Summary
The repo is MIT-licensed, and that's the right choice — but two licensing-hygiene gaps should be closed so the MIT claim is correct, not just probably fine. Neither is urgent (no copyleft is infecting our code), so targeting v1.1.
Background: We bundle two GPLv3 components — p2pool and xmrig-proxy. Both enter as version-pinned, sha256-verified upstream binaries downloaded at image-build time and run as separate containers communicating over sockets/RPC. No GPL source is in our tree and nothing is linked into our code, so this is textbook GPLv3 "mere aggregation" — MIT for our orchestrator code is fine. Everything else we ship is permissive (monerod/Tor/Tari = BSD-3, Caddy/socket-proxy/Python deps = Apache-2.0/BSD, vendored JS = MIT except htm = Apache-2.0).
Gap 1 — LICENSE over-claims third-party files
LICENSE asserts MIT © Vijit Singh over "the Software," but the repo also redistributes files that are neither ours nor MIT:
- Tari .proto files + generated gRPC stubs under build/dashboard/mining_dashboard/client/tari/ — BSD-3-Clause, © The Tari Project
- build/dashboard/mining_dashboard/web/static/vendor/htm.module.js — Apache-2.0
- Other vendored JS (preact, chart.js, chartjs-plugin-zoom, hammerjs) — MIT (compatible, but should still be attributed)
This is an attribution gap, not a copyleft problem.
Fix:
- THIRD_PARTY_LICENSES.md (or NOTICE) enumerating bundled/vendored components and their licenses
- LICENSE to clarify MIT covers the project's original code; bundled/third-party files retain their own licenses
Gap 2 — We publish images containing GPLv3 binaries → GPLv3 §6 applies to those binaries
We push ghcr.io/p2pool-starter-stack/pithead-p2pool and …-xmrig-proxy, which contain the GPLv3 binaries. Whoever distributes a GPLv3 binary must provide the corresponding source (or a written offer / network access) plus the GPLv3 license text and copyright notices — independent of our repo's own license. Since we ship unmodified, version-pinned upstream binaries, compliance is low-effort: point to the exact upstream source for the pinned tag.
Fix:
- ARG *_VERSION + sha256 in each Dockerfile make this unambiguous)
Out of scope / non-issues
- No GPL source is copied into the repo; no linking — orchestrator code stays MIT.
- monerod, Tor, Tari, Caddy, socket-proxy are permissive (no copyleft obligations beyond attribution, folded into Gap 1).
Not legal advice — engineering-informed reading of well-trodden GPLv3 aggregation principles. A quick counsel check before a major release wouldn't hurt.