Open Source Licenses & SBOM¶
Repod is open source and relies on open source components. This page documents the license structure, the Software Bill of Materials (SBOM), and how to verify the component inventory of your deployment.
Repod license¶
The Repod source code — backend (FastAPI/Python) and frontend (React) — is released under the Apache License 2.0.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/LICENSE-2.0
Copyright 2024-2026 Repod contributors
See the full text in the repository's LICENSE file.
Why Apache 2.0?¶
- Explicit patent grant (§3): protects users from patent claims by contributors. Essential for enterprise and government procurement.
- Compatible with EUPL 1.2: required for DINUM (French government) open source contributions and listed in the official DINUM license catalogue.
- Compatible with Apache 2.0 dependencies: Grype and Syft (both Apache 2.0) integrate without license friction.
- No copyleft propagation: organizations can build proprietary extensions or internal forks without open-sourcing them.
Third-party components¶
Repod's Docker images include third-party tools. Each component retains its original license; no component's license propagates to Repod's own code (see below).
GPL v2 components¶
| Component | Version | License | Usage | Source |
|---|---|---|---|---|
| reprepro (APT only) | 5.4.6 | GPL v2 | APT repository management, invoked as a separate process | salsa.debian.org |
| createrepo_c (RPM only) | 1.2.0 | GPL v2 | RPM repository indexing, invoked as a separate process | github.com/rpm-software-management/createrepo_c |
| rpm (RPM only) | 4.20.1 | GPL v2 / LGPL v2 | RPM package querying, invoked as a separate process | github.com/rpm-software-management/rpm |
| ClamAV | 1.4.3 | GPL v2 | Antivirus scanning, accessed through the clamd Unix socket | github.com/Cisco-Talos/clamav |
Apache 2.0 components¶
| Component | License | Role |
|---|---|---|
| Grype v0.112.0 | Apache 2.0 | CVE vulnerability scanning |
| Syft v1.44.0 | Apache 2.0 | SBOM generation |
| Requests | Apache 2.0 | HTTP client library |
| Prometheus Client | Apache 2.0 | Metrics export |
MIT components¶
| Component | License | Role |
|---|---|---|
| FastAPI 0.136.1 | MIT | Backend web framework |
| React | MIT | Frontend UI library |
| Tailwind CSS | MIT | CSS framework |
| axios | MIT | Frontend HTTP client |
| APScheduler | MIT | Scheduled jobs (SLA checks, security sync) |
| react-hot-toast | MIT | Notification UI |
| react-router-dom | MIT | Client-side routing |
Full attribution details are in the repository's NOTICES file.
GPL v2 isolation¶
Legal basis for Apache 2.0 licensing
GPL v2 applies to derivative works, which under the FSF's reading includes code that is statically or dynamically linked against a GPL library. Repod does not link against libreprepro, libclamav, or librpm. Every GPL v2 tool runs as an independent process: the command-line tools are started through Python's subprocess module, and ClamAV is reached over the clamd Unix socket.
This architecture was validated by independent legal counsel under French law (Code de la Propriété Intellectuelle, Article L122-6) and U.S. copyright law. The conclusion: Repod's Apache 2.0 code is not a derivative work of the GPL v2 components, and the GPL v2 does not propagate to Repod's license.
If you modify Repod to link against any GPL v2 library, statically or dynamically, you would create a derivative work and GPL v2 obligations would apply to that modification.
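The process boundary described above, shown as an added example rather than Repod's own code: a GPL tool is spawned as a child process from an argv list with no shell, the values that come from users are validated so they can never be parsed as options, the environment is reduced, and a timeout bounds the call. The codename rule, the paths and the helper names are assumptions made for this example.

```python
"""Invoke a GPL v2 tool (reprepro here) as an independent process from Apache-2.0 code.

Added example, not Repod's implementation. Nothing is linked; the tool runs as a
separate process started with a validated argv list. The naming rule and paths
below are assumptions for the example.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Assumed policy for distribution codenames (e.g. "bookworm"); reprepro itself is
# more permissive. The point is that nothing option-like ("-b", "--ignore=all")
# can reach the tool from a request parameter.
CODENAME_RE = re.compile(r"^[a-z][a-z0-9.-]{0,31}$")


def reprepro_includedeb_argv(basedir, codename, deb_path):
    """Build argv for `reprepro -b BASEDIR includedeb CODENAME FILE.deb`.

    Only absolute paths and a strict codename are accepted, so a user-controlled
    value cannot start with '-' and be interpreted as an option.
    """
    base, deb = Path(basedir), Path(deb_path)
    if not CODENAME_RE.match(codename):
        raise ValueError(f"invalid codename: {codename!r}")
    if not base.is_absolute() or not deb.is_absolute():
        raise ValueError("basedir and .deb path must be absolute")
    if deb.suffix != ".deb":
        raise ValueError(f"not a .deb file: {deb_path!r}")
    return ["reprepro", "-b", str(base), "includedeb", codename, str(deb)]


def run_tool(argv, timeout=300):
    """Run an external tool as a separate process and return its stdout.

    shell=False (the default) hands argv to execve() verbatim, so no word
    splitting or globbing happens on the arguments; a minimal environment keeps
    inherited variables from influencing the tool; a non-zero exit status is
    turned into an exception carrying stderr.
    """
    exe = shutil.which(argv[0])
    if exe is None:
        raise FileNotFoundError(f"{argv[0]} is not installed")
    result = subprocess.run(
        [exe, *argv[1:]],
        capture_output=True, text=True, timeout=timeout,
        env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"},
    )
    if result.returncode != 0:
        raise RuntimeError(
            f"{argv[0]} exited {result.returncode}: {result.stderr.strip()}")
    return result.stdout


if __name__ == "__main__":
    # Illustrative paths; the repository directory and incoming file are assumed.
    argv = reprepro_includedeb_argv(
        "/srv/repo", "bookworm", "/srv/incoming/hello_1.0_amd64.deb")
    print("would run:", argv)
    if shutil.which("reprepro"):
        print(run_tool(argv))
```

The same pattern applies to createrepo_c and rpm: every argument that originates in a request or an uploaded file name passes through a validator before it is placed in argv, and the child process is the only place the GPL code executes.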
Software Bill of Materials (SBOM)¶
Repod publishes machine-readable SBOMs for each release in CycloneDX JSON format.
Download¶
| Image | Format | File |
|---|---|---|
| APT backend | CycloneDX JSON | repod-apt-backend.sbom.cdx.json |
| APT frontend | CycloneDX JSON | repod-apt-frontend.sbom.cdx.json |
| RPM backend | CycloneDX JSON | repod-rpm-backend.sbom.cdx.json |
| RPM frontend | CycloneDX JSON | repod-rpm-frontend.sbom.cdx.json |
Verify the SBOM against your deployment¶
# Install Syft and Grype, pinned to the versions this release was built with
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
  | sh -s -- -b /usr/local/bin v1.44.0
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
  | sh -s -- -b /usr/local/bin v0.112.0
# Generate a fresh SBOM of the image you actually run (substitute your image name and tag)
syft scan docker:repodata-backend:latest \
  -o cyclonedx-json=my-repod-backend.sbom.cdx.json
# Scan the SBOM for vulnerabilities
grype sbom:my-repod-backend.sbom.cdx.json
A freshly generated SBOM only verifies the deployment once it is compared with the published SBOM for the same image and release: a component present in one file but missing, or at a different version, in the other means the running image is not the one that was released.
Scan for license compliance¶
# List all licenses in the image. Syft's table output has no license column
# (only name, version and type), so read the JSON output instead.
syft scan docker:repodata-backend:latest -o json \
  | jq -r '.artifacts[].licenses[]?.value' | sort -u
# Or from the CycloneDX SBOM generated in the previous step
jq -r '.components[].licenses[]? | .license.id // .license.name // .expression' \
  my-repod-backend.sbom.cdx.json | sort -u
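Generating a fresh SBOM and listing its licenses does not by itself say whether the deployment matches the release or whether every license is acceptable. The script below is an added example, not part of Repod, that does the two checks the previous two sections set up: it diffs a published CycloneDX SBOM against one generated from the running image, and it flags components whose license is missing or outside an allow-list. The two embedded documents are constructed sample input, the allow-list is an assumed policy, and the component layout assumed is the one Syft writes (purl, name, version, and licenses as id/name objects or expressions).

```python
"""Check a deployed image against a published Repod SBOM.

Added example, not Repod's own code. Reads two CycloneDX JSON documents, reports
component drift between them, and flags licenses outside an allow-list.
"""
import json
import re
import sys

# Allow-list for the license check; an assumed policy, not Repod's.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC",
                    "GPL-2.0-only", "LGPL-2.1-only", "PSF-2.0"}

# Constructed sample standing in for the published SBOM of a release.
PUBLISHED = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "fastapi", "version": "0.136.1",
     "purl": "pkg:pypi/fastapi@0.136.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "requests", "version": "2.32.3",
     "purl": "pkg:pypi/requests@2.32.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "application", "name": "reprepro", "version": "5.4.6",
     "purl": "pkg:deb/debian/reprepro@5.4.6?arch=amd64",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
]}

# Constructed sample standing in for a Syft scan of the running image:
# requests was downgraded, reprepro is gone, and two unlisted packages appeared.
RUNNING = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "fastapi", "version": "0.136.1",
     "purl": "pkg:pypi/fastapi@0.136.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"name": "WTFPL"}}]},
    {"type": "library", "name": "mystery", "version": "0.1", "purl": "pkg:pypi/mystery@0.1"},
]}


def component_index(bom):
    """Map each component to its purl (or name@version when purl is absent).
    Two entries with the same key (same package, same version) collapse into one."""
    return {c.get("purl") or f"{c.get('name')}@{c.get('version')}": c
            for c in bom.get("components", [])}


def identity(key):
    """Strip the version from a purl ('pkg:pypi/requests@2.32.3?arch=x' becomes
    'pkg:pypi/requests?arch=x') so one package can be matched across versions."""
    return re.sub(r"@[^?#]*", "", key)


def diff_sboms(published, running):
    """Drift between the published SBOM and the running image: components missing
    from the image, components present but never published, and version changes."""
    pub = {identity(k): k for k in component_index(published)}
    run = {identity(k): k for k in component_index(running)}
    missing = sorted(k for i, k in pub.items() if i not in run)
    unexpected = sorted(k for i, k in run.items() if i not in pub)
    changed = sorted((k, run[i]) for i, k in pub.items() if i in run and run[i] != k)
    return {"missing": missing, "unexpected": unexpected, "changed": changed}


def expression_allowed(expr, allowed):
    """Conservative check of a CycloneDX 'expression'. A flat OR-expression passes
    when any alternative is allowed; anything containing AND or parentheses must
    have every leaf allowed. 'X WITH exception' stays a single leaf."""
    leaves = [t.strip("() ") for t in re.split(r"\s+(?:AND|OR)\s+", expr)]
    if " AND " not in expr and "(" not in expr:
        return any(leaf in allowed for leaf in leaves)
    return all(leaf in allowed for leaf in leaves)


def license_violations(bom, allowed=ALLOWED_LICENSES):
    """Components with no declared license or with a license outside the allow-list."""
    problems = []
    for key, comp in component_index(bom).items():
        entries = comp.get("licenses", [])
        if not entries:
            problems.append((key, "no license declared"))
        for entry in entries:
            if "expression" in entry:
                if not expression_allowed(entry["expression"], allowed):
                    problems.append((key, entry["expression"]))
            else:
                lic = entry.get("license", {})
                ident = lic.get("id") or lic.get("name") or "UNKNOWN"
                if ident not in allowed:
                    problems.append((key, ident))
    return sorted(problems)


def main(argv):
    """Usage: sbom_check.py PUBLISHED.cdx.json RUNNING.cdx.json (no args: samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            published, running = json.load(f), json.load(g)
    else:
        published, running = PUBLISHED, RUNNING
    drift = diff_sboms(published, running)
    for kind, items in drift.items():
        for item in items:
            print(f"DRIFT {kind}: {item}")
    violations = license_violations(running)
    for key, reason in violations:
        print(f"LICENSE {key}: {reason}")
    return 1 if any(drift.values()) or violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sbom_check.py repod-apt-backend.sbom.cdx.json my-repod-backend.sbom.cdx.json`; with no arguments it runs on the embedded samples. The exit status is non-zero on any drift or license finding, so the script can sit in a CI or deployment gate. Matching on the version-stripped purl is what makes a downgrade appear as a version change rather than as one missing and one unexpected component.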
Repod generates SBOMs for your packages¶
In addition to publishing its own SBOM, Repod generates SBOMs for the packages
it manages. Every uploaded package gets a CycloneDX 1.5 and SPDX 2.3 manifest
stored in /repos/manifests/.
# Download the SBOM for a specific package (CycloneDX)
curl -H "Authorization: Bearer $TOKEN" \
"http://localhost:8000/api/v1/sbom/mypackage/1.0.0?format=cyclonedx&arch=amd64" \
-o mypackage-sbom.cdx.json
# Or the entire repository
curl -H "Authorization: Bearer $TOKEN" \
"http://localhost:8000/api/v1/sbom/export?format=cyclonedx" \
-o repod-full-sbom.cdx.json
This is what makes Repod useful for NIS2 Article 21 supply chain audits: every package in your infrastructure has a machine-readable component inventory that can be exported and checked against the packages actually deployed.