# License Compatibility Analysis **Document Version:** 1.1.0 **Last Updated:** 2026-01-20 **StellaOps License:** BUSL-1.1 This document analyzes the compatibility of third-party licenses with StellaOps' BUSL-1.1 license and Additional Use Grant. --- ## 1. BUSL-1.1 Overview The Business Source License 1.1 (BUSL-1.1) is a source-available license that: 1. **Allows** non-production use, modification, and redistribution of the Licensed Work 2. **Allows** limited production use only as granted in the Additional Use Grant 3. **Requires** preservation of the license text and attribution notices 4. **Provides** a Change License (Apache-2.0) that becomes effective on the Change Date 5. **Restricts** SaaS/hosted service use beyond the Additional Use Grant ### Key Compatibility Principle > Permissive-licensed code (MIT, BSD, Apache) can be incorporated into BUSL-1.1 projects without changing the overall license. Strong copyleft or service-restriction licenses (GPL/AGPL/SSPL) impose obligations that conflict with BUSL-1.1 distribution terms or Additional Use Grant restrictions. --- ## 2. License Compatibility Matrix ### 2.1 Fully Compatible (Inbound) These licenses are fully compatible with BUSL-1.1. Code under these licenses can be incorporated into StellaOps. | License | SPDX | Compatibility | Rationale | |---------|------|---------------|-----------| | MIT | MIT | **Yes** | Permissive, no copyleft restrictions | | Apache-2.0 | Apache-2.0 | **Yes** | Same license, patent grant included | | BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions | | BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only | | ISC | ISC | **Yes** | Functionally equivalent to MIT | | 0BSD | 0BSD | **Yes** | Public domain equivalent | | CC0-1.0 | CC0-1.0 | **Yes** | Public domain dedication | | Unlicense | Unlicense | **Yes** | Public domain dedication | | PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD | | Zlib | Zlib | **Yes** | Permissive | | BlueOak-1.0.0 | BlueOak-1.0.0 | **Yes** | Permissive | | Python-2.0 | Python-2.0 | **Yes** | Permissive | ### 2.2 Compatible with Conditions | License | SPDX | Compatibility | Conditions | |---------|------|---------------|------------| | LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking; library boundary required | | LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking; library boundary required | | MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL files remain isolated | ### 2.3 Incompatible These licenses are **NOT** compatible with keeping StellaOps under BUSL-1.1: | License | SPDX | Issue | |---------|------|-------| | GPL-2.0-only | GPL-2.0-only | Requires GPL relicensing; incompatible with BUSL distribution | | GPL-2.0-or-later | GPL-2.0-or-later | Requires GPL relicensing; incompatible with BUSL distribution | | GPL-3.0-only | GPL-3.0-only | Requires GPL distribution for combined work | | GPL-3.0-or-later | GPL-3.0-or-later | Requires GPL distribution for combined work | | AGPL-3.0-only | AGPL-3.0-only | Network copyleft conflicts with BUSL restrictions | | AGPL-3.0-or-later | AGPL-3.0-or-later | Network copyleft conflicts with BUSL restrictions | | SSPL-1.0 | SSPL-1.0 | Service source disclosure conflicts with BUSL restrictions | | Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions conflict with BUSL grant | | Proprietary | LicenseRef-Proprietary | No redistribution rights | --- ## 3. Distribution Models ### 3.1 Source Distribution (BUSL-1.1 Compliant) When distributing StellaOps source code: ``` StellaOps (BUSL-1.1) +-- StellaOps code (BUSL-1.1) +-- MIT/BSD deps (retain notices) +-- Apache-2.0 deps (retain NOTICE files) +-- MPL/LGPL deps (retain file/library boundaries) ``` **Requirements:** - Include full BUSL-1.1 license text with Additional Use Grant - Preserve all third-party copyright and attribution notices - Preserve NOTICE files from Apache-2.0 dependencies - Mark modified files with prominent change notices ### 3.2 Binary Distribution (BUSL-1.1 Compliant) When distributing StellaOps binaries (containers, packages): ``` StellaOps Binary +-- LICENSE (BUSL-1.1) +-- NOTICE.md (all attributions) +-- third-party-licenses/ (full license texts) +-- Source link (optional, transparency only) ``` **Requirements:** - Include BUSL-1.1 license with Additional Use Grant - Include NOTICE file with all attributions - Include license texts for vendored code ### 3.3 Network Service (No Copyleft Clause) BUSL-1.1 restricts SaaS/hosted service use beyond the Additional Use Grant. Operating StellaOps as a service is permitted only within the grant limits or under a commercial license; see `LICENSE` for details. ### 3.4 Aggregation (Not Derivation) The following are considered **aggregation**, not derivation: | Scenario | Classification | BUSL-1.1 Impact | |----------|---------------|-------------------| | PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed | | RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 | | Docker containers | Aggregation | Base image licenses unaffected | | Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 | | Hardware (HSM) | Interface only | HSM license unaffected | **Rationale:** These components communicate via network protocols, APIs, or standard interfaces and are not linked into StellaOps binaries. ### 3.5 Plugin Distribution (Community Plugin Grant) The Community Plugin Grant Addendum (`LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`) provides additional terms for plugin development and distribution. **When distributing StellaOps Plugins:** ``` Plugin Distribution +-- Plugin code (your license) +-- Attribution to StellaOps +-- If derivative work: +-- LICENSE (BUSL-1.1) +-- LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md +-- NOTICE.md ``` **Requirements by Plugin Type:** | Plugin Type | License | Attribution | Include LICENSE | Include Addendum | |-------------|---------|-------------|-----------------|------------------| | API-only (no StellaOps code) | Your choice | Recommended | No | No | | Includes StellaOps code | BUSL-1.1 | Required | Yes | Yes | | Bundled with StellaOps | BUSL-1.1 | Required | Yes | Yes | | Competing managed service | Commercial | N/A | N/A | N/A | **Not Allowed Without Commercial License:** - Redistributing plugins as part of a competing managed service offering - White-labeling StellaOps functionality through plugins - Embedding plugins in multi-tenant SaaS offerings to third parties **See Also:** - `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Detailed plugin licensing FAQ - `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP hosting scenarios --- ## 4. Specific Dependency Analysis ### 4.1 BouncyCastle Cryptography (MIT) | Aspect | Status | |--------|--------| | License | MIT | | Compatibility | Full | | Usage | Linked into binaries | | Requirement | Include copyright notice in NOTICE.md | ### 4.2 Npgsql/PostgreSQL (PostgreSQL License) | Aspect | Status | |--------|--------| | License | PostgreSQL (permissive) | | Compatibility | Full | | Usage | NuGet package (linked) | | Requirement | Include copyright notice in NOTICE.md | ### 4.3 Polly (BSD-3-Clause) | Aspect | Status | |--------|--------| | License | BSD-3-Clause | | Compatibility | Full | | Usage | NuGet package (linked) | | Requirement | Include copyright notice; no endorsement claims | ### 4.4 RxJS (Apache-2.0) | Aspect | Status | |--------|--------| | License | Apache-2.0 | | Compatibility | Full | | Usage | npm package (bundled in frontend) | | Requirement | Preserve NOTICE file | ### 4.5 CryptoPro CSP (Commercial) | Aspect | Status | |--------|--------| | License | Commercial (LicenseRef-CryptoPro) | | Compatibility | N/A - Not distributed | | Usage | PKCS#11 interface only | | Requirement | Customer obtains own license | **Analysis:** StellaOps provides only the integration code (BUSL-1.1). CryptoPro CSP binaries are never distributed by StellaOps. ``` StellaOps Ships: +-- PKCS#11 interface code (BUSL-1.1) +-- Configuration documentation +-- Integration tests (mock only) Customer Provides: +-- CryptoPro CSP license +-- CryptoPro CSP binaries +-- Hardware tokens (optional) ``` ### 4.6 AlexMAS.GostCryptography (MIT) | Aspect | Status | |--------|--------| | License | MIT | | Compatibility | Full | | Usage | Source vendored | | Requirement | Include copyright notice; license file preserved | **Analysis:** The fork is MIT-licensed and compatible with BUSL-1.1. The combined work remains BUSL-1.1 with MIT attribution preserved. ### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0) | Aspect | Status | |--------|--------| | License | MPL-2.0 | | Compatibility | Yes (with conditions) | | Usage | Dev dependency only | | Requirement | MPL files remain in separate files | **Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution. --- ## 5. Outbound Licensing ### 5.1 StellaOps Core All StellaOps-authored code is licensed under BUSL-1.1: ``` SPDX-License-Identifier: BUSL-1.1 Copyright (C) 2026 stella-ops.org ``` ### 5.2 Documentation Documentation is licensed under: - Code examples: BUSL-1.1 (same as source) - Prose content: CC-BY-4.0 (where specified) - API specifications: BUSL-1.1 ### 5.3 Configuration Samples Sample configuration files (`etc/*.yaml.sample`) are: - Licensed under: BUSL-1.1 - Derived configurations by users: User's choice (no copyleft propagation) --- ## 6. Compliance Checklist ### 6.1 For StellaOps Maintainers - [ ] All new dependencies checked against allowlist - [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies - [ ] third-party-licenses/ includes texts for vendored code - [ ] No GPL/AGPL or incompatible licenses introduced - [ ] LICENSE and NOTICE shipped with source and binary distributions ### 6.2 For StellaOps Operators (Self-Hosted) - [ ] LICENSE and NOTICE preserved in deployment - [ ] Commercial components (CryptoPro, HSM) separately licensed - [ ] Attribution notices accessible to end users (docs or packaged file) ### 6.3 For Contributors - [ ] New code contributed under BUSL-1.1 - [ ] No proprietary code introduced - [ ] Third-party code properly attributed - [ ] License headers in new files --- ## 7. FAQ ### Q: Can I use StellaOps commercially? **A:** Yes, within the Additional Use Grant limits or under a commercial license. SaaS/hosted third-party use requires a commercial license. ### Q: Can I modify StellaOps for internal use? **A:** Yes. Non-production use is permitted, and production use is allowed within the Additional Use Grant or with a commercial license. ### Q: Does using StellaOps make my data BUSL-licensed? **A:** No. BUSL-1.1 applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours. ### Q: Can I integrate StellaOps with proprietary systems? **A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses. ### Q: Do I need to disclose my CryptoPro CSP license? **A:** CryptoPro CSP is customer-provided. StellaOps only ships integration code. Your CSP license is between you and CryptoPro. --- ## 8. References - [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) - [Apache 2.0 FAQ](https://www.apache.org/foundation/license-faq.html) - [SPDX License List](https://spdx.org/licenses/) - [REUSE Best Practices](https://reuse.software/tutorial/) - [BUSL-1.1 License Text](https://spdx.org/licenses/BUSL-1.1.html) --- ## 9. Related Documents - `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Community Plugin Grant Addendum - `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Plugin developer FAQ - `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP guidance - `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and compliance policy --- *Document maintained by: Legal + Security Guild* *Last review: 2026-01-25*