I have opened a ticket RAT-518 [1] concerning the definition of additional licenses. The issue arises when additional licenses are defined but no approved license families are included. The default behaviour when there is no "approved" section is to assume that all licenses defined in the file are approved. This strategy works well when there is a single definition file that contains only the approved licenses. However, if there are additional licenses defined but that should not be approved it becomes cumbersome.
I think there are two solutions. 1. Change the default behaviour so that if approved license families have to be explicitly approved. This may break some implementation in rare cases, but is easily fixable. 2. Continue with the case where all licenses defined in a configuration that does not include an "approved" section are considered to be approved. This can lead to a case where unintended licenses are included in the approved list. Since these will not be flagged, it would not be evident that there was an issue with the approval system. I wanted to surface this issue and see if there were any strong feelings about it. If not I will proceed with the removal of the "approved" as default. [1] https://issues.apache.org/jira/browse/RAT-518
