Quarantine for Copyleft Licenses
Have you rolled out quarantine to all your repositories? I’m always eager to learn more about what you’re blocking and why you’re blocking it – especially for apps that won’t ever be distributed to an end-user.
Brass tacks here: some licenses should almost never appear in software you distribute to others. The GPLv2 is a good example. As a copyleft license, it requires that anyone who distributes a binary built from GPLv2 code also make the corresponding source available under the GPLv2, a requirement that might not be compatible with your business goals.
But! The GPLv2's obligations are triggered by distribution. If your use of a GPLv2 component is purely internal (for example, in a testing environment), those requirements may not apply, which means quarantine might not be necessary.
Speaking generally, the best practice is to set the License-Copyleft policy to Quarantine for apps that will be distributed (the production builds that leave your organization), and to consider Warn for apps that stay purely internal. One caveat when defining "internal": a few copyleft licenses, notably the AGPLv3, also treat offering the software to users over a network as a trigger, so an internal-only service exposed to outside users may not be exempt.
Of course, your Legal department may not agree. They’re the experts and the stakeholders who need to manage legal risk, so follow their lead.
So, here’s the challenge. Take a look at the two examples below, and tell us which one should have the License-Copyleft policy set to “Quarantine” and which one should have it set to “Warn.”
- A repo (named maven-proxy-usaeast1-prod) is hooked up to an automation server like Jenkins or Bamboo. A build task completes once a day, and the resulting .exe file is automatically pushed to a website, where any user can download it.
- A repo (named maven-proxy-product-testing) is used by four developers to build custom testing tools as part of a QA cycle. The repo isn’t used by anyone else, and whatever the team develops gets archived on an internal server somewhere.
Chances are you didn’t have to think too hard – but give us your answer in the comments, anyway! And for more, check the rest of the best practices posts and visit us at learn.sonatype.com.