Frequently asked catalog questions

Tidelift Catalogs: Frequently Asked Questions

  • How do catalogs work?
    • Catalogs keep track of package releases that have been approved or denied. They also define standards that these releases must meet. When a release falls short of a standard, it’s kept out of the catalog, or the Tidelift service generates a task workflow for the catalog manager to resolve the situation.
    • Enforced standards on a catalog can include security, licensing, and technical concerns. For example, all releases in the catalog must have a known, acceptable license; or all releases must be free of critical vulnerabilities.
    • Customers can then choose from several mechanisms to keep their software aligned with the releases in the catalog:
      • The Tidelift CLI allows individual developers to check alignment locally on their own machines, and to request additions to the catalog;
      • A check in customers’ CI/CD pipeline can verify catalog alignment;
      • Tidelift’s Artifactory plugin allows you to block not-in-catalog releases from designated Artifactory repositories, if desired.
    • Subscribers manage their own custom catalogs (“subscriber-managed”); Tidelift, with help from lifter tasks (work done by the open source maintainers Tidelift partners with), manages pre-built catalogs (“Tidelift-managed”).
    • Work done for one catalog can feed into another. In effect, one catalog can inherit from another, object-oriented-style: subscriber-managed catalogs can pull in Tidelift-managed catalogs and, in the process, benefit from lifter work and advice.
    • By subscribing to a Tidelift-managed catalog, customers can receive a continuous feed of security updates, license data, and other advice from Tidelift and our partnered open source maintainers.
  • Can Tidelift manage my entire catalog or does my team need to get involved?
    • Your organization can select the open source components that make up your catalog, or choose to add some of Tidelift’s pre-built catalogs to your own.
    • Tidelift works with its network of maintainers to create a feed of data and updates that customers can use to keep their own catalogs up to date.
  • How are Tidelift-managed catalogs different from the one my company would create?
    • Some of the largest organizations, like Google, LinkedIn, and Netflix, already have an in-house, custom-built version of this idea:
      • They use in-house tools to create an approved list of dependencies, sometimes called a paved path, for their developers.
      • Before approving a package, they typically review its security, licensing, and technical aspects.
      • Building this in house is time-intensive and expensive, which is why only the largest companies do it today.
    • We make it possible for any company of any size to get the same kind of “known-good” open source approach.
    • Tidelift works directly with open source maintainers to manage and curate catalogs of open source components that are commonly used together by developers working with JavaScript, Python, and more. A few examples include:
      • Our license-annotated catalog enables subscribers to apply an automated license policy and to screen out unacceptable licenses without independently researching the thousands of false positives that license scanners may turn up.
      • Our security-advised catalog provides advice and remediation around security vulnerabilities. We created this catalog based on work with maintainers to proactively improve open source project security.
      • Our indemnified catalog provides IP protection, including indemnification against claims that the packages a customer uses may contain copyright violations, such as copied code or an open source license violation.
  • How frequently does Tidelift update my catalog?
    • Tidelift adds new releases, license data, and vulnerability information in real time as it becomes available. Customers control their own catalogs, and can choose when to pull in new recommendations and what to review manually.
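The mechanism described under “How do catalogs work?” (approve/deny decisions, enforced standards that open a task when a release falls short, catalog inheritance, and a CI-style alignment check against a lockfile) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Tidelift’s code or API; the class names, the package names and versions, the severity scale, and the lockfile are all constructed for the example. One design choice here is an assumption, not something the page states: a release approved in a parent catalog is re-checked against the child catalog’s own standards, so a subscriber with a stricter license policy than the Tidelift-managed catalog it inherits from still gets that policy enforced.

```python
"""Toy model of a dependency catalog: standards, approvals, inheritance, alignment.

Added example for illustration only; not Tidelift's implementation. All package
names, versions, licenses and vulnerability data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Ordered vulnerability severities; a catalog rejects anything above its ceiling.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    license: str                 # SPDX identifier
    max_severity: Optional[str]  # highest known open vulnerability, or None


@dataclass
class Standards:
    """The rules every release in a catalog must meet."""
    allowed_licenses: frozenset
    max_allowed_severity: str

    def violations(self, rel: Release) -> list[str]:
        problems = []
        if rel.license not in self.allowed_licenses:
            problems.append(f"license {rel.license!r} not on the allow-list")
        if rel.max_severity and SEVERITY_RANK[rel.max_severity] > SEVERITY_RANK[self.max_allowed_severity]:
            problems.append(f"{rel.max_severity} vulnerability exceeds ceiling {self.max_allowed_severity}")
        return problems


@dataclass
class Catalog:
    name: str
    standards: Standards
    parent: Optional[Catalog] = None            # catalog this one inherits from
    approved: dict = field(default_factory=dict)  # (name, version) -> Release
    denied: dict = field(default_factory=dict)    # (name, version) -> reason
    tasks: list = field(default_factory=list)     # open items for the catalog manager

    def submit(self, rel: Release) -> str:
        """Evaluate a release against this catalog's standards; open a task on failure."""
        key = (rel.name, rel.version)
        problems = self.standards.violations(rel)
        if not problems:
            self.approved[key] = rel
            return "approved"
        self.denied[key] = "; ".join(problems)
        self.tasks.append((key, problems))
        return "task"

    def resolve(self, name: str, version: str) -> tuple[str, object]:
        """Local decision first, then inherited ones.

        Returns (status, payload): payload is the Release for "approved",
        the reason string for "denied", and None for "unknown".
        """
        key = (name, version)
        if key in self.denied:
            return "denied", self.denied[key]
        if key in self.approved:
            return "approved", self.approved[key]
        if self.parent is not None:
            status, payload = self.parent.resolve(name, version)
            if status == "approved":
                # Assumption: inherited approvals must still meet the child's (possibly stricter) standards.
                problems = self.standards.violations(payload)
                if problems:
                    return "denied", "; ".join(problems)
            return status, payload
        return "unknown", None


def check_alignment(catalog: Catalog, lockfile: dict) -> tuple[bool, dict]:
    """CI-style gate: every pinned dependency must resolve to an approved release."""
    report = {f"{n}=={v}": catalog.resolve(n, v)[0] for n, v in lockfile.items()}
    return all(s == "approved" for s in report.values()), report


def demo() -> tuple[Catalog, bool, dict]:
    """Constructed scenario: a subscriber catalog inheriting from a managed one."""
    managed = Catalog("managed-python", Standards(
        frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only"}), "high"))
    managed.submit(Release("requests", "2.31.0", "Apache-2.0", None))
    managed.submit(Release("copyleft-lib", "1.0.0", "GPL-3.0-only", None))  # hypothetical package
    managed.submit(Release("oldparser", "0.9.0", "MIT", "critical"))        # hypothetical; opens a task

    corp = Catalog("acme-python", Standards(
        frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}), "medium"), parent=managed)
    corp.submit(Release("internal-util", "3.2.1", "MIT", "low"))

    lockfile = {"requests": "2.31.0", "copyleft-lib": "1.0.0",
                "internal-util": "3.2.1", "leftpad": "1.0.0"}
    aligned, report = check_alignment(corp, lockfile)
    return corp, aligned, report


if __name__ == "__main__":
    corp, aligned, report = demo()
    print("aligned:", aligned)
    for dep, status in report.items():
        print(f"  {dep}: {status}")
    print("open tasks in parent catalog:", corp.parent.tasks)
```

In the scenario, `requests` is inherited and passes the stricter subscriber standards; `copyleft-lib` is approved upstream but denied locally by the subscriber’s license allow-list; `oldparser` never enters the managed catalog and instead leaves an open task; and `leftpad` is simply not in any catalog, which a real pipeline should treat as a failure rather than silently allow.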

Still need help? Contact Us