304 lines
10 KiB
Markdown
304 lines
10 KiB
Markdown
# License Compatibility Analysis
|
|
|
|
**Document Version:** 1.0.0
|
|
**Last Updated:** 2025-12-26
|
|
**StellaOps License:** AGPL-3.0-or-later
|
|
|
|
This document analyzes the compatibility of third-party licenses with StellaOps' AGPL-3.0-or-later license.
|
|
|
|
---
|
|
|
|
## 1. AGPL-3.0-or-later Overview
|
|
|
|
The GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later) is a strong copyleft license that:
|
|
|
|
1. **Requires** source code disclosure for modifications
|
|
2. **Requires** network use disclosure (Section 13) - users interacting over a network must be able to receive the source code
|
|
3. **Allows** linking with permissively-licensed code (MIT, Apache-2.0, BSD)
|
|
4. **Prohibits** linking with incompatibly-licensed code (GPL-2.0-only, proprietary)
|
|
|
|
### Key Compatibility Principle
|
|
|
|
> Code licensed under permissive licenses (MIT, Apache-2.0, BSD, ISC) can be incorporated into AGPL projects. The combined work is distributed under AGPL terms.
|
|
|
|
---
|
|
|
|
## 2. License Compatibility Matrix
|
|
|
|
### 2.1 Fully Compatible (Inbound)
|
|
|
|
These licenses are fully compatible with AGPL-3.0-or-later. Code under these licenses can be incorporated into StellaOps.
|
|
|
|
| License | SPDX | Compatibility | Rationale |
|
|
|---------|------|---------------|-----------|
|
|
| MIT | MIT | **Yes** | Permissive, no copyleft restrictions |
|
|
| Apache-2.0 | Apache-2.0 | **Yes** | Permissive, patent grant included |
|
|
| BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions |
|
|
| BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only |
|
|
| ISC | ISC | **Yes** | Functionally equivalent to MIT |
|
|
| 0BSD | 0BSD | **Yes** | Public domain equivalent |
|
|
| CC0-1.0 | CC0-1.0 | **Yes** | Public domain dedication |
|
|
| Unlicense | Unlicense | **Yes** | Public domain dedication |
|
|
| PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD |
|
|
| Zlib | Zlib | **Yes** | Permissive |
|
|
| WTFPL | WTFPL | **Yes** | Do what you want |
|
|
|
|
### 2.2 Compatible with Conditions
|
|
|
|
| License | SPDX | Compatibility | Conditions |
|
|
|---------|------|---------------|------------|
|
|
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking |
|
|
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking |
|
|
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL code must remain in separate files |
|
|
| GPL-3.0-or-later | GPL-3.0-or-later | **Yes** | Combined work is AGPL-3.0+ |
|
|
| AGPL-3.0-or-later | AGPL-3.0-or-later | **Yes** | Same license |
|
|
|
|
### 2.3 Incompatible
|
|
|
|
These licenses are **NOT** compatible with AGPL-3.0-or-later:
|
|
|
|
| License | SPDX | Issue |
|
|
|---------|------|-------|
|
|
| GPL-2.0-only | GPL-2.0-only | Version lock conflicts with AGPL-3.0 |
|
|
| SSPL-1.0 | SSPL-1.0 | Additional restrictions |
|
|
| Proprietary | LicenseRef-Proprietary | No redistribution rights |
|
|
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions |
|
|
| BUSL-1.1 | BUSL-1.1 | Production use restrictions |
|
|
|
|
---
|
|
|
|
## 3. Distribution Models
|
|
|
|
### 3.1 Source Distribution (AGPL Compliant)
|
|
|
|
When distributing StellaOps source code:
|
|
|
|
```
|
|
StellaOps (AGPL-3.0-or-later)
|
|
├── StellaOps code (AGPL-3.0-or-later)
|
|
├── MIT-licensed deps (retain copyright notices)
|
|
├── Apache-2.0 deps (retain NOTICE files)
|
|
└── BSD deps (retain copyright notices)
|
|
```
|
|
|
|
**Requirements:**
|
|
- Include full AGPL-3.0-or-later license text
|
|
- Preserve all third-party copyright notices
|
|
- Preserve all NOTICE files from Apache-2.0 dependencies
|
|
- Provide complete corresponding source
|
|
|
|
### 3.2 Binary Distribution (AGPL Compliant)
|
|
|
|
When distributing StellaOps binaries (containers, packages):
|
|
|
|
```
|
|
StellaOps Binary
|
|
├── LICENSE (AGPL-3.0-or-later)
|
|
├── NOTICE.md (all attributions)
|
|
├── third-party-licenses/ (full license texts)
|
|
└── Source availability: git.stella-ops.org
|
|
```
|
|
|
|
**Requirements:**
|
|
- Include AGPL-3.0-or-later license
|
|
- Include NOTICE file with all attributions
|
|
- Provide mechanism to obtain source code
|
|
- For network services: provide source access per Section 13
|
|
|
|
### 3.3 Network Service (Section 13)
|
|
|
|
StellaOps is primarily deployed as network services. AGPL Section 13 requires:
|
|
|
|
> If you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network [...] an opportunity to receive the Corresponding Source of your version.
|
|
|
|
**StellaOps Compliance:**
|
|
- Source code is available at `https://git.stella-ops.org`
|
|
- Web UI includes "Source" link in footer/about page
|
|
- API responses include `X-Source-URL` header option
|
|
- Documentation includes source availability notice
|
|
|
|
### 3.4 Aggregation (Not Derivation)
|
|
|
|
The following are considered **aggregation**, not derivation:
|
|
|
|
| Scenario | Classification | AGPL Impact |
|
|
|----------|---------------|-------------|
|
|
| PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed |
|
|
| RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 |
|
|
| Docker containers | Aggregation | Base image licenses unaffected |
|
|
| Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 |
|
|
| Hardware (HSM) | Interface only | HSM license unaffected |
|
|
|
|
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces. They are not linked into StellaOps binaries.
|
|
|
|
---
|
|
|
|
## 4. Specific Dependency Analysis
|
|
|
|
### 4.1 BouncyCastle Cryptography (MIT)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | MIT |
|
|
| Compatibility | Full |
|
|
| Usage | Linked into binaries |
|
|
| Requirement | Include copyright notice in NOTICE.md |
|
|
|
|
### 4.2 Npgsql/PostgreSQL (PostgreSQL License)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | PostgreSQL (permissive) |
|
|
| Compatibility | Full |
|
|
| Usage | NuGet package (linked) |
|
|
| Requirement | Include copyright notice in NOTICE.md |
|
|
|
|
### 4.3 Polly (BSD-3-Clause)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | BSD-3-Clause |
|
|
| Compatibility | Full |
|
|
| Usage | NuGet package (linked) |
|
|
| Requirement | Include copyright notice; no endorsement claims |
|
|
|
|
### 4.4 RxJS (Apache-2.0)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | Apache-2.0 |
|
|
| Compatibility | Full |
|
|
| Usage | npm package (bundled in frontend) |
|
|
| Requirement | Preserve NOTICE file |
|
|
|
|
### 4.5 CryptoPro CSP (Commercial)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | Commercial (LicenseRef-CryptoPro) |
|
|
| Compatibility | N/A - Not distributed |
|
|
| Usage | PKCS#11 interface only |
|
|
| Requirement | Customer obtains own license |
|
|
|
|
**Analysis:** StellaOps provides only the integration code (AGPL-3.0-or-later). CryptoPro CSP binaries are never distributed by StellaOps. This is a clean separation:
|
|
|
|
```
|
|
StellaOps Ships:
|
|
├── PKCS#11 interface code (AGPL-3.0-or-later)
|
|
├── Configuration documentation
|
|
└── Integration tests (mock only)
|
|
|
|
Customer Provides:
|
|
├── CryptoPro CSP license
|
|
├── CryptoPro CSP binaries
|
|
└── Hardware tokens (optional)
|
|
```
|
|
|
|
### 4.6 AlexMAS.GostCryptography (MIT)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | MIT |
|
|
| Compatibility | Full |
|
|
| Usage | Source vendored |
|
|
| Requirement | Include copyright notice; license file preserved |
|
|
|
|
**Analysis:** The fork is MIT-licensed and compatible with AGPL-3.0-or-later. The combined work (StellaOps + fork) is distributed under AGPL-3.0-or-later terms.
|
|
|
|
### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0)
|
|
|
|
| Aspect | Status |
|
|
|--------|--------|
|
|
| License | MPL-2.0 |
|
|
| Compatibility | Yes (with conditions) |
|
|
| Usage | Dev dependency only |
|
|
| Requirement | MPL files stay in separate files |
|
|
|
|
**Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution.
|
|
|
|
---
|
|
|
|
## 5. Outbound Licensing
|
|
|
|
### 5.1 StellaOps Core
|
|
|
|
All StellaOps-authored code is licensed under AGPL-3.0-or-later:
|
|
|
|
```
|
|
SPDX-License-Identifier: AGPL-3.0-or-later
|
|
Copyright (C) 2025 stella-ops.org
|
|
```
|
|
|
|
### 5.2 Documentation
|
|
|
|
Documentation is licensed under:
|
|
- Code examples: AGPL-3.0-or-later (same as source)
|
|
- Prose content: CC-BY-4.0 (where specified)
|
|
- API specifications: AGPL-3.0-or-later
|
|
|
|
### 5.3 Configuration Samples
|
|
|
|
Sample configuration files (`etc/*.yaml.sample`) are:
|
|
- Licensed under: AGPL-3.0-or-later
|
|
- Derived configurations by users: User's choice (no copyleft propagation for configuration)
|
|
|
|
---
|
|
|
|
## 6. Compliance Checklist
|
|
|
|
### 6.1 For StellaOps Maintainers
|
|
|
|
- [ ] All new dependencies checked against allowlist
|
|
- [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies
|
|
- [ ] third-party-licenses/ includes texts for vendored code
|
|
- [ ] No GPL-2.0-only or incompatible licenses introduced
|
|
- [ ] Source remains available at documented URL
|
|
|
|
### 6.2 For StellaOps Operators (Self-Hosted)
|
|
|
|
- [ ] Source code available to network users (link in UI/docs)
|
|
- [ ] Modifications (if any) made available under AGPL-3.0-or-later
|
|
- [ ] Commercial components (CryptoPro, HSM) separately licensed
|
|
- [ ] NOTICE file preserved in deployment
|
|
|
|
### 6.3 For Contributors
|
|
|
|
- [ ] New code contributed under AGPL-3.0-or-later
|
|
- [ ] No proprietary code introduced
|
|
- [ ] Third-party code properly attributed
|
|
- [ ] License headers in new files
|
|
|
|
---
|
|
|
|
## 7. FAQ
|
|
|
|
### Q: Can I use StellaOps commercially?
|
|
**A:** Yes. AGPL-3.0-or-later permits commercial use. You must provide source code access to users interacting with your deployment over a network.
|
|
|
|
### Q: Can I modify StellaOps for internal use?
|
|
**A:** Yes. If modifications are internal only (not exposed to network users), no disclosure required.
|
|
|
|
### Q: Does using StellaOps make my data AGPL-licensed?
|
|
**A:** No. AGPL applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.
|
|
|
|
### Q: Can I integrate StellaOps with proprietary systems?
|
|
**A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses.
|
|
|
|
### Q: Do I need to disclose my CryptoPro CSP license?
|
|
**A:** CryptoPro CSP is customer-provided. StellaOps only ships integration code. Your CSP license is between you and CryptoPro.
|
|
|
|
---
|
|
|
|
## 8. References
|
|
|
|
- [GNU AGPL-3.0 FAQ](https://www.gnu.org/licenses/gpl-faq.html)
|
|
- [FSF License Compatibility](https://www.gnu.org/licenses/license-list.html)
|
|
- [SPDX License List](https://spdx.org/licenses/)
|
|
- [Apache-2.0/GPL Compatibility](https://www.apache.org/licenses/GPL-compatibility.html)
|
|
- [REUSE Best Practices](https://reuse.software/tutorial/)
|
|
|
|
---
|
|
|
|
*Document maintained by: Legal + Security Guild*
|
|
*Last review: 2025-12-26*
|