AGPL_FAQ.md

Licensing FAQ:

Aranya is licensed under Affero GPL v3.0.

Q: What is the relationship between our open source and commercial products?

A: SpiderOak offers our software development toolkit with your choice of an open source or commercial license. Through our open-source license, we enable widespread access to this technology, advocating for the developer community to collaborate, build and adopt protections to secure applications and devices to protect themselves against unauthorized access or data breaches. However, many developers may need different levels of regulatory compliance, as well as additional product features, and therefore our commercial product may be best suited for use. Contact SpiderOak to discuss which license might be best for you.

Q: How can I contribute to the Aranya project?

A: Thank you for your engagement and contribution to the Aranya project! As long as you have signed our Contributor License Agreement, you can contribute to our open-source project. However, SpiderOak may or may not choose to include your contributions in our SpiderOak commercial product offering.

Q: Can I use Aranya and provide it to others for my closed source application?

A: No. Under the AGPL license, you cannot deny recipients access to source code. If you add to the code and use the code as part of a SaaS or cloud offering, then you must make your modifications available in source code form to users under the AGPL license. If you include the code in a distributed or on-premises application, you must make the source code available for the entire program that contains the AGPL code, whether or not you are modifying the AGPL licensed code. If you plan to use Aranya for your closed source application, and cannot comply with AGPL, you must contact SpiderOak to discuss work under our commercial licensing terms.

Q: What if I make updates to the Aranya policy code?

A: The components of our policy language (policy compiler, policy parser, and policy VM) are all captured in our AGPL license. However, we understand that users may want to create their own custom policies to be compiled by our software. We do not consider policies to be a derived work of our software that is under AGPL. The relationship of our software to policies is a relationship of program to data, not program to program. AGPL only requires sharing for a program, not the data that the program processes.

Q: Isn’t using open-source software (OSS) forbidden by DoD Information Assurance (IA) Policy?

A: No. At a high level, DoD policy requires commercial software (including OSS) to come with either a warranty or source code, so that the software can be maintained, when necessary, by the supplier or the government. Since OSS provides source code, there is no problem. Specifically, the federal government’s IA controls, as documented in NIST SP 800-53 revision 5, include a control enhancement, CM-7(8). Control enhancement CM-7(8) states that an organization must prohibit “the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code”. This control enhancement is based on the need for some way to update software to fix problems after they are discovered. For commercial software, such needed fixes could be provided by a software vendor as part of a warranty, or in the case of OSS, by the government (or its contractors).

Note that the above is only for informational purposes and is not legal advice for you.

Additional information from: https://dodcio.defense.gov/Open-Source-Software-FAQ/#q-under-what-conditions-can-gpl-licensed-software-be-mixed-with-proprietaryclassified-software