license switch agpl -> busl1, sprints work, new product advisories

This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions


@@ -1,10 +1,10 @@
# Third-Party Dependencies
**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**SPDX License Identifier:** AGPL-3.0-or-later (StellaOps)
**Document Version:** 1.1.0
**Last Updated:** 2026-01-20
**SPDX License Identifier:** BUSL-1.1 (StellaOps)
This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and AGPL-3.0-or-later compatibility status.
This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and BUSL-1.1 compatibility status.
---
@@ -19,7 +19,17 @@ This document provides a comprehensive inventory of all third-party dependencies
| npm (Dev) | ~30+ | MIT, Apache-2.0 |
| Infrastructure | 6 | PostgreSQL, MPL-2.0, BSD-3-Clause, Apache-2.0 |
### License Compatibility with AGPL-3.0-or-later
### Canonical License Declarations
- Project license text: `LICENSE`
- Third-party attributions: `NOTICE.md`
- Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md`
- Vendored license texts: `third-party-licenses/`
StellaOps is licensed under BUSL-1.1 with an Additional Use Grant (see `LICENSE`).
The Change License is Apache License 2.0 effective on the Change Date stated in `LICENSE`.
### License Compatibility with BUSL-1.1
| License | SPDX | Compatible | Notes |
|---------|------|------------|-------|
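Review bot: the new "Canonical License Declarations" block states that the Change License is Apache-2.0, but the compatibility table it introduces is still titled only "License Compatibility with BUSL-1.1". Because the code becomes Apache-2.0 on the Change Date, every inbound dependency license has to be compatible with both BUSL-1.1 today and Apache-2.0 afterwards; suggest either renaming the heading to cover both regimes or adding one sentence under it saying the "Compatible" column was evaluated against both, so that a reader does not assume a license acceptable under BUSL-1.1 alone is acceptable after conversion.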
@@ -30,8 +40,8 @@ This document provides a comprehensive inventory of all third-party dependencies
| ISC | ISC | Yes | Functionally equivalent to MIT |
| 0BSD | 0BSD | Yes | Public domain equivalent |
| PostgreSQL | PostgreSQL | Yes | Permissive, similar to MIT/BSD |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft, compatible via aggregation |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Library linking allowed |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft; keep MPL files isolated |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Dynamic linking only; relinking rights preserved |
| Commercial | LicenseRef-* | N/A | Customer-provided, not distributed |
---
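Review bot: the revised LGPL-2.1+ note ("Dynamic linking only; relinking rights preserved") and the MPL-2.0 note ("keep MPL files isolated") state obligations without saying how they are enforced or where to check. Suggest extending each Notes cell with a pointer to the mechanism that verifies it (for example which build step or policy rule rejects statically linked LGPL code, and where the isolated MPL files are listed), otherwise the table reads as a policy with no audit trail. Also note that the previous MPL-2.0 wording ("compatible via aggregation") is dropped without replacement; if the reasoning changed with the license switch, a short rationale in the cell would help the next auditor.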
@@ -267,7 +277,8 @@ Components required for deployment but not bundled with StellaOps source.
|-----------|---------|---------|------|--------------|-------|
| PostgreSQL | ≥16 | PostgreSQL | PostgreSQL | Separate | Required database |
| RabbitMQ | ≥3.12 | MPL-2.0 | MPL-2.0 | Separate | Optional message broker |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) for StellaOps and Rekor |
| Rekor v2 (rekor-tiles) | v2 (tiles) | Apache-2.0 | Apache-2.0 | Separate | Optional transparency log (POSIX tiles backend) |
| Docker | ≥24 | Apache-2.0 | Apache-2.0 | Tooling | Container runtime |
| OCI Registry | - | Varies | - | External | Harbor (Apache-2.0), Docker Hub, etc. |
| Kubernetes | ≥1.28 | Apache-2.0 | Apache-2.0 | Orchestration | Optional |
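Review bot: the new Rekor v2 row puts "v2 (tiles)" in the Version column, while every other row in this table uses a minimum version ("≥16", "≥3.12", "≥7.2", "≥24", "≥1.28") or "-" where none applies. Suggest either a concrete minimum rekor-tiles version or "-" for consistency, and moving "(tiles)" into the Notes cell, which already says "POSIX tiles backend". The Valkey note change ("for StellaOps and Rekor") is fine but could cross-reference the Rekor row so the two optional components are read together.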
@@ -284,7 +295,7 @@ Components with special licensing or distribution considerations.
|-----------|---------|--------------|-------|
| AlexMAS.GostCryptography | MIT | Vendored source | GOST algorithm implementation |
| CryptoPro CSP | Commercial | **Customer-provided** | PKCS#11 interface only |
| CryptoPro wrapper | AGPL-3.0-or-later | StellaOps code | Integration bindings |
| CryptoPro wrapper | BUSL-1.1 | StellaOps code | Integration bindings |
### 6.2 China (RootPack_CN) - Planned
@@ -385,11 +396,16 @@ allowed_licenses:
### 8.4 Blocked Licenses
These licenses are **NOT compatible** with AGPL-3.0-or-later:
These licenses are **NOT compatible** with BUSL-1.1 for StellaOps distribution:
```yaml
blocked_licenses:
- GPL-2.0-only # Version lock incompatible with AGPL-3.0
- GPL-2.0-only
- GPL-2.0-or-later
- GPL-3.0-only
- GPL-3.0-or-later
- AGPL-3.0-only
- AGPL-3.0-or-later
- SSPL-1.0 # Server Side Public License - additional network restrictions
- BUSL-1.1 # Business Source License - time-delayed commercial restrictions
- Elastic-2.0 # Similar restrictions to SSPL
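Review bot: two consistency problems in the blocked list. First, `BUSL-1.1` stays blocked with the comment "time-delayed commercial restrictions" while this same commit makes BUSL-1.1 the project's own license; the list should say explicitly that it applies to third-party inbound dependencies only, or the check will read as contradicting the header. Second, `AGPL-3.0-only` and `AGPL-3.0-or-later` are newly blocked, and the diff shows StellaOps-authored components (such as the CryptoPro wrapper row changed above) that carried `AGPL-3.0-or-later` until this commit; any remaining component still tagged AGPL will now trip this rule, so the scan should be rerun after the retagging in this commit. Minor: the rationale comment on `GPL-2.0-only` ("Version lock incompatible with AGPL-3.0") was removed, leaving the GPL entries with no stated reason; suggest a replacement comment explaining why GPL-family licenses are blocked under BUSL-1.1 and the Apache-2.0 Change License.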
@@ -424,11 +440,11 @@ The following licenses are used **only in development dependencies** and are not
## 10. References
- [SPDX License List](https://spdx.org/licenses/)
- [AGPL-3.0-or-later Compatibility](https://www.gnu.org/licenses/gpl-faq.html)
- [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
- [REUSE Specification](https://reuse.software/spec/)
- [CycloneDX License Component](https://cyclonedx.org/docs/1.6/json/#components_items_licenses)
---
*Document maintained by: Security Guild*
*Last full audit: 2025-12-26*
*Last full audit: 2026-01-20*
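Review bot: the reference "[AGPL-3.0-or-later Compatibility](https://www.gnu.org/licenses/gpl-faq.html)" is left in place although the document no longer asserts AGPL compatibility anywhere; it should be removed or replaced with a reference to the canonical BUSL-1.1 text, since the Apache-2.0 Change License reference already exists on the next line. Also, the footer now claims "Last full audit: 2026-01-20", the same day as the license switch; if the audit was a re-evaluation of every dependency against BUSL-1.1 and Apache-2.0 rather than a header update, a one-line note saying so would make that claim verifiable.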