Comment by bionsystem

4 years ago

You are being downvoted but I actually think there are some fair points that you are making.

We use a lot of FOSS in our company. We pay licenses and contribute very little (our job isn't to improve gitlab or docker, we are shipping a software product on top of that), but I wouldn't know where exactly we are in the legal-illegal spectrum to save my life.

I consider myself an employee, not an entrepreneur. If I were an entrepreneur, I sure would happily seek legal advice on what exactly is fair use of open source. But really, I wouldn't know who to trust on the free advice market to figure out what I'm allowed and not allowed to do when starting up. I have absolutely 0 interest in legal stuff and it's mostly scary and confusing to me (and that's probably why I don't do any entrepreneurship, not even a side hustle in consulting), and I wish I and other salarymen would be given a break about what the company is doing.

Nutanix shouldn't do what they are doing, but I don't think engineers should be to blame. At the end of the day, if an employee had to go through everything that the company might not do perfectly right before deciding on a job, we would work nowhere. I wouldn't work for Oracle, but where to draw the line exactly?

If your job is to pick the dependencies, your job is also to understand what picking those dependencies means.

It rings hollow to throw your hands up at the license part and say - “not my job”. It is. Understanding the legal risk of that dependency is as important as understanding the technical risk.

If your company doesn’t have a license policy, ask for a lawyer to draft that. But I’ve worked at some pretty penny-ante companies before and even they had an acceptable license policy.

If yours truly doesn’t have one, part of your job as the person building the software is to get one drafted.

  • Engineers generally have the responsibility of picking dependencies subject to legal constraints - they have zero understanding or inclination to understand licensing terms. That's generally fine at companies with established legal departments. The enforcement of legal constraints is done by the legal department, which will usually employ at least one full-time counsel who specializes in IP law, and it is generally completely outside engineers' purview. In fact, this is Standard Operating Procedure at almost every company of this size, including at Nutanix, which is a mid-size, public, enterprise hardware/software company whose shares are traded on NASDAQ.

    It's really not the engineers' job to pick the dependencies per se, but to pick them subject to constraints that are laid out by management. There is certainly no ethical quandary or abdication of moral responsibilities in this setup: engineers will pick among choices that are pre-vetted by people who know the legal ramifications best and have a fiduciary responsibility to shareholders to make sure the company does not run afoul of applicable law.

Engineers need to ask legal for a license review. You as an engineer may not understand every aspect of it, but your legal team should make it clear. It’s the same at most places. Licenses are included with the source code, it’s not that hard to bump it up to legal to understand your responsibilities of including it in the product.

OTOH - if the engineer did that and received flawed guidance, then it’s a legal issue and not the engineer’s issue. I guess the question is whether the legal review of all FOSS licenses in the product was done.