From ec65048d1bc56b2673445ee9295716843d3c138a Mon Sep 17 00:00:00 2001 From: leodido <120051+leodido@users.noreply.github.com> Date: Mon, 4 May 2026 13:15:13 +0000 Subject: [PATCH] docs(readme): explain Apache 2.0 + uABI posture Adds a License-section paragraph explaining why a library that reads /proc and /sys is Apache 2.0 (not GPL) and Apache 2.0 over MIT. Documents the kernel-uABI-only posture, the kernel COPYING carve-out for normal syscalls, the patent-grant rationale, and the adopter base. Co-authored-by: Ona --- CHANGELOG.md | 1 + README.md | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce00e7a..a1808ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Releases: every artifact (per-platform tarballs and `checksums.txt`) is now signed with [cosign](https://github.com/sigstore/cosign) keyless signing backed by GitHub's OIDC token. Each artifact has a sibling `.sigstore.json` bundle containing the signature, certificate (with the workflow identity baked in), and Rekor transparency-log inclusion proof. Verifying a download is a single `cosign verify-blob --bundle ...` invocation; see the new [Verifying releases](README.md#verifying-releases) section in the README for the exact commands. Requires cosign v2.0+ on the verifier side. - `NOTICE` file at repo root carrying the `Copyright 2026 Leonardo Di Donato` attribution. Apache 2.0 distinguishes the license text (canonical, verbatim, in `LICENSE`) from project-level attribution (in a `NOTICE` file that downstream consumers must propagate). The previous setup folded the copyright line into `LICENSE` itself; that conflated the two and is one of the deviations that caused licensecheck to mis-classify the file (see corresponding `### Fixed` entry). +- README License section: "Why Apache 2.0" paragraph. Documents the kernel-uABI posture (no kernel source, no cgo, no GPL deps; `/proc` and `/sys` reads fall under the kernel `COPYING` "normal syscalls" carve-out) and the Apache-2.0-over-MIT rationale (patent grant for security-adjacent probing; same-license adopter base of Cilium, Tetragon, Falco, etc.). ### Fixed diff --git a/README.md b/README.md index e9a720d..9b2114e 100644 --- a/README.md +++ b/README.md 
@@ -390,4 +390,13 @@ feature-addition checklist, and the development workflow. ## License -[Apache License 2.0](LICENSE). +[Apache License 2.0](LICENSE). Project attribution in [NOTICE](NOTICE), per Apache 2.0 §4(d). + +### Why Apache 2.0 + +`kfeatures` is pure-Go userspace. No kernel source embedded, no cgo, no GPL/LGPL deps. Kernel interaction is uABI only: reads from `/proc` and `/sys`, syscalls and constants via [`golang.org/x/sys/unix`](https://pkg.go.dev/golang.org/x/sys/unix) (BSD-3-Clause), ELF parsing via [`github.com/cilium/ebpf`](https://pkg.go.dev/github.com/cilium/ebpf) (MIT; never calls `BPF_PROG_LOAD`). The kernel's `COPYING` carves "user programs that use kernel services by normal system calls" out of GPL: the carve-out `ps`, `ls`, and `mount` rely on. + +Apache 2.0 over MIT: + +- Patent grant (§3). Probing eBPF, LSM, IMA, namespaces, and Spectre mitigations is patent-adjacent. Apache 2.0 grants an irrevocable patent license with defensive termination. MIT has none. +- Adopter alignment. Cilium, Tetragon, Tracee, Falco, Pixie, and Inspektor Gadget are Apache 2.0. No compatibility review needed.
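Review bot: in the CHANGELOG hunk, the new entry restates the whole rationale that the README paragraph already carries (uABI posture, `COPYING` carve-out, patent grant, adopter list), whereas the neighbouring release-signing entry keeps the changelog short and links out (`[Verifying releases](README.md#verifying-releases)`). Suggest trimming it to one sentence plus a link to the new heading, e.g. `- README License section: new "Why Apache 2.0" paragraph; see [Why Apache 2.0](README.md#why-apache-20).`, so the two copies cannot drift when the dependency or adopter list changes. The anchor `#why-apache-20` is my assumption from how GitHub slugs the heading text; verify it after the README lands.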
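Review bot: in the README hunk, the parenthetical "MIT; never calls `BPF_PROG_LOAD`" turns a license note into a runtime guarantee, and nothing in this patch adds a test or lint that keeps it true; either drop it from the License section (the license argument only needs "ELF parsing via `github.com/cilium/ebpf` (MIT)") or reference where in the code or CI that property is enforced. Two smaller points in the same paragraph: `uABI` is never expanded in the hunk, so spell it out on first use ("kernel user-space ABI (uABI) only"), and the closing sentence is a fragment after the colon, which reads better as "... out of GPL, the same carve-out that `ps`, `ls`, and `mount` rely on."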