Health warning: I am only passing on here my understanding of the legal issues relevant to OSS products, I am no lawyer!
Sadly few IT managers will be any better equipped than me, but as risk managers they will inevitably have to become more legally aware than in the past. The cause of this emphasis on legal issues is the growth of OSS products in the commercial market. The threat that OSS products have made to Microsoft, Oracle, etc., not to mention SCO, has lead to the use of legal issues to frighten potential users to deter them from switching from expensive proprietary products to more effective OSS alternatives.
Before looking further into the legal aspects it is worth reminding potential OSS users that this is not the only issue in making a choice. OSS products are not free! They still need support, maintenance, documentation, training, etc. and they may not be as robust or reliable. Because Apache has proved more robust than the Windows Web servers does not automatically mean that all other OSS products are similarly superior!
The legal issues are related to licensing and patents. OSS products are developed by networks of programmers, most of whom have a normal job with a conventional software company. Tracing the IPR of such a complex system is very difficult and even more difficult to trace a guilty individual. Thus the legal emphasis is placed on the retail and the user communities. The legal risk is split between the developer and distributors on one hand and the users on the other. A development audit is crucial, but so too are the licensing terms (the users). This in fact is true of any software product, but the scale of the potential problems is so much bigger with OSS than with proprietary code, hence the current emphasis on legal issues.
There are three licensing models in common use for OSS, which with the usual variants gets very confusing. Today the Open Source Initiative (OSI) sets the rules, largely derived from the original licensing scheme (GNU).
The "purest" license is the GNU General Public License (GPL). All users have the right to change and distribute the source code, but they must make all changes and additions public as well. This caused problems for a lot of developers, particularly those with an existing proprietary product that they wished to move into the OSS world but with some protection. Thus the MPL license allows a developer to use GPL code but to add their own proprietary code. There is also a "dual licensing" alternative in which different terms are offered for the same software. A customer can then choose whether they want to pay for the full proprietary version or an open version with community support and development. The flexibility to switch between models is an interesting option. This model, e.g. Sun Solaris, is an increasingly popular one. It is important to remember that there are only limited warranty rights associated with GPL products, nor is there any indemnity protection against infringement of IPR.
Due diligence is required form both users and developers. Some developers such as Novell and Red Hat are now offering indemnity to customers against SCO, which means that they are taking responsibility for the "purity" of their code, taking a lot of strain off the end-users. Nevertheless end-users must still be aware of possible implications. One attraction to some users of OSS products is to make modifications for their own in-house use, but they must be careful that this does not creep into products and services.< BR>
Martin Healey, pioneer development Intel-based computers en c/s-architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.