You're using a lot of open source. It's free, but nothing is really free. When you pay for software, you insist on certain assurances: around security practices, licensing, support, and more. There are good reasons you want these—and with open source, for most packages, there's literally no way to obtain them. And there's a cost to that, one your team bears every day.
Most software teams are adopting new open source packages every day, with individual developers making the calls informally. Developers need to work this way to get their jobs done—there are too many packages involved in modern development to talk to a committee about every one.
“In all cases I want to reduce risk. The whole point of OSS is to accelerate. If I start to lose velocity I’m losing the value of using open source.”
What if you could have the flexibility of open source with the assurances of vendor-provided code? It'd be great to choose any open source you need from Maven Central, npm, Rubygems, PyPI, or wherever, and manage it all in one place. What if you could easily set up continuous tracking of your dependencies, and then have a straightforward list of issues to be aware of—all in one place?
That'd be great, but you'd still have to fix those issues. What if you could also get some proactive assurances that the list of issues will go down in the future—that your dependencies in particular won't have so many security, licensing, and maintenance problems to worry about? You'd have significantly more peace of mind around your open source stack.
That's the product we've built.
It's called the Tidelift Subscription. Here's how it works:
Ready to learn more?
How do we do it? We've set up software and business processes for our subscribers to manage all their open source packages, at scale. The two key elements:
Here's exactly what happens when you subscribe to Tidelift.