Comment by acdha
24 days ago
Consider that there might be a difference between knowing which licensed libraries you used and verifying that your usage of them fully complied with the current license terms when releasing the source code. For example, licensing a library for binary distribution might not cover releasing a copy of a header file, modified copy of something you got from support before a bug fix made it into a release, some random utilities used for preprocessing data, etc. even though for years your developers might not have made the distinction because it wasn’t open source when they were actively working on it.
Also, every company I've ever worked at, including ones producing regulated products like medical or home appliances, uses the bureaucracy to take the stance of "Considered Risk". Rather than spending all the time knowing for sure they comply, they make a "best effort" (the level of which varies a lot by company and industry) and bank on never getting closely questioned about the specifics. Releasing publicly is exactly that "closely questioned about the specifics" though.
This is a non-problem. We use libraries with standard licenses and there is a finite set of them - like 4. And I work on fairly large software.
If your company has issues achieving this, then it was simply not complying with those licenses.
You can go through all licenses just by checking their list in maven. None of that is hard or expensive.
We have considerably more than 4, some of which are custom works of companies which have been selling under their terms since the 80s. No, I don’t think it’s a huge problem but if you have a lawyer who doesn’t at least want to check, you need a better lawyer.
This is actually something that a law requiring source code releases would end up improving though as those companies would be forced to standardize their licenses or find themselves without customers.