift. If you have a policy and need support mapping onto the appropriate SPDX identifiers, reach out to your account manager.

It is essential to turn on the identified licenses standard if turning on the “licenses must comply with policy” standard. Packages with no valid license are NOT compared to the policy.

image (6).png

What happens if a package release in my catalog doesn’t comply with the approved license list?

Although a package's license rarely changes, an already-approved release may no longer comply with the license standard if changes are made to your approved license list. In these cases, a task will be generated for the catalog administrator, notifying them about already-approved releases that violate this standard.

For each license, the catalog administrator will be able to do one or more of the following:

  • Approve the license being used by the already-approved releases
  • Deny the releases

What happens when a newly requested package release doesn’t use an approved license?

If a newly requested release uses a license that isn’t on the approved list and the Allowed licenses standard is enabled, the catalog administrator reviewing the request will see that there is a standard violation.

The catalog administrator can do any of the following:

  • Approve the license for the requested release
  • Deny the request
  • Approve the request without changing the license status, creating an override. An override can be created for either just that specific release or all releases of the package.

What is the 'Identified licenses' standard?

With the Identified licenses standard, users will be able to start tracking packages that need human review of the license. Tidelift assigns a license to packages when the license is entered with an SPDX style in the license field on the package. Tidelift also does additional work to map common non-SPDX style entries to the correct format.

However, there are cases where this requires human review. This can happen because of a typo by the package maintainer, a package manager not having entered a license in a common way (or at all), or if the package is an internal package.

When addressing this task, you can determine that there was no license provided at all and complete the task by assigning the license to be NONE. This license should only be used when someone has confirmed the license did not exist. Once these types of tasks are addressed, it will be compared to the Allowed licenses standard.

An example: This task for 'pypi/psycopg2-binary' exists because the license was entered as a string that is not easily mapped to the proper SPDX expression. The maintainer had listed the license as "LGPL with exceptions or ZPL", which is not mappable to an SPDX expression. Someone will have to research what the appropriate license is and enter the license in this task.

Unknown_license_task.png

Creating overrides for specific packages

When a package with an unapproved license is requested, you may not want to globally approve the license for all packages. In this case you have the option to approve the license only for this package or approve the license only for this release of the package. This will create an override that will allow you to approve the package release even though the license has not been globally approved. When looking at the list of overrides, you may see a version of * which means that it applies to all versions of a package.

You can view and export all license compliance overrides:

  1. Go to Standards
  2. Find the Allowed licenses standard
  3. Select Manage overrides on the right
  4. From here you can add new, edit, and export as .csv.
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section

See more