Managed open source company Tidelift wants to help organizations navigate through their open-source dependencies as well as clear up any confusion.
According to the company, organizations usually take either a distributed or a centralized approach to managing open-source dependencies. With the distributed approach, developers are free to bring in new open-source components with few controls. This gives developers the freedom to work fast, but as more and more components are added it can become a “maintenance and security nightmare,” the company explained.
The centralized approach aims to lower maintenance, security and licensing risk by putting strict controls in place, but those controls get in the way of developers doing their work. For instance, it can take days, weeks or even months for an open-source component to be approved.
“The end result: Cranky developers who can’t get much done. Builds blocked at the last minute. A backlog of unresolved issues flagged by scanning tools that no one knows how to fix. Meanwhile, development slows, good developers get discouraged, and no one is happy with the status quo,” Havoc Pennington, cofounder of Tidelift, wrote in a post.
While scanning tools can help identify issues, Tidelift believes they are not enough on their own to get those issues resolved.
The new catalogs solution aims to tackle the amount of review work, promote an efficient workflow, and provide accurate data to workflow automation and policy compliance.
The company explained that catalogs can clear up whether or not a package may be used, provide a single source of truth for packages and versions, provide a repository of known-good artifacts, and make clear who is responsible for managing and maintaining the open-source components.
The way it works is that teams or organizations create a catalog, subscribe to Tidelift-managed catalogs, and define their standards. Tidelift then helps keep the catalog current, provides security updates, tracks maintenance and licensing data, and recommends fixes. From there, developers can add new packages to the catalog as needed, and organizations can create more catalogs if desired.