Comment by watwut
24 days ago
> Legal had to verify that there was no licensed library code used
Your company did not track library licenses in the first place?
Consider that there might be a difference between knowing which licensed libraries you used and verifying that your usage of them fully complied with the current license terms when releasing the source code. For example, licensing a library for binary distribution might not cover releasing a copy of a header file, modified copy of something you got from support before a bug fix made it into a release, some random utilities used for preprocessing data, etc. even though for years your developers might not have made the distinction because it wasn’t open source when they were actively working on it.
Also, every company I've ever worked at, including ones producing regulated products like medical or home appliances, uses the bureaucracy to take the stance of "Considered Risk". Rather than spending all the time knowing for sure they comply, they make a "best effort" (the level of which varies a lot by company and industry) and bank on never getting closely questioned about the specifics. Releasing publicly is exactly that "closely questioned about the specifics" though.
This is a non-problem. We use libraries with standard licenses and there is a finite set of them - like 4. And I work on fairly large software.
If your company has issues achieving this, then it was simply not complying with those licenses.
You can go through all licenses just by checking their list in maven. None of that is hard or expensive.
We have considerably more than 4, some of which are custom works of companies which have been selling under their terms since the 80s. No, I don’t think it’s a huge problem but if you have a lawyer who doesn’t at least want to check, you need a better lawyer.
Historically, the game industry often enough wasn't even able to track the final source code of their past releases.