I think there are 2 more options:

3. Fail early when there's more than one configuration and not all or one of those have an "approved" section. Maybe with a global option to opt-in to the current behavior.
4. Make the "approved" section mandatory (1+ entries). Not sure about this one though.

On Sun, Nov 9, 2025 at 12:07 AM Claude Warren <[email protected]> wrote:
>
> I have opened a ticket RAT-518 [1] concerning the definition of additional
> licenses. The issue arises when additional licenses are defined but no
> approved license families are included. The default behaviour when there
> is no "approved" section is to assume that all licenses defined in the file
> are approved. This strategy works well when there is a single definition
> file that contains only the approved licenses. However, if there are
> additional licenses defined but that should not be approved it becomes
> cumbersome.
>
> I think there are two solutions.
>
> 1. Change the default behaviour so that approved license families
> have to be explicitly approved. This may break some implementation in rare
> cases, but is easily fixable.
> 2. Continue with the case where all licenses defined in a configuration
> that does not include an "approved" section are considered to be approved.
> This can lead to a case where unintended licenses are included in the
> approved list. Since these will not be flagged, it would not be evident
> that there was an issue with the approval system.
>
> I wanted to surface this issue and see if there were any strong feelings
> about it. If not I will proceed with the removal of the "approved" as
> default.
>
> [1] https://issues.apache.org/jira/browse/RAT-518
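
The approval policies discussed in this thread, as an added example that is not part of either message and is not Apache RAT code: a simplified Python model in which each configuration is a dict with hypothetical `name`, `defined` and `approved` keys (not RAT's configuration format). The `fail_early` policy is one reading of option 3, and the sample data is constructed.

```python
# Added illustration; simplified model, not Apache RAT code or its file format.
# Assumed shape: {"name": str, "defined": [family ids], "approved": [ids]},
# where "approved" is optional.

class AmbiguousApproval(Exception):
    """Raised by the fail-early policy when approval would be implicit."""


def approved_families(configs, policy="implicit"):
    """Return the set of approved license family ids.

    implicit:   a configuration without "approved" approves all it defines
                (the current default described in the thread).
    explicit:   only ids listed under "approved" count (option 1).
    fail_early: with more than one configuration, refuse to continue if any
                of them lacks "approved" (one reading of option 3).
    """
    if policy not in ("implicit", "explicit", "fail_early"):
        raise ValueError(f"unknown policy: {policy}")
    missing = [c["name"] for c in configs if "approved" not in c]
    if policy == "fail_early" and len(configs) > 1 and missing:
        raise AmbiguousApproval(f"no 'approved' section in: {missing}")
    approved = set()
    for cfg in configs:
        if "approved" in cfg:
            approved.update(cfg["approved"])
        elif policy != "explicit":
            approved.update(cfg["defined"])
    return approved


def implicitly_approved(configs):
    """Families approved only because of the implicit default (audit aid)."""
    return approved_families(configs, "implicit") - approved_families(configs, "explicit")


# Constructed sample: a base file with approvals, plus a file that defines
# extra families for detection only and therefore has no "approved" section.
BASE = {"name": "base", "defined": ["AL2", "MIT"], "approved": ["AL2", "MIT"]}
EXTRA = {"name": "extra", "defined": ["GPL3", "VENDOR-EULA"]}

if __name__ == "__main__":
    print(sorted(approved_families([BASE, EXTRA], "implicit")))
    print(sorted(approved_families([BASE, EXTRA], "explicit")))
    print(sorted(implicitly_approved([BASE, EXTRA])))
```
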
