TrustSource supports a dynamic approach to ensuring compliance with open source licenses. It builds on a knowledge base of license know-how and on an understanding of the implications that the legal and commercial situation of a project has for license obligations. Together, this allows for a comprehensive, ad-hoc interpretation of the compliance situation of each component.
However, there may still be a need to tightly control the use of certain licenses or license families. To support these different needs, TrustSource provides Deny lists and Allow lists (also referred to as blacklists and whitelists):
- Deny list - A Deny list forbids the use of a particular license. A license on a Deny list will always be reported as a violation. Deny lists cascade: a license put on the corporate Deny list is flagged as a violation wherever it occurs, in every project and module. Deny lists can be defined at corporate, project or module scope.
- Allow list - An Allow list creates exemptions, i.e. it explicitly declares a license as valid for a particular scope. The analysis result of an allow-listed license is overruled with an OK status. This lets you declare a license suitable even where TrustSource's own interpretation would flag it. Allow lists follow the same cascade as Deny lists: corporate, project and module Allow lists.
PLEASE NOTE: All interactions with Deny or Allow lists (additions, removals and approvals) are recorded in the audit logs!
It is also possible to require that every license be explicitly approved on an Allow list for a particular project or module before it may be used. This allows for a very restrictive compliance approach; see the article "Enforce Allow-listing" for details. We do not recommend this approach in general, because it typically slows projects down: every newly encountered license has to be approved before the component can pass. For very critical solutions, however, it may be important.
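The cascade described above can be modelled as a small policy resolver. The following is an added example written for this article, not TrustSource's own code or API. It assumes SPDX identifiers as license names, that the three list levels shown are the chain applicable to the one module being evaluated, and, because the text does not say what happens when a license appears on both a Deny list and an Allow list, that a Deny list entry at any level wins ("will always appear as a violation"). The `enforce_allow_listing` flag models the restrictive mode mentioned above; the audit log is a plain in-memory list standing in for TrustSource's audit logs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Cascade order, outermost scope first. A corporate entry applies to every
# project and module; a module entry applies only to that module.
SCOPES: Tuple[str, ...] = ("corporate", "project", "module")

VIOLATION = "VIOLATION"
OK = "OK"


@dataclass
class ScopedLists:
    """Deny and Allow lists for the scope chain of one module (assumed model)."""
    deny: Dict[str, Set[str]] = field(default_factory=lambda: {s: set() for s in SCOPES})
    allow: Dict[str, Set[str]] = field(default_factory=lambda: {s: set() for s in SCOPES})
    audit_log: List[dict] = field(default_factory=list)

    def _edit(self, kind: str, scope: str, license_id: str, actor: str, action: str) -> None:
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        target = self.deny if kind == "deny" else self.allow
        if action == "add":
            target[scope].add(license_id)
        else:
            target[scope].discard(license_id)
        # Every interaction with a list is recorded, as the article requires.
        self.audit_log.append(
            {"actor": actor, "action": action, "list": kind, "scope": scope, "license": license_id}
        )

    def deny_license(self, scope: str, license_id: str, actor: str) -> None:
        self._edit("deny", scope, license_id, actor, "add")

    def allow_license(self, scope: str, license_id: str, actor: str) -> None:
        self._edit("allow", scope, license_id, actor, "add")

    def remove_allow(self, scope: str, license_id: str, actor: str) -> None:
        self._edit("allow", scope, license_id, actor, "remove")


def evaluate(lists: ScopedLists, license_id: str, analysis_result: str,
             enforce_allow_listing: bool = False) -> Tuple[str, str]:
    """Resolve the compliance status of one license in one module.

    Precedence (assumption: Deny beats Allow on conflict):
      1. Deny list at any enclosing scope  -> VIOLATION
      2. Allow list at any enclosing scope -> OK (overrules the analysis)
      3. enforce_allow_listing and no Allow entry -> VIOLATION
      4. otherwise the dynamic analysis result stands
    """
    for scope in SCOPES:
        if license_id in lists.deny[scope]:
            return VIOLATION, f"{license_id} is on the {scope} Deny list"
    for scope in SCOPES:
        if license_id in lists.allow[scope]:
            return OK, f"{license_id} is on the {scope} Allow list"
    if enforce_allow_listing:
        return VIOLATION, f"{license_id} is not approved on any Allow list (enforced allow-listing)"
    return analysis_result, f"{license_id}: dynamic analysis result applies"


def demo() -> Dict[str, str]:
    """Constructed scenario: one module with a corporate ban and a project exemption."""
    lists = ScopedLists()
    lists.deny_license("corporate", "AGPL-3.0-only", actor="legal")
    lists.allow_license("project", "LGPL-2.1-only", actor="project-lead")
    # A module-level exemption cannot lift a corporate ban under the assumed precedence.
    lists.allow_license("module", "AGPL-3.0-only", actor="developer")

    results = {
        "AGPL-3.0-only": evaluate(lists, "AGPL-3.0-only", analysis_result=VIOLATION)[0],
        "LGPL-2.1-only": evaluate(lists, "LGPL-2.1-only", analysis_result="WARNING")[0],
        "MIT": evaluate(lists, "MIT", analysis_result=OK)[0],
        "MIT-enforced": evaluate(lists, "MIT", analysis_result=OK, enforce_allow_listing=True)[0],
    }
    results["audit_entries"] = str(len(lists.audit_log))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that with `enforce_allow_listing=True` a permissive license such as MIT is reported as a violation until someone approves it on an Allow list, which is exactly the overhead that makes the enforced mode expensive for ordinary projects.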
To get more details on how to manage Deny and Allow lists, see the following articles:
- Policy to prevent use of specific licenses
- Enforce Allow-listing
- Manage approvals on Allow-lists