Required Source Disclosure
Required Source Disclosure
Required Source Disclosure
The following components are distributed under licenses that require us to make source code available. Links point to the exact source archives used in this release build.
| Component | Version | License | Source |
|---|---|---|---|
| audit | 4.1.2 | GPL-2.0-or-later | source |
| bash-interactive | 5.3p9 | GPL-3.0-or-later | source |
| busybox | 1.37.0 | GPL-2.0-only | source |
| db | 4.8.30 | Sleepycat | source |
| gcc | 15.2.0 | GPL-3.0-or-later | source |
| glibc | 2.42 | LGPL-2.0-or-later | source |
| keyutils | 1.6.3 | GPL-2.0-or-later | source |
| libcap-ng | 0.9 | LGPL-2.1-only | source |
| libidn2 | 2.3.8 | GPL-2.0-or-later | source |
| libunistring | 1.4.1 | LGPL-3.0-or-later | source |
| libxcrypt | 4.5.2 | LGPL-2.1-or-later | source |
| nss-cacert | 3.121 | MPL-2.0 | source |
| readline | 8.3p3 | GPL-3.0-or-later | source |
| xgcc | 15.2.0 | GPL-3.0-or-later | source |
All Other Components
Source URLs for all components (including permissively-licensed ones) are
recorded in the CycloneDX SBOM under the externalReferences field with
type distribution. Download the SBOM from the
Dependencies section to access them.
All images are built using Nix derivations from pinned inputs, ensuring the source URL in the SBOM is the exact archive used in the build — not a “latest” pointer.
Last updated on • David Laing