# License Compatibility Analysis

**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**StellaOps License:** AGPL-3.0-or-later

This document analyzes the compatibility of third-party licenses with StellaOps' AGPL-3.0-or-later license.

---

## 1. AGPL-3.0-or-later Overview

The GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later) is a strong copyleft license that:

1. **Requires** source code disclosure for modifications
2. **Requires** network use disclosure (Section 13) - users interacting over a network must be able to receive the source code
3. **Allows** linking with permissively-licensed code (MIT, Apache-2.0, BSD)
4. **Prohibits** linking with incompatibly-licensed code (GPL-2.0-only, proprietary)

### Key Compatibility Principle

> Code licensed under permissive licenses (MIT, Apache-2.0, BSD, ISC) can be incorporated into AGPL projects. The combined work is distributed under AGPL terms.

---

## 2. License Compatibility Matrix

### 2.1 Fully Compatible (Inbound)

These licenses are fully compatible with AGPL-3.0-or-later. Code under these licenses can be incorporated into StellaOps.

| License | SPDX | Compatibility | Rationale |
|---------|------|---------------|-----------|
| MIT | MIT | **Yes** | Permissive, no copyleft restrictions |
| Apache-2.0 | Apache-2.0 | **Yes** | Permissive, patent grant included |
| BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions |
| BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only |
| ISC | ISC | **Yes** | Functionally equivalent to MIT |
| 0BSD | 0BSD | **Yes** | Public domain equivalent |
| CC0-1.0 | CC0-1.0 | **Yes** | Public domain dedication |
| Unlicense | Unlicense | **Yes** | Public domain dedication |
| PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD |
| Zlib | Zlib | **Yes** | Permissive |
| WTFPL | WTFPL | **Yes** | Do what you want |

### 2.2 Compatible with Conditions

| License | SPDX | Compatibility | Conditions |
|---------|------|---------------|------------|
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking |
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking |
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL code must remain in separate files |
| GPL-3.0-or-later | GPL-3.0-or-later | **Yes** | Combined work is AGPL-3.0+ |
| AGPL-3.0-or-later | AGPL-3.0-or-later | **Yes** | Same license |

### 2.3 Incompatible

These licenses are **NOT** compatible with AGPL-3.0-or-later:

| License | SPDX | Issue |
|---------|------|-------|
| GPL-2.0-only | GPL-2.0-only | Version lock conflicts with AGPL-3.0 |
| SSPL-1.0 | SSPL-1.0 | Additional restrictions |
| Proprietary | LicenseRef-Proprietary | No redistribution rights |
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions |
| BUSL-1.1 | BUSL-1.1 | Production use restrictions |

---

## 3. Distribution Models

### 3.1 Source Distribution (AGPL Compliant)

When distributing StellaOps source code:

```
StellaOps (AGPL-3.0-or-later)
├── StellaOps code (AGPL-3.0-or-later)
├── MIT-licensed deps (retain copyright notices)
├── Apache-2.0 deps (retain NOTICE files)
└── BSD deps (retain copyright notices)
```

**Requirements:**

- Include full AGPL-3.0-or-later license text
- Preserve all third-party copyright notices
- Preserve all NOTICE files from Apache-2.0 dependencies
- Provide complete corresponding source

### 3.2 Binary Distribution (AGPL Compliant)

When distributing StellaOps binaries (containers, packages):

```
StellaOps Binary
├── LICENSE (AGPL-3.0-or-later)
├── NOTICE.md (all attributions)
├── third-party-licenses/ (full license texts)
└── Source availability: git.stella-ops.org
```

**Requirements:**

- Include AGPL-3.0-or-later license
- Include NOTICE file with all attributions
- Provide mechanism to obtain source code
- For network services: provide source access per Section 13

### 3.3 Network Service (Section 13)

StellaOps is primarily deployed as network services. AGPL Section 13 requires:

> If you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network [...] an opportunity to receive the Corresponding Source of your version.

**StellaOps Compliance:**

- Source code is available at `https://git.stella-ops.org`
- Web UI includes "Source" link in footer/about page
- API responses include `X-Source-URL` header option
- Documentation includes source availability notice

### 3.4 Aggregation (Not Derivation)

The following are considered **aggregation**, not derivation:

| Scenario | Classification | AGPL Impact |
|----------|---------------|-------------|
| PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed |
| RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 |
| Docker containers | Aggregation | Base image licenses unaffected |
| Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 |
| Hardware (HSM) | Interface only | HSM license unaffected |

**Rationale:** These components communicate via network protocols, APIs, or standard interfaces. They are not linked into StellaOps binaries.

---

## 4. Specific Dependency Analysis

### 4.1 BouncyCastle Cryptography (MIT)

| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Linked into binaries |
| Requirement | Include copyright notice in NOTICE.md |

### 4.2 Npgsql/PostgreSQL (PostgreSQL License)

| Aspect | Status |
|--------|--------|
| License | PostgreSQL (permissive) |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice in NOTICE.md |

### 4.3 Polly (BSD-3-Clause)

| Aspect | Status |
|--------|--------|
| License | BSD-3-Clause |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice; no endorsement claims |

### 4.4 RxJS (Apache-2.0)

| Aspect | Status |
|--------|--------|
| License | Apache-2.0 |
| Compatibility | Full |
| Usage | npm package (bundled in frontend) |
| Requirement | Preserve NOTICE file |

### 4.5 CryptoPro CSP (Commercial)

| Aspect | Status |
|--------|--------|
| License | Commercial (LicenseRef-CryptoPro) |
| Compatibility | N/A - Not distributed |
| Usage | PKCS#11 interface only |
| Requirement | Customer obtains own license |

**Analysis:** StellaOps provides only the integration code (AGPL-3.0-or-later). CryptoPro CSP binaries are never distributed by StellaOps. This is a clean separation:

```
StellaOps Ships:
├── PKCS#11 interface code (AGPL-3.0-or-later)
├── Configuration documentation
└── Integration tests (mock only)

Customer Provides:
├── CryptoPro CSP license
├── CryptoPro CSP binaries
└── Hardware tokens (optional)
```

### 4.6 AlexMAS.GostCryptography (MIT)

| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Source vendored |
| Requirement | Include copyright notice; license file preserved |

**Analysis:** The fork is MIT-licensed and compatible with AGPL-3.0-or-later. The combined work (StellaOps + fork) is distributed under AGPL-3.0-or-later terms.

### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0)

| Aspect | Status |
|--------|--------|
| License | MPL-2.0 |
| Compatibility | Yes (with conditions) |
| Usage | Dev dependency only |
| Requirement | MPL files stay in separate files |

**Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution.

---

## 5. Outbound Licensing

### 5.1 StellaOps Core

All StellaOps-authored code is licensed under AGPL-3.0-or-later:

```
SPDX-License-Identifier: AGPL-3.0-or-later
Copyright (C) 2025 stella-ops.org
```

### 5.2 Documentation

Documentation is licensed under:

- Code examples: AGPL-3.0-or-later (same as source)
- Prose content: CC-BY-4.0 (where specified)
- API specifications: AGPL-3.0-or-later

### 5.3 Configuration Samples

Sample configuration files (`etc/*.yaml.sample`) are:

- Licensed under: AGPL-3.0-or-later
- Derived configurations by users: User's choice (no copyleft propagation for configuration)

---

## 6. Compliance Checklist

### 6.1 For StellaOps Maintainers

- [ ] All new dependencies checked against allowlist
- [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies
- [ ] third-party-licenses/ includes texts for vendored code
- [ ] No GPL-2.0-only or incompatible licenses introduced
- [ ] Source remains available at documented URL

### 6.2 For StellaOps Operators (Self-Hosted)

- [ ] Source code available to network users (link in UI/docs)
- [ ] Modifications (if any) made available under AGPL-3.0-or-later
- [ ] Commercial components (CryptoPro, HSM) separately licensed
- [ ] NOTICE file preserved in deployment

### 6.3 For Contributors

- [ ] New code contributed under AGPL-3.0-or-later
- [ ] No proprietary code introduced
- [ ] Third-party code properly attributed
- [ ] License headers in new files

---

## 7. FAQ

### Q: Can I use StellaOps commercially?

**A:** Yes. AGPL-3.0-or-later permits commercial use. You must provide source code access to users interacting with your deployment over a network.

### Q: Can I modify StellaOps for internal use?

**A:** Yes. If modifications are internal only (not exposed to network users), no disclosure required.

### Q: Does using StellaOps make my data AGPL-licensed?

**A:** No. AGPL applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.

### Q: Can I integrate StellaOps with proprietary systems?

**A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses.

### Q: Do I need to disclose my CryptoPro CSP license?

**A:** CryptoPro CSP is customer-provided. StellaOps only ships integration code. Your CSP license is between you and CryptoPro.

---

## 8. References

- [GNU AGPL-3.0 FAQ](https://www.gnu.org/licenses/gpl-faq.html)
- [FSF License Compatibility](https://www.gnu.org/licenses/license-list.html)
- [SPDX License List](https://spdx.org/licenses/)
- [Apache-2.0/GPL Compatibility](https://www.apache.org/licenses/GPL-compatibility.html)
- [REUSE Best Practices](https://reuse.software/tutorial/)

---

*Document maintained by: Legal + Security Guild*
*Last review: 2025-12-26*