Open-source licenses
Live inventory
The authoritative list of every component, its version, license, homepage, and upstream source is in the portal itself:
Sidebar → Licenses (also accessible from the pre-login footer)
That page is regenerated daily by the oss-component-scan job, which inventories components with dpkg -l, pip list, and npm ls (those commands enumerate packages; the license column comes from each package's own metadata, not from a hand-maintained list). Anything those three package managers do not know about, such as a vendored library or a statically linked binary, is therefore not in the inventory. Hand-curated lists go stale, so Meridian does not keep one.
License families used
| Family | Examples | Obligation |
|---|---|---|
| Permissive | MIT · BSD-2 · BSD-3 · Apache-2.0 · PostgreSQL · ISC | Preserve notice + license text |
| Weak copyleft | MPL-2.0 (bind9) · LGPL-3.0+ (psycopg2) | Preserve notice + source offer for the covered library files (including any modifications to them); the rest of the program is not pulled in |
| Strong copyleft | GPL-2.0 / GPL-2.0+ (fail2ban, apparmor, util-linux) | Preserve notice + source offer for the complete corresponding source of the program as distributed |
| Font | OFL-1.1 (JetBrains Mono, DM Sans) | Preserve notice + license text; the font may not be sold on its own, and modified versions may not reuse a Reserved Font Name |
How we satisfy copyleft source-offer
Meridian installs its copyleft dependencies as unmodified packages via apt from Debian (or pip from PyPI); it does not bundle or patch their source. The source offer is therefore met by pointing at the upstream project for each package:
- bind9 (MPL-2.0): gitlab.isc.org/isc-projects/bind9
- fail2ban (GPL-2.0+): github.com/fail2ban/fail2ban
- apparmor (GPL-2.0): gitlab.com/apparmor/apparmor
- psycopg2 (LGPL-3.0+): github.com/psycopg/psycopg2
- util-linux, e2fsprogs, coreutils, etc.: see the portal's Licenses page for per-package links.
The links above point at the upstream project, not at the exact Debian revision installed on your host. The source matching the package version you actually have can be fetched locally with apt-get source <package> (this needs a deb-src entry in your APT sources). If a contract requires the actual source tarball rather than a link (some enterprise and government contracts do), contact oss@meridiannip.com and we will ship you the source set matching your installed versions.
SBOM export
The Licenses page in the portal exports the full component list in four formats suitable for compliance and supply-chain tooling:
- CycloneDX 1.5 JSON — security tooling (Snyk, Dependency-Track, etc.)
- CycloneDX 1.5 XML
- SPDX 2.3 JSON — legal review, compliance attestations
- SPDX 2.3 Tag-Value
Or generate via the CLI:
sudo meridian-nip oss sbom --format cyclonedx_json > meridian-sbom.json
sudo meridian-nip oss sbom --format spdx_json > meridian-sbom.spdx.json
License-change detection
The OSS scan compares each day's findings against the prior day's. If any package's declared license changes (say, a library relicenses from MIT to BSL), the compliance report flags it and emails all admins. This catches surprises like the Redis → RSAL relicense before they break your compliance posture. Note that the comparison is of declared license metadata: a relicense is only detected once a package version carrying the new license is actually installed, so an upstream change that has not yet reached your host is not flagged, and a package whose metadata declares no license at all shows up as unknown rather than as a change.
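The same check can be run outside the portal against the exported SBOMs, which is useful when the Licenses page is not the system of record for a compliance team. The script below is an added example and not Meridian's code: it reads two CycloneDX 1.5 JSON SBOMs, buckets each component's declared license into the families from the table above, and reports any component whose license differs between the two snapshots. The CycloneDX component and license structure is the real one; the FAMILIES mapping is an assumption mirroring the table (with a "source-available" bucket for relicense targets, and "RSALv2" used as a license name, since it has no SPDX identifier), and both SBOMs are constructed test data, not output of `meridian-nip oss sbom`.

```python
"""Bucket CycloneDX 1.5 JSON SBOM licenses into families and diff two snapshots.

Added example, not Meridian's code. PREVIOUS_SBOM / CURRENT_SBOM are
constructed test data standing in for two days of oss-component-scan output.
"""
import json

# SPDX identifiers per family (assumed mapping, mirrors the license table).
# Anything unrecognised lands in "review", deliberately the strictest bucket.
FAMILIES = {
    "permissive": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "PostgreSQL", "ISC"},
    "font": {"OFL-1.1"},
    "weak-copyleft": {"MPL-2.0", "LGPL-2.1-or-later", "LGPL-3.0-or-later"},
    "strong-copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-or-later", "AGPL-3.0-only"},
    # Source-available terms that relicensing usually moves a project to.
    # "RSALv2" is a license *name*, not an SPDX id, so CycloneDX carries it as such.
    "source-available": {"BUSL-1.1", "SSPL-1.0", "RSALv2", "Elastic-2.0"},
}
STRICTNESS = ["permissive", "font", "weak-copyleft", "strong-copyleft", "source-available", "review"]


def family_of(license_id: str) -> str:
    for family, ids in FAMILIES.items():
        if license_id in ids:
            return family
    return "review"


def family_of_expression(expr: str) -> str:
    """Most restrictive family among the identifiers in an SPDX expression.

    Conservative on purpose: 'X OR Y' is bucketed by the stricter side so a
    human decides which option applies. The token after WITH is an exception
    (e.g. an OpenSSL exception), not a license, and is skipped.
    """
    tokens = expr.replace("(", " ").replace(")", " ").split()
    worst, skip_next = "permissive", False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok == "WITH":
            skip_next = True
            continue
        if tok in ("AND", "OR"):
            continue
        fam = family_of(tok)
        if STRICTNESS.index(fam) > STRICTNESS.index(worst):
            worst = fam
    return worst


def declared_licenses(sbom: dict) -> dict:
    """component name -> declared license string.

    CycloneDX allows {'license': {'id'|'name': ...}} entries or a single
    {'expression': ...}; both are normalised to one string. Keyed by name
    rather than name@version so a version bump that changes the license is
    seen as a license change, not as an unrelated new component.
    """
    out = {}
    for comp in sbom.get("components", []):
        parts = []
        for entry in comp.get("licenses", []):
            if "expression" in entry:
                parts.append(entry["expression"])
            elif "license" in entry:
                lic = entry["license"]
                parts.append(lic.get("id") or lic.get("name") or "NOASSERTION")
        out[comp["name"]] = " AND ".join(parts) if parts else "NOASSERTION"
    return out


def family_summary(sbom: dict) -> dict:
    counts = {}
    for lic in declared_licenses(sbom).values():
        fam = family_of_expression(lic)
        counts[fam] = counts.get(fam, 0) + 1
    return counts


def license_changes(previous: dict, current: dict) -> list:
    """(name, old_license, new_license) for components present in both SBOMs
    whose declared license differs. Components only in one SBOM are not changes."""
    prev, cur = declared_licenses(previous), declared_licenses(current)
    return sorted((n, prev[n], cur[n]) for n in prev.keys() & cur.keys() if prev[n] != cur[n])


# Constructed snapshots (not real scan output).
PREVIOUS_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "fail2ban", "version": "1.0.2",
     "licenses": [{"license": {"id": "GPL-2.0-or-later"}}]},
    {"type": "library", "name": "psycopg2", "version": "2.9.9",
     "licenses": [{"expression": "LGPL-3.0-or-later WITH openvpn-openssl-exception"}]},
    {"type": "library", "name": "redis", "version": "7.2.4",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]}
  ]}""")
CURRENT_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
  "components": [
    {"type": "library", "name": "fail2ban", "version": "1.0.2",
     "licenses": [{"license": {"id": "GPL-2.0-or-later"}}]},
    {"type": "library", "name": "psycopg2", "version": "2.9.9",
     "licenses": [{"expression": "LGPL-3.0-or-later WITH openvpn-openssl-exception"}]},
    {"type": "library", "name": "redis", "version": "7.4.0",
     "licenses": [{"expression": "RSALv2 OR SSPL-1.0"}]},
    {"type": "library", "name": "jetbrains-mono", "version": "2.304",
     "licenses": [{"license": {"id": "OFL-1.1"}}]},
    {"type": "library", "name": "unknown-lib", "version": "0.1"}
  ]}""")

if __name__ == "__main__":
    for name, old, new in license_changes(PREVIOUS_SBOM, CURRENT_SBOM):
        print(f"LICENSE CHANGE {name}: {old} -> {new} [{family_of_expression(new)}]")
    print(family_summary(CURRENT_SBOM))
```

Run against two real exports by replacing the constructed dicts with `json.load()` of yesterday's and today's `meridian-sbom.json`. The "review" bucket (unknown identifiers and components with no license metadata) is worth reporting as loudly as a change: those are the entries the daily comparison cannot classify.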
What Meridian itself is licensed as
Meridian is licensed under the Apache License 2.0 — free to install, modify, distribute, and use commercially. The "MeridianNIP" name and logo are trademarks (see License + trademark). There is no paid tier, no license key, no commercial-use agreement required. Full LICENSE + NOTICE files are at the root of the source tree and on github.com/MeridianNIP/meridian.