19855efacc
Some checks failed
Tests / Go Tests (push) Has been cancelled
Tests / Python Tests (push) Has been cancelled
Tests / Integration Tests (push) Has been cancelled
Tests / Go Lint (push) Has been cancelled
Tests / Python Lint (push) Has been cancelled
Tests / Security Scan (push) Has been cancelled
Tests / All Checks Passed (push) Has been cancelled
Security Scanning / Secret Scanning (push) Has been cancelled
Security Scanning / Dependency Vulnerability Scan (push) Has been cancelled
Security Scanning / Go Security Scan (push) Has been cancelled
Security Scanning / Python Security Scan (push) Has been cancelled
Security Scanning / Node.js Security Scan (push) Has been cancelled
Security Scanning / Docker Image Security (push) Has been cancelled
Security Scanning / Security Summary (push) Has been cancelled
CI/CD Pipeline / Go Tests (push) Has been cancelled
CI/CD Pipeline / Python Tests (push) Has been cancelled
CI/CD Pipeline / Website Tests (push) Has been cancelled
CI/CD Pipeline / Linting (push) Has been cancelled
CI/CD Pipeline / Security Scan (push) Has been cancelled
CI/CD Pipeline / Docker Build & Push (push) Has been cancelled
CI/CD Pipeline / Integration Tests (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / CI Summary (push) Has been cancelled
ci/woodpecker/manual/build-ci-image Pipeline was successful
ci/woodpecker/manual/main Pipeline failed
All services: admin-v2, studio-v2, website, ai-compliance-sdk, consent-service, klausur-service, voice-service, and infrastructure. Large PDFs and compiled binaries excluded via .gitignore.
100 lines
2.2 KiB
Markdown
100 lines
2.2 KiB
Markdown
# Open Source Policy
|
|
|
|
## Lizenzprüfung (AUTOMATISCH BEI JEDER DEPENDENCY)
|
|
|
|
### Erlaubte Lizenzen ✅
|
|
|
|
| Lizenz | Typ | Kommerziell OK |
|
|
|--------|-----|----------------|
|
|
| MIT | Permissive | ✅ |
|
|
| Apache-2.0 | Permissive | ✅ |
|
|
| BSD-2-Clause | Permissive | ✅ |
|
|
| BSD-3-Clause | Permissive | ✅ |
|
|
| ISC | Permissive | ✅ |
|
|
| MPL-2.0 | Weak Copyleft | ✅ |
|
|
| LGPL-2.1 / LGPL-3.0 | Weak Copyleft | ✅ (nur linking) |
|
|
| CC0-1.0 | Public Domain | ✅ |
|
|
| Unlicense | Public Domain | ✅ |
|
|
|
|
### Verbotene Lizenzen ❌
|
|
|
|
| Lizenz | Grund |
|
|
|--------|-------|
|
|
| GPL-2.0 / GPL-3.0 | Copyleft - infiziert Projekt |
|
|
| AGPL-3.0 | Network Copyleft - SaaS-Killer |
|
|
| SSPL | Server Side Public License |
|
|
| BSL | Business Source License |
|
|
| "Non-Commercial" | Keine kommerzielle Nutzung |
|
|
| "Educational Only" | Nur für Bildung |
|
|
| Proprietary | Keine OSS |
|
|
|
|
---
|
|
|
|
## Workflow bei neuer Dependency
|
|
|
|
### 1. Vor dem Hinzufügen prüfen
|
|
|
|
```bash
|
|
# NPM Package
|
|
npm view <package> license
|
|
|
|
# Python Package
|
|
pip show <package> | grep License
|
|
|
|
# Go Module
|
|
go-licenses check <module>
|
|
```
|
|
|
|
### 2. Bei Unklarheit
|
|
|
|
- README.md des Projekts lesen
|
|
- LICENSE-Datei prüfen
|
|
- SPDX-Identifier suchen
|
|
- Im Zweifel: **NICHT verwenden**
|
|
|
|
### 3. Nach dem Hinzufügen
|
|
|
|
**SBOM aktualisieren:** https://macmini:3002/infrastructure/sbom
|
|
|
|
```bash
|
|
# SBOM generieren
|
|
cd /Users/benjaminadmin/Projekte/breakpilot-pwa
|
|
|
|
# Python
|
|
pip-licenses --format=json > sbom/python-licenses.json
|
|
|
|
# Node.js
|
|
npx license-checker --json > sbom/node-licenses.json
|
|
|
|
# Go
|
|
go-licenses csv ./... > sbom/go-licenses.csv
|
|
```
|
|
|
|
---
|
|
|
|
## Grenzfälle
|
|
|
|
### Dual-Licensed Packages
|
|
- Wenn MIT **oder** GPL angeboten wird → MIT wählen
|
|
- Dokumentieren welche Lizenz gewählt wurde
|
|
|
|
### Transitive Dependencies
|
|
- Auch indirekte Abhängigkeiten prüfen
|
|
- `npm ls`, `pip-tree`, `go mod graph`
|
|
|
|
### Fonts & Assets
|
|
- Google Fonts: ✅ (OFL)
|
|
- Font Awesome Free: ✅ (CC BY 4.0 / OFL / MIT)
|
|
- Icons8: ❌ (Attribution required, kompliziert)
|
|
|
|
---
|
|
|
|
## Checkliste bei PR/Commit
|
|
|
|
Wenn neue Dependencies hinzugefügt wurden:
|
|
|
|
- [ ] Lizenz ist in der Whitelist
|
|
- [ ] SBOM wurde aktualisiert
|
|
- [ ] Keine GPL/AGPL-Abhängigkeiten eingeschleppt
|
|
- [ ] Bei Dual-License: MIT/Apache gewählt
|