# License Compatibility Analysis
**Document Version:** 1.1.0
**Last Updated:** 2026-01-20
**StellaOps License:** BUSL-1.1

This document analyzes the compatibility of third-party licenses with StellaOps' BUSL-1.1 license and Additional Use Grant.
---
## 1. BUSL-1.1 Overview
The Business Source License 1.1 (BUSL-1.1) is a source-available license that:
1. **Allows** non-production use, modification, and redistribution of the Licensed Work
2. **Allows** limited production use only as granted in the Additional Use Grant
3. **Requires** preservation of the license text and attribution notices
4. **Provides** a Change License (Apache-2.0) that becomes effective on the Change Date
5. **Restricts** SaaS/hosted service use beyond the Additional Use Grant
### Key Compatibility Principle
> Permissive-licensed code (MIT, BSD, Apache) can be incorporated into BUSL-1.1 projects without changing the overall license. Strong copyleft or service-restriction licenses (GPL/AGPL/SSPL) impose obligations that conflict with BUSL-1.1 distribution terms or Additional Use Grant restrictions.
---
## 2. License Compatibility Matrix
### 2.1 Fully Compatible (Inbound)
These licenses are fully compatible with BUSL-1.1. Code under these licenses can be incorporated into StellaOps.
| License | SPDX | Compatibility | Rationale |
|---------|------|---------------|-----------|
| MIT | MIT | **Yes** | Permissive, no copyleft restrictions |
| Apache-2.0 | Apache-2.0 | **Yes** | Same license, patent grant included |
| BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions |
| BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only |
| ISC | ISC | **Yes** | Functionally equivalent to MIT |
| 0BSD | 0BSD | **Yes** | Public domain equivalent |
| CC0-1.0 | CC0-1.0 | **Yes** | Public domain dedication |
| Unlicense | Unlicense | **Yes** | Public domain dedication |
| PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD |
| Zlib | Zlib | **Yes** | Permissive |
| BlueOak-1.0.0 | BlueOak-1.0.0 | **Yes** | Permissive |
| Python-2.0 | Python-2.0 | **Yes** | Permissive |
### 2.2 Compatible with Conditions
| License | SPDX | Compatibility | Conditions |
|---------|------|---------------|------------|
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking; library boundary required |
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking; library boundary required |
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL files remain isolated |
### 2.3 Incompatible
These licenses are **NOT** compatible with keeping StellaOps under BUSL-1.1:
| License | SPDX | Issue |
|---------|------|-------|
| GPL-2.0-only | GPL-2.0-only | Requires GPL relicensing; incompatible with BUSL distribution |
| GPL-2.0-or-later | GPL-2.0-or-later | Requires GPL relicensing; incompatible with BUSL distribution |
| GPL-3.0-only | GPL-3.0-only | Requires GPL distribution for combined work |
| GPL-3.0-or-later | GPL-3.0-or-later | Requires GPL distribution for combined work |
| AGPL-3.0-only | AGPL-3.0-only | Network copyleft conflicts with BUSL restrictions |
| AGPL-3.0-or-later | AGPL-3.0-or-later | Network copyleft conflicts with BUSL restrictions |
| SSPL-1.0 | SSPL-1.0 | Service source disclosure conflicts with BUSL restrictions |
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions conflict with BUSL grant |
| Proprietary | LicenseRef-Proprietary | No redistribution rights |
---
## 3. Distribution Models
### 3.1 Source Distribution (BUSL-1.1 Compliant)
When distributing StellaOps source code:
```
StellaOps (BUSL-1.1)
+-- StellaOps code (BUSL-1.1)
+-- MIT/BSD deps (retain notices)
+-- Apache-2.0 deps (retain NOTICE files)
+-- MPL/LGPL deps (retain file/library boundaries)
```
**Requirements:**
- Include full BUSL-1.1 license text with Additional Use Grant
- Preserve all third-party copyright and attribution notices
- Preserve NOTICE files from Apache-2.0 dependencies
- Mark modified files with prominent change notices
### 3.2 Binary Distribution (BUSL-1.1 Compliant)
When distributing StellaOps binaries (containers, packages):
```
StellaOps Binary
+-- LICENSE (BUSL-1.1)
+-- NOTICE.md (all attributions)
+-- third-party-licenses/ (full license texts)
+-- Source link (optional, transparency only)
```
**Requirements:**
- Include BUSL-1.1 license with Additional Use Grant
- Include NOTICE file with all attributions
- Include license texts for vendored code
### 3.3 Network Service (No Copyleft Clause)
BUSL-1.1 restricts SaaS/hosted service use beyond the Additional Use Grant. Operating StellaOps as a service is permitted only within the grant limits or under a commercial license; see `LICENSE` for details.
### 3.4 Aggregation (Not Derivation)
The following are considered **aggregation**, not derivation:
| Scenario | Classification | BUSL-1.1 Impact |
|----------|---------------|-------------------|
| PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed |
| RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 |
| Docker containers | Aggregation | Base image licenses unaffected |
| Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 |
| Hardware (HSM) | Interface only | HSM license unaffected |
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces and are not linked into StellaOps binaries.
### 3.5 Plugin Distribution (Community Plugin Grant)
The Community Plugin Grant Addendum (`LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`)
provides additional terms for plugin development and distribution.
**When distributing StellaOps Plugins:**
```
Plugin Distribution
+-- Plugin code (your license)
+-- Attribution to StellaOps
+-- If derivative work:
    +-- LICENSE (BUSL-1.1)
    +-- LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md
    +-- NOTICE.md
```
**Requirements by Plugin Type:**
| Plugin Type | License | Attribution | Include LICENSE | Include Addendum |
|-------------|---------|-------------|-----------------|------------------|
| API-only (no StellaOps code) | Your choice | Recommended | No | No |
| Includes StellaOps code | BUSL-1.1 | Required | Yes | Yes |
| Bundled with StellaOps | BUSL-1.1 | Required | Yes | Yes |
| Competing managed service | Commercial | N/A | N/A | N/A |
**Not Allowed Without Commercial License:**
- Redistributing plugins as part of a competing managed service offering
- White-labeling StellaOps functionality through plugins
- Embedding plugins in multi-tenant SaaS offerings to third parties
**See Also:**
- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Detailed plugin licensing FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP hosting scenarios
---
## 4. Specific Dependency Analysis
### 4.1 BouncyCastle Cryptography (MIT)
| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Linked into binaries |
| Requirement | Include copyright notice in NOTICE.md |
### 4.2 Npgsql/PostgreSQL (PostgreSQL License)
| Aspect | Status |
|--------|--------|
| License | PostgreSQL (permissive) |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice in NOTICE.md |
### 4.3 Polly (BSD-3-Clause)
| Aspect | Status |
|--------|--------|
| License | BSD-3-Clause |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice; no endorsement claims |
### 4.4 RxJS (Apache-2.0)
| Aspect | Status |
|--------|--------|
| License | Apache-2.0 |
| Compatibility | Full |
| Usage | npm package (bundled in frontend) |
| Requirement | Preserve NOTICE file |
### 4.5 CryptoPro CSP (Commercial)
| Aspect | Status |
|--------|--------|
| License | Commercial (LicenseRef-CryptoPro) |
| Compatibility | N/A - Not distributed |
| Usage | PKCS#11 interface only |
| Requirement | Customer obtains own license |
**Analysis:** StellaOps provides only the integration code (BUSL-1.1). CryptoPro CSP binaries are never distributed by StellaOps.
```
StellaOps Ships:
+-- PKCS#11 interface code (BUSL-1.1)
+-- Configuration documentation
+-- Integration tests (mock only)
Customer Provides:
+-- CryptoPro CSP license
+-- CryptoPro CSP binaries
+-- Hardware tokens (optional)
```
### 4.6 AlexMAS.GostCryptography (MIT)
| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Source vendored |
| Requirement | Include copyright notice; license file preserved |
**Analysis:** The fork is MIT-licensed and compatible with BUSL-1.1. The combined work remains BUSL-1.1 with MIT attribution preserved.
### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0)
| Aspect | Status |
|--------|--------|
| License | MPL-2.0 |
| Compatibility | Yes (with conditions) |
| Usage | Dev dependency only |
| Requirement | MPL files remain in separate files |
**Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution.
---
## 5. Outbound Licensing
### 5.1 StellaOps Core
All StellaOps-authored code is licensed under BUSL-1.1:
```
SPDX-License-Identifier: BUSL-1.1
Copyright (C) 2026 stella-ops.org
```
### 5.2 Documentation
Documentation is licensed under:
- Code examples: BUSL-1.1 (same as source)
- Prose content: CC-BY-4.0 (where specified)
- API specifications: BUSL-1.1
### 5.3 Configuration Samples
Sample configuration files (`etc/*.yaml.sample`) are:
- Licensed under: BUSL-1.1
- Derived configurations by users: User's choice (no copyleft propagation)
---
## 6. Compliance Checklist
### 6.1 For StellaOps Maintainers
- [ ] All new dependencies checked against allowlist
- [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies
- [ ] third-party-licenses/ includes texts for vendored code
- [ ] No GPL/AGPL or incompatible licenses introduced
- [ ] LICENSE and NOTICE shipped with source and binary distributions
### 6.2 For StellaOps Operators (Self-Hosted)
- [ ] LICENSE and NOTICE preserved in deployment
- [ ] Commercial components (CryptoPro, HSM) separately licensed
- [ ] Attribution notices accessible to end users (docs or packaged file)
### 6.3 For Contributors
- [ ] New code contributed under BUSL-1.1
- [ ] No proprietary code introduced
- [ ] Third-party code properly attributed
- [ ] License headers in new files
---
## 7. FAQ
### Q: Can I use StellaOps commercially?
**A:** Yes, within the Additional Use Grant limits or under a commercial license. SaaS/hosted third-party use requires a commercial license.
### Q: Can I modify StellaOps for internal use?
**A:** Yes. Non-production use is permitted, and production use is allowed within the Additional Use Grant or with a commercial license.
### Q: Does using StellaOps make my data BUSL-licensed?
**A:** No. BUSL-1.1 applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.
### Q: Can I integrate StellaOps with proprietary systems?
**A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses.
### Q: Do I need to disclose my CryptoPro CSP license?
**A:** CryptoPro CSP is customer-provided. StellaOps only ships integration code. Your CSP license is between you and CryptoPro.
---
## 8. References
- [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)
- [Apache 2.0 FAQ](https://www.apache.org/foundation/license-faq.html)
- [SPDX License List](https://spdx.org/licenses/)
- [REUSE Best Practices](https://reuse.software/tutorial/)
- [BUSL-1.1 License Text](https://spdx.org/licenses/BUSL-1.1.html)
---
## 9. Related Documents
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Community Plugin Grant Addendum
- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Plugin developer FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP guidance
- `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and compliance policy
---
*Document maintained by: Legal + Security Guild*
*Last review: 2026-01-25*