Today we’ve added a new feature we are calling catalogs to the Tidelift Subscription. Catalogs bring managed open source to life by providing a mechanism for customers to create and maintain an organization-wide inventory of open source package releases that just work.
Simultaneously, catalogs provide a mechanism for Tidelift, working with our network of maintainers, to pre-build a data-enriched inventory of known-good, issue-free open source packages that feeds into each subscriber’s customized catalogs. Tidelift subscribers receive a feed of data and updates from Tidelift-managed catalogs, helping them keep their own catalogs high-quality and up-to-date.
So that’s the what. Now let us go back to the why.
Over the past few years, we’ve talked to hundreds of organizations about how they manage their open source dependencies. Most of them fall somewhere on a spectrum between these two extremes.
Developers in your organization bring in new open source components on their own, without many controls. After all, you don’t want to set roadblocks in the way of your developers being able to deploy as quickly as possible.
But as you multiply this by hundreds or thousands of applications, each using a large number of open source dependencies, it creates the potential for a maintenance and security nightmare. You often don’t know which dependencies are being used and how they are (or are not) being secured and maintained, and by whom.
You’ve resisted putting in place too many controls, but the risks are getting higher, and the maintenance headaches are getting worse.
Your organization can’t tolerate the risk of a maintenance, security, or licensing emergency with an open source dependency. No one wants to be the next Equifax. So you’ve put strict controls in place. Scanning tools flag issues with the components you are using and block builds. Approvals for introducing new dependencies take days, weeks, or even months to weave through the bureaucracy.
The end result: Cranky developers who can’t get much done. Builds blocked at the last minute. A backlog of unresolved issues flagged by scanning tools that no one knows how to fix. Meanwhile, development slows, good developers get discouraged, and no one is happy with the status quo.
We hear from organizations every day that while scanning tools are useful for identifying issues, identification on its own is not enough without a clear way to help resolve those issues.
Scanning tools take one problem with an open source package (say, a security vulnerability or a missing license) and create an issue for every application (and every developer) using that package. The result: work proportional to M packages times N applications. Ouch. Moreover, the issues arise late in the development lifecycle.
So we asked ourselves, what might a better approach look like? How can we help organizations solve the issues that their scanners flag, while getting the benefits of a distributed approach (move fast) AND the benefits of a centralized approach (stay safe) at the same time?
The biggest and most well-funded Internet giants have identified the need to move fast and stay safe, and have come up with a solution to do both at once proactively. Here is an article that describes Google’s approach, for example.
These large organizations often create a library of pre-vetted, known-good open source package releases. Developers can use these without fear of late-in-the-game deployment blockers. Vulnerabilities and license concerns can be reviewed once, centrally, and addressed for the entire organization at once.
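To make the "review once, centrally" idea concrete, here is an added example of a minimal catalog check, written for this post and not part of Tidelift's product or code. It keeps an organization-wide catalog of approved and blocked package releases, checks each application's pinned dependencies against it, and then contrasts the number of per-application flags a scanner would raise with the number of distinct catalog issues that actually need resolving. Every package name, release number, application name and issue id below (`example-http`, `CAT-001`, `billing`, and so on) is constructed sample data.

```python
"""Added example (not Tidelift's code): an organization-wide catalog of vetted
open source package releases, plus a check of each application against it.

All package names, releases, issue ids and applications are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class CatalogEntry:
    package: str
    approved: FrozenSet[str]                          # releases reviewed centrally and cleared
    blocked: Dict[str, str] = field(default_factory=dict)  # release -> catalog issue id and reason
    recommended: Optional[str] = None                 # release the catalog steers teams toward


@dataclass
class Finding:
    app: str
    package: str
    release: str
    status: str                  # "approved", "blocked" or "unreviewed"
    reason: str = ""
    recommended: Optional[str] = None


# Constructed sample catalog (hypothetical packages and issue ids).
CATALOG: Dict[str, CatalogEntry] = {
    "example-http": CatalogEntry(
        "example-http", frozenset({"2.4.1", "2.5.0"}),
        blocked={"2.3.0": "CAT-001: vulnerability in header parsing, fixed upstream in 2.4.1"},
        recommended="2.5.0"),
    "example-yaml": CatalogEntry(
        "example-yaml", frozenset({"5.3.1"}),
        blocked={"5.1": "CAT-002: license not approved for use in shipped products"},
        recommended="5.3.1"),
}


def check_application(app: str, manifest: Dict[str, str],
                      catalog: Dict[str, CatalogEntry] = CATALOG) -> List[Finding]:
    """Compare one application's pinned dependencies against the catalog."""
    findings: List[Finding] = []
    for package, release in sorted(manifest.items()):
        entry = catalog.get(package)
        if entry is None:
            findings.append(Finding(app, package, release, "unreviewed",
                                    "package has not been reviewed for the catalog"))
        elif release in entry.approved:
            findings.append(Finding(app, package, release, "approved"))
        elif release in entry.blocked:
            findings.append(Finding(app, package, release, "blocked",
                                    entry.blocked[release], entry.recommended))
        else:
            findings.append(Finding(app, package, release, "unreviewed",
                                    "release not yet reviewed for the catalog",
                                    entry.recommended))
    return findings


def summarize(apps: Dict[str, Dict[str, str]],
              catalog: Dict[str, CatalogEntry] = CATALOG) -> Dict[str, int]:
    """Count per-application flags (what a scanner reports, M x N) against the
    distinct catalog issues that must be fixed once to clear all of them (M)."""
    flags = [f for app, manifest in apps.items()
             for f in check_application(app, manifest, catalog)
             if f.status != "approved"]
    blocked = [f for f in flags if f.status == "blocked"]
    issue_ids = {f.reason.split(":")[0] for f in blocked}   # "CAT-001", "CAT-002", ...
    return {
        "per_app_flags": len(flags),
        "blocked_flags": len(blocked),
        "unreviewed_flags": len(flags) - len(blocked),
        "distinct_catalog_issues": len(issue_ids),
    }


# Constructed sample manifests for three hypothetical applications.
APPS: Dict[str, Dict[str, str]] = {
    "billing": {"example-http": "2.3.0", "example-yaml": "5.1", "example-log": "1.0.0"},
    "web":     {"example-http": "2.3.0", "example-yaml": "5.3.1"},
    "worker":  {"example-http": "2.5.0", "example-yaml": "5.1"},
}


if __name__ == "__main__":
    for app, manifest in APPS.items():
        for f in check_application(app, manifest):
            if f.status != "approved":
                hint = f" -> use {f.recommended}" if f.recommended else ""
                print(f"{f.app}: {f.package} {f.release} {f.status}: {f.reason}{hint}")
    print(summarize(APPS))
```

Run as a script, the check reports five flags across the three applications, but only two catalog issues behind them: updating the catalog entry for `example-http` and `example-yaml` once clears four of the five flags everywhere, and the remaining one is a package nobody has reviewed yet. The catalog's `recommended` release is what turns an "identified issue" into a resolution a developer can act on.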
To work in this way, organizations need to solve several problems:
This approach takes a lot of time and people power—which is why only the richest technology companies have been able to afford it—until now.
Tidelift catalogs provide a way for any organization to get issue-free open source packages without the expense of vetting them wholly on its own. Instead, the Tidelift Subscription allows you to offload that responsibility to Tidelift and our network of independent maintainers—saving you time and allowing you to focus on building your apps.
With Tidelift catalogs in place, you can now definitively answer questions like these:
With the backing of Tidelift and our network of independent open source maintainers, you will have reliable, timely, and often proactive fixes in-hand for the components you rely on.