license switch agpl -> busl1, sprints work, new product advisories

This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions

View File

@@ -1,84 +1,68 @@
# LegalFAQ FreeTier Quota & AGPLCompliance
> **Operational behaviour (limits, counters, delays) is documented in
> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).**
> This page covers only the legal aspects of offering StellaOps as a
> service or embedding it into another product while the freetier limits are
> in place.
---
## 1 · Does enforcing a quota violate the AGPL?
**No.**
AGPL3.0 does not forbid implementing usage controls in the program itself.
Recipients retain the freedoms to run, study, modify and share the software.
The StellaOps quota:
* Is enforced **solely at the service layer** (Valkey counters, Redis-compatible) — the source
code implementing the quota is published under AGPL3.0orlater.
* Never disables functionality; it introduces *time delays* only after the
free allocation is exhausted.
* Can be bypassed entirely by rebuilding from source and removing the
enforcement middleware — the licence explicitly allows such modifications.
Therefore the quota complies with §§ 0 & 2 of the AGPL.
---
## 2·Can I redistribute StellaOps with the quota removed?
Yes, provided you:
1. **Publish the full corresponding source code** of your modified version
(AGPL§13 & §5c), and
2. Clearly indicate the changes (AGPL§5a).
You may *retain* or *relax* the limits, or introduce your own tiering, as long
as the complete modified source is offered to every user of the service.
---
## 3·Embedding in a proprietary appliance
You may ship StellaOps inside a hardware or virtual appliance **only if** the
entire combined work is distributed under **AGPL3.0orlater** and you supply
the full source code for both the scanner and your integration glue.
Shipping an AGPL component while keeping the rest closedsource violates
§13 (*“remote network interaction”*).
---
## 4·SaaS redistribution
Operating a public SaaS that offers StellaOps scans to third parties triggers
the **networkuse clause**. You must:
* Provide the complete, buildable source of **your running version**
including quota patches or UI branding.
* Present the offer **conspicuously** (e.g. a “Source Code” footer link).
Failure to do so breaches §13 and can terminate your licence under §8.
---
## 5·Is email collection for the JWT legal?
* **Purpose limitation (GDPR Art. 51 b):** address is used only to deliver the
JWT or optional release notes.
* **Data minimisation (Art. 51 c):** no name, IP or marketing preferences are
required; a blank email body suffices.
* **Storage limitation (Art. 51 e):** addresses are deleted or hashed after
7days unless the sender opts into updates.
Hence the token workflow adheres to GDPR principles.
---
## 6·Changelog
| Version | Date | Notes |
|---------|------|-------|
| **2.0** | 20250716 | Removed runtime quota details; linked to new authoritative overview. |
| 1.0 | 20241220 | Initial legal FAQ. |
# Legal FAQ <EFBFBD> Free-Tier Quota & BUSL-1.1 Additional Use Grant
> **Operational behaviour (limits, counters, delays) is documented in**
> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).
> This page covers only the legal aspects of offering Stella Ops as a
> service or embedding it into another product while the free-tier limits are
> in place.
---
## 1 ? Does enforcing a quota violate BUSL-1.1?
**No.**
BUSL-1.1 permits usage controls and requires production use to remain within the
Additional Use Grant (3 environments, 999 new hash scans per 24 hours, and no
SaaS/hosted third-party service). Quota enforcement documents compliance.
The Stella Ops quota:
* Is enforced **solely at the service layer** (Valkey counters, Redis-compatible).
* Never disables functionality; it introduces *time delays* only after the
free allocation is exhausted.
* Can be bypassed by rebuilding from source, but production use outside the
Additional Use Grant requires a commercial license.
## 2 ? Can I redistribute Stella Ops with the quota removed?
Yes, provided you:
1. **Include the LICENSE and NOTICE files** with your distribution, and
2. **Mark modified files** with prominent change notices.
Recipients are still bound by BUSL-1.1 and the Additional Use Grant; production
use outside the grant requires a commercial license.
## 3 ? Embedding in a proprietary appliance
You may ship Stella Ops inside a hardware or virtual appliance under BUSL-1.1.
You must include LICENSE and NOTICE and preserve attribution notices. Production
use must remain within the Additional Use Grant unless a commercial license is
obtained. Proprietary integration code does not have to be disclosed.
## 4 ? SaaS redistribution
The BUSL-1.1 Additional Use Grant prohibits providing Stella Ops as a hosted or
managed service to third parties. SaaS/hosted use requires a commercial license.
## 5 <20> Is e-mail collection for the JWT legal?
* **Purpose limitation (GDPR Art. 5-1 b):** address is used only to deliver the
JWT or optional release notes.
* **Data minimisation (Art. 5-1 c):** no name, IP or marketing preferences are
required; a blank e-mail body suffices.
* **Storage limitation (Art. 5-1 e):** addresses are deleted or hashed after
<= 7 days unless the sender opts into updates.
Hence the token workflow adheres to GDPR principles.
---
## 6 <20> Change-log
| Version | Date | Notes |
|---------|------|-------|
| **3.0** | 2026-01-20 | Updated for BUSL-1.1 Additional Use Grant. |
| **2.1** | 2026-01-20 | Updated for Apache-2.0 licensing (superseded by BUSL-1.1 in v3.0). |
| **2.0** | 2025-07-16 | Removed runtime quota details; linked to new authoritative overview. |
| 1.0 | 2024-12-20 | Initial legal FAQ. |
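Review bot: the new headings in this file carry replacement characters where the old version used a middle dot: `# Legal FAQ <EFBFBD> Free-Tier Quota & BUSL-1.1 Additional Use Grant`, `## 1 ? Does enforcing a quota violate BUSL-1.1?` and `## 5 <20> Is e-mail collection for the JWT legal?` (headings 2, 3, 4 and 6 likewise). Re-save the file as UTF-8 with the `·` separator restored. Two smaller points: the sentence `Quota enforcement documents compliance.` in section 1 is vague, because a scan counter cannot by itself show that the 3-environment limit is respected; say what the quota enforces (hash scans per 24 hours) and what the operator must track separately (environment count). The GDPR citations `Art. 5-1 b`, `Art. 5-1 c`, `Art. 5-1 e` read better in the conventional form `Art. 5(1)(b)` and so on.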

View File

@@ -1,25 +1,26 @@
# License Compatibility Analysis
**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**StellaOps License:** AGPL-3.0-or-later
**Document Version:** 1.1.0
**Last Updated:** 2026-01-20
**StellaOps License:** BUSL-1.1
This document analyzes the compatibility of third-party licenses with StellaOps' AGPL-3.0-or-later license.
This document analyzes the compatibility of third-party licenses with StellaOps' BUSL-1.1 license and Additional Use Grant.
---
## 1. AGPL-3.0-or-later Overview
## 1. BUSL-1.1 Overview
The GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later) is a strong copyleft license that:
The Business Source License 1.1 (BUSL-1.1) is a source-available license that:
1. **Requires** source code disclosure for modifications
2. **Requires** network use disclosure (Section 13) - users interacting over a network must be able to receive the source code
3. **Allows** linking with permissively-licensed code (MIT, Apache-2.0, BSD)
4. **Prohibits** linking with incompatibly-licensed code (GPL-2.0-only, proprietary)
1. **Allows** non-production use, modification, and redistribution of the Licensed Work
2. **Allows** limited production use only as granted in the Additional Use Grant
3. **Requires** preservation of the license text and attribution notices
4. **Provides** a Change License (Apache-2.0) that becomes effective on the Change Date
5. **Restricts** SaaS/hosted service use beyond the Additional Use Grant
### Key Compatibility Principle
> Code licensed under permissive licenses (MIT, Apache-2.0, BSD, ISC) can be incorporated into AGPL projects. The combined work is distributed under AGPL terms.
> Permissive-licensed code (MIT, BSD, Apache) can be incorporated into BUSL-1.1 projects without changing the overall license. Strong copyleft or service-restriction licenses (GPL/AGPL/SSPL) impose obligations that conflict with BUSL-1.1 distribution terms or Additional Use Grant restrictions.
---
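Review bot: item 4 of the overview says the Change License `becomes effective on the Change Date` without stating the date or pointing to where it is defined; add the date or a reference to `LICENSE` so readers of this document do not have to look it up. The Key Compatibility Principle also groups GPL with AGPL and SSPL as conflicting with `BUSL-1.1 distribution terms`, while LGPL stays conditionally compatible in 2.2; state the LGPL exception here or say that it is treated in 2.2.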
@@ -27,12 +28,12 @@ The GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later) is a str
### 2.1 Fully Compatible (Inbound)
These licenses are fully compatible with AGPL-3.0-or-later. Code under these licenses can be incorporated into StellaOps.
These licenses are fully compatible with BUSL-1.1. Code under these licenses can be incorporated into StellaOps.
| License | SPDX | Compatibility | Rationale |
|---------|------|---------------|-----------|
| MIT | MIT | **Yes** | Permissive, no copyleft restrictions |
| Apache-2.0 | Apache-2.0 | **Yes** | Permissive, patent grant included |
| Apache-2.0 | Apache-2.0 | **Yes** | Same license, patent grant included |
| BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions |
| BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only |
| ISC | ISC | **Yes** | Functionally equivalent to MIT |
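Review bot: the rationale `Same license, patent grant included` for Apache-2.0 is wrong now that the project license is BUSL-1.1; it looks like a leftover from the Apache-2.0 step recorded as v2.1 in the FAQ change-log. Restore `Permissive, patent grant included`, optionally noting that Apache-2.0 is also the Change License.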
@@ -41,95 +42,89 @@ These licenses are fully compatible with AGPL-3.0-or-later. Code under these lic
| Unlicense | Unlicense | **Yes** | Public domain dedication |
| PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD |
| Zlib | Zlib | **Yes** | Permissive |
| WTFPL | WTFPL | **Yes** | Do what you want |
| BlueOak-1.0.0 | BlueOak-1.0.0 | **Yes** | Permissive |
| Python-2.0 | Python-2.0 | **Yes** | Permissive |
### 2.2 Compatible with Conditions
| License | SPDX | Compatibility | Conditions |
|---------|------|---------------|------------|
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking |
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking |
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL code must remain in separate files |
| GPL-3.0-or-later | GPL-3.0-or-later | **Yes** | Combined work is AGPL-3.0+ |
| AGPL-3.0-or-later | AGPL-3.0-or-later | **Yes** | Same license |
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking; library boundary required |
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking; library boundary required |
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL files remain isolated |
### 2.3 Incompatible
These licenses are **NOT** compatible with AGPL-3.0-or-later:
These licenses are **NOT** compatible with keeping StellaOps under BUSL-1.1:
| License | SPDX | Issue |
|---------|------|-------|
| GPL-2.0-only | GPL-2.0-only | Version lock conflicts with AGPL-3.0 |
| SSPL-1.0 | SSPL-1.0 | Additional restrictions |
| GPL-2.0-only | GPL-2.0-only | Requires GPL relicensing; incompatible with BUSL distribution |
| GPL-2.0-or-later | GPL-2.0-or-later | Requires GPL relicensing; incompatible with BUSL distribution |
| GPL-3.0-only | GPL-3.0-only | Requires GPL distribution for combined work |
| GPL-3.0-or-later | GPL-3.0-or-later | Requires GPL distribution for combined work |
| AGPL-3.0-only | AGPL-3.0-only | Network copyleft conflicts with BUSL restrictions |
| AGPL-3.0-or-later | AGPL-3.0-or-later | Network copyleft conflicts with BUSL restrictions |
| SSPL-1.0 | SSPL-1.0 | Service source disclosure conflicts with BUSL restrictions |
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions conflict with BUSL grant |
| Proprietary | LicenseRef-Proprietary | No redistribution rights |
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions |
| BUSL-1.1 | BUSL-1.1 | Production use restrictions |
---
## 3. Distribution Models
### 3.1 Source Distribution (AGPL Compliant)
### 3.1 Source Distribution (BUSL-1.1 Compliant)
When distributing StellaOps source code:
```
StellaOps (AGPL-3.0-or-later)
├── StellaOps code (AGPL-3.0-or-later)
├── MIT-licensed deps (retain copyright notices)
├── Apache-2.0 deps (retain NOTICE files)
└── BSD deps (retain copyright notices)
StellaOps (BUSL-1.1)
+-- StellaOps code (BUSL-1.1)
+-- MIT/BSD deps (retain notices)
+-- Apache-2.0 deps (retain NOTICE files)
+-- MPL/LGPL deps (retain file/library boundaries)
```
**Requirements:**
- Include full AGPL-3.0-or-later license text
- Preserve all third-party copyright notices
- Preserve all NOTICE files from Apache-2.0 dependencies
- Provide complete corresponding source
- Include full BUSL-1.1 license text with Additional Use Grant
- Preserve all third-party copyright and attribution notices
- Preserve NOTICE files from Apache-2.0 dependencies
- Mark modified files with prominent change notices
### 3.2 Binary Distribution (AGPL Compliant)
### 3.2 Binary Distribution (BUSL-1.1 Compliant)
When distributing StellaOps binaries (containers, packages):
```
StellaOps Binary
├── LICENSE (AGPL-3.0-or-later)
├── NOTICE.md (all attributions)
├── third-party-licenses/ (full license texts)
└── Source availability: git.stella-ops.org
+-- LICENSE (BUSL-1.1)
+-- NOTICE.md (all attributions)
+-- third-party-licenses/ (full license texts)
+-- Source link (optional, transparency only)
```
**Requirements:**
- Include AGPL-3.0-or-later license
- Include BUSL-1.1 license with Additional Use Grant
- Include NOTICE file with all attributions
- Provide mechanism to obtain source code
- For network services: provide source access per Section 13
- Include license texts for vendored code
### 3.3 Network Service (Section 13)
### 3.3 Network Service (No Copyleft Clause)
StellaOps is primarily deployed as network services. AGPL Section 13 requires:
> If you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network [...] an opportunity to receive the Corresponding Source of your version.
**StellaOps Compliance:**
- Source code is available at `https://git.stella-ops.org`
- Web UI includes "Source" link in footer/about page
- API responses include `X-Source-URL` header option
- Documentation includes source availability notice
BUSL-1.1 restricts SaaS/hosted service use beyond the Additional Use Grant. Operating StellaOps as a service is permitted only within the grant limits or under a commercial license; see `LICENSE` for details.
### 3.4 Aggregation (Not Derivation)
The following are considered **aggregation**, not derivation:
| Scenario | Classification | AGPL Impact |
|----------|---------------|-------------|
| Scenario | Classification | BUSL-1.1 Impact |
|----------|---------------|-------------------|
| PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed |
| RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 |
| Docker containers | Aggregation | Base image licenses unaffected |
| Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 |
| Hardware (HSM) | Interface only | HSM license unaffected |
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces. They are not linked into StellaOps binaries.
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces and are not linked into StellaOps binaries.
---
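Review bot: the Incompatible table in 2.3 ends with the row `| BUSL-1.1 | BUSL-1.1 | Production use restrictions |`; if that row survives this change it contradicts the new heading `These licenses are **NOT** compatible with keeping StellaOps under BUSL-1.1`. Either drop it or reword it to cover third-party BUSL components whose own Additional Use Grant may be narrower than StellaOps'. In 3.2, if `Provide mechanism to obtain source code` remains in the binary-distribution requirements, it disagrees with the tree just above it, which marks the source link as `optional, transparency only`; make the two agree.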
@@ -180,18 +175,18 @@ The following are considered **aggregation**, not derivation:
| Usage | PKCS#11 interface only |
| Requirement | Customer obtains own license |
**Analysis:** StellaOps provides only the integration code (AGPL-3.0-or-later). CryptoPro CSP binaries are never distributed by StellaOps. This is a clean separation:
**Analysis:** StellaOps provides only the integration code (BUSL-1.1). CryptoPro CSP binaries are never distributed by StellaOps.
```
StellaOps Ships:
├── PKCS#11 interface code (AGPL-3.0-or-later)
├── Configuration documentation
└── Integration tests (mock only)
+-- PKCS#11 interface code (BUSL-1.1)
+-- Configuration documentation
+-- Integration tests (mock only)
Customer Provides:
├── CryptoPro CSP license
├── CryptoPro CSP binaries
└── Hardware tokens (optional)
+-- CryptoPro CSP license
+-- CryptoPro CSP binaries
+-- Hardware tokens (optional)
```
### 4.6 AlexMAS.GostCryptography (MIT)
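Review bot: this hunk switches the tree diagram from box-drawing characters (`├──`, `└──`) to ASCII `+--`, while `crypto-compliance-review.md` in the same commit keeps its box-drawing diagram (`│ ├── Plugin source code (BUSL-1.1)`); pick one style for the legal docs. The dropped lead-in `This is a clean separation:` also made the relationship between the two lists explicit; consider keeping it.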
@@ -203,7 +198,7 @@ Customer Provides:
| Usage | Source vendored |
| Requirement | Include copyright notice; license file preserved |
**Analysis:** The fork is MIT-licensed and compatible with AGPL-3.0-or-later. The combined work (StellaOps + fork) is distributed under AGPL-3.0-or-later terms.
**Analysis:** The fork is MIT-licensed and compatible with BUSL-1.1. The combined work remains BUSL-1.1 with MIT attribution preserved.
### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0)
@@ -212,7 +207,7 @@ Customer Provides:
| License | MPL-2.0 |
| Compatibility | Yes (with conditions) |
| Usage | Dev dependency only |
| Requirement | MPL files stay in separate files |
| Requirement | MPL files remain in separate files |
**Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution.
@@ -222,25 +217,25 @@ Customer Provides:
### 5.1 StellaOps Core
All StellaOps-authored code is licensed under AGPL-3.0-or-later:
All StellaOps-authored code is licensed under BUSL-1.1:
```
SPDX-License-Identifier: AGPL-3.0-or-later
Copyright (C) 2025 stella-ops.org
SPDX-License-Identifier: BUSL-1.1
Copyright (C) 2026 stella-ops.org
```
### 5.2 Documentation
Documentation is licensed under:
- Code examples: AGPL-3.0-or-later (same as source)
- Code examples: BUSL-1.1 (same as source)
- Prose content: CC-BY-4.0 (where specified)
- API specifications: AGPL-3.0-or-later
- API specifications: BUSL-1.1
### 5.3 Configuration Samples
Sample configuration files (`etc/*.yaml.sample`) are:
- Licensed under: AGPL-3.0-or-later
- Derived configurations by users: User's choice (no copyleft propagation for configuration)
- Licensed under: BUSL-1.1
- Derived configurations by users: User's choice (no copyleft propagation)
---
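Review bot: the SPDX header replaces the year instead of extending it: `Copyright (C) 2025 stella-ops.org` becomes `Copyright (C) 2026 stella-ops.org`, which drops the year of first publication; use a range such as `2025-2026`, or whatever form the root `LICENSE` uses. In 5.3, `no copyleft propagation` now describes a license that is not copyleft at all; `no license propagation to user-authored configurations` says what is meant.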
@@ -251,19 +246,18 @@ Sample configuration files (`etc/*.yaml.sample`) are:
- [ ] All new dependencies checked against allowlist
- [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies
- [ ] third-party-licenses/ includes texts for vendored code
- [ ] No GPL-2.0-only or incompatible licenses introduced
- [ ] Source remains available at documented URL
- [ ] No GPL/AGPL or incompatible licenses introduced
- [ ] LICENSE and NOTICE shipped with source and binary distributions
### 6.2 For StellaOps Operators (Self-Hosted)
- [ ] Source code available to network users (link in UI/docs)
- [ ] Modifications (if any) made available under AGPL-3.0-or-later
- [ ] LICENSE and NOTICE preserved in deployment
- [ ] Commercial components (CryptoPro, HSM) separately licensed
- [ ] NOTICE file preserved in deployment
- [ ] Attribution notices accessible to end users (docs or packaged file)
### 6.3 For Contributors
- [ ] New code contributed under AGPL-3.0-or-later
- [ ] New code contributed under BUSL-1.1
- [ ] No proprietary code introduced
- [ ] Third-party code properly attributed
- [ ] License headers in new files
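Review bot: the operator checklist in 6.2 no longer contains any item about the obligation that actually changed with this commit, namely staying within the Additional Use Grant (environment count and scans per 24 hours, per the FAQ) or holding a commercial license; add a checkbox for it. The developer item `No GPL/AGPL or incompatible licenses introduced` can be read as excluding LGPL, which 2.2 still permits with conditions; point it at the 2.3 table instead (`No licenses from the 2.3 incompatible list introduced`).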
@@ -273,13 +267,13 @@ Sample configuration files (`etc/*.yaml.sample`) are:
## 7. FAQ
### Q: Can I use StellaOps commercially?
**A:** Yes. AGPL-3.0-or-later permits commercial use. You must provide source code access to users interacting with your deployment over a network.
**A:** Yes, within the Additional Use Grant limits or under a commercial license. SaaS/hosted third-party use requires a commercial license.
### Q: Can I modify StellaOps for internal use?
**A:** Yes. If modifications are internal only (not exposed to network users), no disclosure required.
**A:** Yes. Non-production use is permitted, and production use is allowed within the Additional Use Grant or with a commercial license.
### Q: Does using StellaOps make my data AGPL-licensed?
**A:** No. AGPL applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.
### Q: Does using StellaOps make my data BUSL-licensed?
**A:** No. BUSL-1.1 applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.
### Q: Can I integrate StellaOps with proprietary systems?
**A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses.
@@ -291,13 +285,12 @@ Sample configuration files (`etc/*.yaml.sample`) are:
## 8. References
- [GNU AGPL-3.0 FAQ](https://www.gnu.org/licenses/gpl-faq.html)
- [FSF License Compatibility](https://www.gnu.org/licenses/license-list.html)
- [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
- [Apache 2.0 FAQ](https://www.apache.org/foundation/license-faq.html)
- [SPDX License List](https://spdx.org/licenses/)
- [Apache-2.0/GPL Compatibility](https://www.apache.org/licenses/GPL-compatibility.html)
- [REUSE Best Practices](https://reuse.software/tutorial/)
---
*Document maintained by: Legal + Security Guild*
*Last review: 2025-12-26*
*Last review: 2026-01-20*
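Review bot: the references drop the AGPL FAQ and the Apache/GPL compatibility page but add nothing for the new license; add a link to the canonical BUSL-1.1 text (published by MariaDB) and to the project's `LICENSE`, which is where the Additional Use Grant and Change Date are defined.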

docs/legal/README.md Normal file
View File

@@ -0,0 +1,15 @@
# Legal and Licensing
This folder centralizes the legal and compliance references for Stella Ops
Suite. For distributions, treat the root `LICENSE` and `NOTICE.md` as the
authoritative artifacts.
## Canonical documents
- Project license (BUSL-1.1 + Additional Use Grant): `LICENSE`
- Third-party notices: `NOTICE.md`
- Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md`
- License compatibility guidance: `docs/legal/LICENSE-COMPATIBILITY.md`
- Additional Use Grant summary and quotas: `docs/legal/LEGAL_FAQ_QUOTA.md`
- Regulator-grade threat and evidence model: `docs/legal/LEGAL_COMPLIANCE.md`
- Cryptography compliance notes: `docs/legal/crypto-compliance-review.md`
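Review bot: the entry `Additional Use Grant summary and quotas: docs/legal/LEGAL_FAQ_QUOTA.md` is slightly misleading, because that FAQ itself defers operational quota behaviour to `30_QUOTA_ENFORCEMENT_FLOW1.md`; list that flow document here as well. `docs/legal/LEGAL_COMPLIANCE.md` is not visible in this diff, so confirm it exists under that path before linking it.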

View File

@@ -1,10 +1,10 @@
# Third-Party Dependencies
**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**SPDX License Identifier:** AGPL-3.0-or-later (StellaOps)
**Document Version:** 1.1.0
**Last Updated:** 2026-01-20
**SPDX License Identifier:** BUSL-1.1 (StellaOps)
This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and AGPL-3.0-or-later compatibility status.
This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and BUSL-1.1 compatibility status.
---
@@ -19,7 +19,17 @@ This document provides a comprehensive inventory of all third-party dependencies
| npm (Dev) | ~30+ | MIT, Apache-2.0 |
| Infrastructure | 6 | PostgreSQL, MPL-2.0, BSD-3-Clause, Apache-2.0 |
### License Compatibility with AGPL-3.0-or-later
### Canonical License Declarations
- Project license text: `LICENSE`
- Third-party attributions: `NOTICE.md`
- Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md`
- Vendored license texts: `third-party-licenses/`
StellaOps is licensed under BUSL-1.1 with an Additional Use Grant (see `LICENSE`).
The Change License is Apache License 2.0 effective on the Change Date stated in `LICENSE`.
### License Compatibility with BUSL-1.1
| License | SPDX | Compatible | Notes |
|---------|------|------------|-------|
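Review bot: the summary row `| Infrastructure | 6 | ... |` is left unchanged although the infrastructure table later in this commit gains a row (`Rekor v2 (rekor-tiles)`); re-count and update the number (Apache-2.0 is already in the license list, so only the count changes). The new `Canonical License Declarations` list also points to `docs/legal/THIRD-PARTY-DEPENDENCIES.md`, which is this document itself; drop the self-reference or reword it as `this document`.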
@@ -30,8 +40,8 @@ This document provides a comprehensive inventory of all third-party dependencies
| ISC | ISC | Yes | Functionally equivalent to MIT |
| 0BSD | 0BSD | Yes | Public domain equivalent |
| PostgreSQL | PostgreSQL | Yes | Permissive, similar to MIT/BSD |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft, compatible via aggregation |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Library linking allowed |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft; keep MPL files isolated |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Dynamic linking only; relinking rights preserved |
| Commercial | LicenseRef-* | N/A | Customer-provided, not distributed |
---
@@ -267,7 +277,8 @@ Components required for deployment but not bundled with StellaOps source.
|-----------|---------|---------|------|--------------|-------|
| PostgreSQL | ≥16 | PostgreSQL | PostgreSQL | Separate | Required database |
| RabbitMQ | ≥3.12 | MPL-2.0 | MPL-2.0 | Separate | Optional message broker |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) for StellaOps and Rekor |
| Rekor v2 (rekor-tiles) | v2 (tiles) | Apache-2.0 | Apache-2.0 | Separate | Optional transparency log (POSIX tiles backend) |
| Docker | ≥24 | Apache-2.0 | Apache-2.0 | Tooling | Container runtime |
| OCI Registry | - | Varies | - | External | Harbor (Apache-2.0), Docker Hub, etc. |
| Kubernetes | ≥1.28 | Apache-2.0 | Apache-2.0 | Orchestration | Optional |
@@ -284,7 +295,7 @@ Components with special licensing or distribution considerations.
|-----------|---------|--------------|-------|
| AlexMAS.GostCryptography | MIT | Vendored source | GOST algorithm implementation |
| CryptoPro CSP | Commercial | **Customer-provided** | PKCS#11 interface only |
| CryptoPro wrapper | AGPL-3.0-or-later | StellaOps code | Integration bindings |
| CryptoPro wrapper | BUSL-1.1 | StellaOps code | Integration bindings |
### 6.2 China (RootPack_CN) - Planned
@@ -385,11 +396,16 @@ allowed_licenses:
### 8.4 Blocked Licenses
These licenses are **NOT compatible** with AGPL-3.0-or-later:
These licenses are **NOT compatible** with BUSL-1.1 for StellaOps distribution:
```yaml
blocked_licenses:
- GPL-2.0-only # Version lock incompatible with AGPL-3.0
- GPL-2.0-only
- GPL-2.0-or-later
- GPL-3.0-only
- GPL-3.0-or-later
- AGPL-3.0-only
- AGPL-3.0-or-later
- SSPL-1.0 # Server Side Public License - additional network restrictions
- BUSL-1.1 # Business Source License - time-delayed commercial restrictions
- Elastic-2.0 # Similar restrictions to SSPL
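Review bot: `blocked_licenses` still contains `- BUSL-1.1 # Business Source License - time-delayed commercial restrictions`, so an allowlist check driven by this file would flag the project's own license; either remove the entry or state that the list applies to third-party components and explain why third-party BUSL code with a different Additional Use Grant is still blocked. The SSPL-1.0 and Elastic-2.0 comments still justify the block by network and service restrictions, which no longer distinguishes them now that StellaOps itself restricts hosted use; update them to match the heading's `for StellaOps distribution` rationale.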
@@ -424,11 +440,11 @@ The following licenses are used **only in development dependencies** and are not
## 10. References
- [SPDX License List](https://spdx.org/licenses/)
- [AGPL-3.0-or-later Compatibility](https://www.gnu.org/licenses/gpl-faq.html)
- [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
- [REUSE Specification](https://reuse.software/spec/)
- [CycloneDX License Component](https://cyclonedx.org/docs/1.6/json/#components_items_licenses)
---
*Document maintained by: Security Guild*
*Last full audit: 2025-12-26*
*Last full audit: 2026-01-20*
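Review bot: as in `LICENSE-COMPATIBILITY.md`, removing the AGPL compatibility link leaves this document with no reference for BUSL-1.1; add the canonical BUSL-1.1 text and the root `LICENSE`.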

View File

@@ -1,7 +1,7 @@
# Crypto Compliance Review · License & Export Analysis
**Status:** IN REVIEW (legal sign-off pending)
**Date:** 2025-12-07
**Date:** 2026-01-20
**Owners:** Security Guild, Legal
**Unblocks:** RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06
@@ -22,7 +22,7 @@ This document captures the licensing, export controls, and distribution guidance
| Upstream | https://github.com/AlexMAS/GostCryptography |
| License | MIT |
| StellaOps Usage | Source-vendored within CryptoPro plugin folder |
| Compatibility | MIT is compatible with AGPL-3.0-or-later |
| Compatibility | MIT is compatible with BUSL-1.1 |
### 1.2 Attribution Requirements
@@ -68,7 +68,7 @@ CryptoPro CSP is **not redistributable** by StellaOps. The distribution model is
├─────────────────────────────────────────────────────────────────┤
│ │
│ StellaOps ships: │
│ ├── Plugin source code (AGPL-3.0-or-later)
│ ├── Plugin source code (BUSL-1.1)
│ ├── Interface bindings to CryptoPro CSP │
│ └── Documentation for customer-provided CSP installation │
│ │
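Review bot: the replaced line `│ ├── Plugin source code (BUSL-1.1)` is the only row in the box with no closing `│`, so the right border is broken there (the old line had the same defect); pad it to the box width. This diagram also keeps box-drawing characters while the same commit converts the trees in `LICENSE-COMPATIBILITY.md` to `+--`; use one style across the legal docs.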
@@ -270,7 +270,7 @@ Running CryptoPro CSP DLLs under Wine for cross-platform testing:
### For Legal Sign-off
- [ ] Confirm MIT + AGPL-3.0 compatibility statement
- [ ] Confirm MIT + BUSL-1.1 compatibility statement
- [ ] Confirm customer-provided model for CSP is acceptable
- [ ] Review export control applicability for GOST distribution
@@ -284,5 +284,5 @@ Running CryptoPro CSP DLLs under Wine for cross-platform testing:
---
*Document Version: 1.0.0*
*Last Updated: 2025-12-07*
*Document Version: 1.0.1*
*Last Updated: 2026-01-20*