up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled

StellaOps Bot
2025-11-26 07:47:08 +02:00
parent 56e2f64d07
commit 1c782897f7
184 changed files with 8991 additions and 649 deletions

@@ -2,6 +2,11 @@
This guide describes the reproducible process for assembling the sovereign cryptography bundle that backs RootPack_RU deployments.
## 0. Fork provenance & licensing checklist
- Confirm the vendored fork commit recorded in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` matches `git -C third_party/forks/AlexMAS.GostCryptography rev-parse HEAD` before you package.
- Copy the fork's `LICENSE` (MIT) and `STELLA_NOTES.md` into the bundle `docs/` directory so downstream operators see the source provenance; keep the plug-ins themselves under AGPL-3.0-or-later.
- Do not publish the fork to NuGet; all builds must use the vendored sources shipped inside the bundle.
## 1. What the bundle contains
| Directory | Purpose |
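Review bot: the first bullet of section 0 assumes `third_party/forks/AlexMAS.GostCryptography` is its own git repository or a submodule, and the guide does not say so. If the fork is checked in as plain vendored files, `git -C third_party/forks/AlexMAS.GostCryptography rev-parse HEAD` resolves the enclosing repository and prints the outer HEAD, so the comparison with the commit recorded in `STELLA_NOTES.md` would not be checking the fork at all. Please state which layout applies and, for plain vendored sources, name a check that works there (for example a recorded tree or content hash). Because this is a manual checklist item on a provenance control, it would also be safer for the packaging script to perform the comparison and fail on mismatch rather than rely on the operator.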
@@ -29,6 +34,13 @@ The script performs the following steps:
4. Adds the Russian trust anchors from `certificates/russian_trusted_*`.
5. Emits `README.txt` and optionally creates a `*.tar.gz` archive (set `PACKAGE_TAR=0` to skip the tarball).
After the script finishes, drop the fork metadata into `docs/` inside the bundle:
```bash
cp third_party/forks/AlexMAS.GostCryptography/LICENSE "${OUTPUT_ROOT}/docs/LICENSE.gostcryptography"
cp third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md "${OUTPUT_ROOT}/docs/STELLA_NOTES.gostcryptography.md"
```
> **Temporary quarantine (2025-11-09).** To keep day-to-day builds free of the vulnerable GostCryptography dependency, the repository disables the CryptoPro plug-in unless you pass `-p:StellaOpsEnableCryptoPro=true`. RootPack packaging still works because this script publishes the plug-in directly, but any host/service build that needs CryptoPro must opt in with that MSBuild property until the patched package lands.
## 3. Attach deterministic test evidence
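Review bot: the new "After the script finishes" step runs after step 5 has already created the `*.tar.gz`, so the archive will not contain `docs/LICENSE.gostcryptography` or `docs/STELLA_NOTES.gostcryptography.md` unless the operator sets `PACKAGE_TAR=0` and archives by hand. Section 0 requires these files in the bundle for licence and provenance reasons, so either move the two `cp` lines into the script ahead of the archive step or document the `PACKAGE_TAR=0` then re-archive order explicitly. The snippet also assumes `${OUTPUT_ROOT}/docs/` exists and that `OUTPUT_ROOT` is set in the operator's shell; none of the visible steps creates that directory, so a `mkdir -p "${OUTPUT_ROOT}/docs"` before the copies and a note on where `OUTPUT_ROOT` comes from would avoid a failed or misplaced copy.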