Sentry is a leader in application performance and error monitoring. Over four million developers and 90,000 organizations monitor the health of their applications using the organization’s products.
The company has grown and evolved quite a bit since it was launched as an open source side project in 2008, but its open source origins are still apparent today.
Sentry is a vocal proponent of open source sustainability — a philosophy that includes providing financial support to open source projects and maintainers as well as using open source responsibly. Not only does Sentry fund (to the tune of over $500,000 in 2023 alone) the open source community, but it’s developed and implemented a sophisticated program to track and ensure compliance with software licensing requirements.
The company’s license compliance program includes a mix of policies, processes, and automation — in the form of FOSSA’s open source management platform.
“We’re very developer-focused here,” says Gavin Zee, Sentry’s Head of Commercial Transactions. “Our No. 1 goal in running license compliance is to not block our developers and keep things running quickly and smoothly as much as possible. For us, that means automating — and it means automating with FOSSA.”
“The key factors in choosing FOSSA were the policy customization options in addition to the fact that the UI is intuitive and easy for us to use. We’ve now been using FOSSA for several years, and what’s also stood out beyond its features has been the support we’ve gotten from the team.”
Inside Open Source License Compliance at Sentry
Sentry views open source license compliance as vital to promoting open source sustainability, and it has made significant investments to develop the tooling and processes to manage compliance continuously.
The company’s legal team works closely with its open source program office (and Head of Open Source Chad Whitacre) to draft policies — which are then implemented in FOSSA — concerning open source licenses that can and can’t be included in the products it ships. These policies are based on an approve/flag/deny system:
- Approve: Permissive licenses such as Apache 2.0 and MIT are always allowed in Sentry’s products. FOSSA never creates a ticket or breaks a build for a license on the “Approve” list.
- Flag: Newer or less common licenses that aren’t on Sentry’s “Approve” or “Deny” lists are flagged for further review.
- Deny: Certain strong copyleft licenses are never allowed in Sentry’s distributed products. FOSSA will break the build and create an issue ticket if it detects a license on Sentry’s “Deny” list.
Sentry automates the application of these policies by building them in FOSSA, which integrates directly with the company’s CI/CD pipeline. This automation allows Sentry to have confidence that it’s only shipping code with in-policy licenses. It also frees Sentry’s engineers from tracking their licenses in spreadsheets or with other manual processes.
“FOSSA is in our CI/CD and automatically runs license checks,” Zee says. “Every license it detects on our ‘Approve’ list passes right through. If FOSSA detects a license that’s flagged for further review, there’s a quick way for us to triage, review, and clear it with a Slack channel we maintain.”
Managing IP Risks from Source Available Licenses
Source available licenses are similar to open source licenses in that they make source code available, but they differ in that source available licenses do place certain restrictions on using that code. In contrast, open source licenses might place conditions (e.g. providing attribution), but never requirements.
The new Functional Source License (FSL), which Sentry created to provide greater standardization to the source available space, is an example of a source available license. So, too, is the Business Source License (BSL).
The growing popularity of source available licenses means that in-house legal teams, OSPOs, and engineering organizations will be well-served to be mindful of the IP considerations around using source available code — just like they would open source.
Sentry’s software license compliance program accounts for source available licenses in addition to open source ones. For one, the company’s approve/flag/deny policies cover popular source available licenses. Additionally, since FOSSA detects source available licenses (in addition to open source), Sentry is able to automate the implementation of those policies.
Ultimately, Sentry takes a similar approach to managing source available licenses as it does to managing copyleft open source licenses.
“With source available, it’s important to do the same analysis that you would for weak or strong copyleft,” Zee says. “That means understanding the requirements of the underlying license and knowing what your use cases are and whether your use cases will trigger any of the obligations or violate any of the obligations.”
Sentry and Software Licensing: Learn More
This blog is based on a webinar that Sentry’s Head of Commercial Transactions Gavin Zee and Head of Open Source Chad Whitacre conducted with FOSSA. For a deeper dive into the organization’s software licensing philosophy, we’d recommend you view the on-demand recording.
In addition to guidance on managing compliance with open source and source available licenses, the webinar offers a behind-the-scenes look at how (and why) Sentry created the new Functional Source License.