Asay explains that restrictions and requirements most often come into play when the entity using the open source code distributes the final software package to someone else.
"If people are just pulling it in and there's zero chance it will make it out the door, no one will know about that use, so you don't have license obligations. Distribution is the trigger that makes the license obligations real," he says.
But in this day and age, when so many IT organizations develop apps for customers to use when interacting with companies, developers may cross that distribution threshold more often than they realize, Asay says. And that could mean legal trouble.
"You have this culture [that thinks] 'Hey, we're free to use it. We can avoid having to reinvent the wheel.' But if you don't follow the license conditions, then the copyright holder can bring an injunction and get statutory damages," Asay says.
Ramaswamy Nagappan, co-CIO at Pershing, says such risks are why open-source software needs as much management as -- if not a bit more than -- commercial software. And that's why Pershing has detailed protocols for when and how it uses open source.
Those protocols first require that the open source code proposed for use undergoes a legal review to check its licensing terms and contribution requirements, and to determine if there's any threat of IP or patent infringement. (Nagappan notes that commercial software also goes through a legal review, but that happens later in the procurement process.)
"Then we do a small pilot. A small team downloads it, they make sure it's working, then goes into the development cycle -- they test it and make sure there's no bug. It's like a proof of concept," he says, noting that IT also looks at the total cost of ownership and compares it against the TCO of comparable commercial products.
If it passes all those checks, the code then becomes part of the company's catalog of open-source options, which are tracked in Pershing's own free and open-source software management application. That ensures that "people don't download something that does the same function as something we already have," he says.
Karim R. Lakhani, an associate professor at Harvard Business School who has extensively studied the emergence of open-source software communities, says more organizations are developing strong management policies, aided by evolving tools and service providers. But more organizations still need to take up the charge.
"IT executives do need to pay attention to this and create an inventory of code they've brought in, with what the licenses are. But most organizations don't have good control over what their obligations are, both to the commercial sector as well as to the open-source sector," he says. But they should, he adds, noting that "software, both open source as well as commercial, comes with a lot of encumbrances."