What tasks do lifters take on?
When you partner with Tidelift as a lifter, you'll be working with us to ensure that your project(s) meet an important set of industry security, maintenance, and licensing standards that help validate the overall health and resilience of your projects.
Examples of standards include annotating licenses, documenting security policies, properly tracking and communicating package dependencies, and implementing two-factor authentication.
What we ask of you
- Validate that your package meets a documented set of industry standards, and ensure it continues to meet these standards into the future.
- Help us document and communicate critical information about your package(s) to our subscribers in an automated way, so subscribers don't have to individually watch every package they use.
- Adhere to the standards we ask you to implement, so that the most effective security, maintenance, and licensing practices are upheld.
What we don't ask of you
- Giving up control of your technical roadmap.
- Providing help desk or consulting services.
- Changing the license type associated with your package(s).
- And you can stop lifting a package at any time.
(We're careful to set subscriber expectations on these points.)
Maintainer-verified standards you will need to validate:
| Standard | What you need to do |
|---|---|
| Enable 2FA on GitHub | Confirm that this additional layer of security is enabled on your GitHub account, if there is one on record. |
| Enable 2FA in package manager | Confirm that this additional layer of security is enabled at the package manager level, where new versions are distributed. |
| Set source repository URL | Provide the correct link to the repository for this package. |
| Review release managers | Confirm that you have reviewed who can manage releases for your package(s) and that only authorized people have that access. |
| Review security vulnerabilities | Provide detailed, contextual feedback on the vulnerabilities found in your package(s), so users have the most accurate source of truth for each vulnerability. |
| Set versioning scheme | Set the versioning scheme the package uses, so users can better understand which releases may contain breaking changes. |
| Verify license | Clearly document the license type that has been assigned to your package(s). |
| Create a discoverable security policy | Document that there is a process in place for handling vulnerabilities found in your package(s). |
| Create security maintenance plan | Document which versions you are willing to provide security updates for, and whether you will offer users any additional level of updates beyond what you offer all users. |
| Create a fixed release | Create a new release to address vulnerabilities in your package or its dependencies. Exceptions can be logged. |
We may add or remove standards over time. Any changes will be communicated to the lifter community ahead of time. We'll also be rolling out provisional standards: tasks that we present to lifters but that are not required. Provisional standards allow lifters to review a task and submit feedback to Tidelift about its relevance and importance before we implement it widely.
The lifter agreement and Code of Conduct
We love feedback!
We're always looking for ways to improve, and we'd love to hear your thoughts. Please email us your feedback at firstname.lastname@example.org.