Enforcing license compliance

Whether your organization already has a detailed license policy or needs to set one up, we can help you implement and enforce it with the Tidelift Subscription. When you enable the license compliance standard, Tidelift ensures that every package release in your catalog uses only a license from your approved list of licenses. With your Tidelift Subscription, you can also get accurate and verified license data from Tidelift’s license-annotated catalogs.

How do I set up license compliance?

You can begin enforcing license compliance from the Catalog > Standards page. If you have not already set up an approved license list, you will be presented with pre-built templates: select the one most appropriate for your deployment scenario. If your organization already has an approved license list, you can proceed without a template.

You can then adjust the following three lists:

  • “Approved” – Licenses that are always approved for use in the catalog
  • “Uncategorized” – Licenses that will need additional review in the future
  • “Denied” – Licenses that are never approved for use in the catalog

Note that each license is listed using its SPDX license expression. If you have a policy and need support mapping onto the appropriate SPDX identifiers, reach out to your account manager.

What happens if a package release in my catalog doesn’t comply with the approved license list?

Although a package's license rarely changes, an already-approved release may no longer comply with the license standard if you change your approved license list. In these cases, a task is generated to notify the catalog administrator about already-approved releases that violate this standard. For each license, the catalog administrator will be able to do one or more of the following:

  1. Approve the license being used by the already-approved releases
  2. Deny the releases

What happens when a newly requested package release doesn’t use an approved license?

If a newly requested release uses a license that isn’t on the approved list and the license compliance standard is enabled, the catalog administrator reviewing the request will see that there is a standard violation. The catalog administrator can do any of the following:

  1. Approve the license for the requested release
  2. Deny the request
  3. Approve the request without changing the license status, which creates an exception. An exception can be created for either just that specific release or for all releases of the package.

Creating exceptions for specific packages

When a package with an unapproved license is requested, you may not want to globally approve the license for all packages. In this case you have the option to approve the license only for this package or approve the license only for this release of the package. This will create an exception that will allow you to approve the package release even though the license has not been globally approved.
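The following is an added example, not Tidelift's own code, showing how the three lists above, SPDX license expressions, and release-level and package-level exceptions combine into a single accept/violation decision for a requested release. It assumes flat SPDX expressions without parentheses and treats a dual license ("A OR B") as approved when either option is approved; the package names, versions and lists are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class LicenseStandard:
    approved: set                                          # the "Approved" list
    denied: set                                            # the "Denied" list; anything else is "Uncategorized"
    release_exceptions: set = field(default_factory=set)   # {(package, version)}
    package_exceptions: set = field(default_factory=set)   # {package}

    def classify_license(self, spdx_id: str) -> str:
        if spdx_id in self.approved:
            return "approved"
        return "denied" if spdx_id in self.denied else "uncategorized"

    def classify_expression(self, expr: str) -> str:
        """Flat SPDX expression: one id, 'A OR B' or 'A AND B' (no parentheses)."""
        if " OR " in expr:  # dual license: one approved option is enough (assumption)
            verdicts = [self.classify_license(p.strip()) for p in expr.split(" OR ")]
            if "approved" in verdicts:
                return "approved"
            return "denied" if all(v == "denied" for v in verdicts) else "uncategorized"
        verdicts = [self.classify_license(p.strip()) for p in expr.split(" AND ")]
        if "denied" in verdicts:
            return "denied"
        return "approved" if all(v == "approved" for v in verdicts) else "uncategorized"

    def check_release(self, package: str, version: str, expr: str) -> tuple:
        """Return ("allowed" | "violation", reason) for one requested release."""
        status = self.classify_expression(expr)
        if status == "approved":
            return ("allowed", "license on approved list")
        if (package, version) in self.release_exceptions:
            return ("allowed", f"exception for {package} {version} only")
        if package in self.package_exceptions:
            return ("allowed", f"exception for all releases of {package}")
        return ("violation", f"license is {status}; needs administrator review")

# Constructed sample standard and release requests (not real Tidelift data).
STANDARD = LicenseStandard(
    approved={"MIT", "Apache-2.0", "BSD-3-Clause"}, denied={"AGPL-3.0-only"},
    release_exceptions={("legacy-widget", "1.4.2")}, package_exceptions={"internal-tool"})
REQUESTS = [
    ("fastlib", "2.0.0", "MIT OR AGPL-3.0-only"),   # approved option available
    ("fastlib", "2.1.0", "MIT AND AGPL-3.0-only"),  # denied operand inside an AND
    ("legacy-widget", "1.4.2", "EUPL-1.2"),         # covered by a release-level exception
    ("legacy-widget", "1.5.0", "EUPL-1.2"),         # same package, no exception: violation
    ("internal-tool", "0.9.0", "AGPL-3.0-only"),    # covered by a package-level exception
]

def review_requests(standard=STANDARD, requests=REQUESTS) -> dict:
    return {f"{p} {v}": standard.check_release(p, v, e) for p, v, e in requests}
```

Anything that comes back as a violation is what the catalog administrator would see as a standard violation on the request; the exception entries are the data you would export from the exceptions view.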

You can view and export all license compliance exceptions by going to Standards > View license compliance standards exceptions.