Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

Irvine, Chuck R [EQ] wrote:
I hope no one thinks this thread is off topic....

Actually, this is totally on-topic, and I'd love to see what some others
have to say. See my response below.

There are many in the company I work for that would like to leverage open source software in general and Tomcat in particular.
However, our legal staff resists the idea because of perceived legal
risks.

Specifically, what are they fearing?

I know that there are companies who provide indemnification as part
of their open source support products, but I wonder to what extent
such indemnification is really necessary. Could those that have
experience or knowledge in this area please comment?

It sounds like what your legal folks are looking for is CYA coverage --
if something breaks spectacularly and loses confidential information or
whatever, then they don't want to be liable.
My guess was different: that they were concerned about using software that might later be claimed to be covered by somebody else's patent, like M$ has been threatening with Linux. If my guess is correct, then I seriously doubt there's anything to worry about there, because Tomcat has been written as open source from the beginning, and nobody has ever claimed patent rights over it.



This should be simple case of risk awareness and mitigation. Insurance
companies know all about this sort of thing. So do "security" companies,
and companies that make commercial servers like BEA, etc. I would look
into something like BEA, for instance, and ask what type of
indemnification they offer. My guess is that the indemnification works
/against/ you, rather than /for/ you: they're covering /their/ own
asses, not yours.

The bottom line is that everything can be solved with money. You can pay
someone else to assume the risk. If you pay BEA, you get the app server
for free (!). If you take Tomcat (for free), you'll have to pay someone
else to take the risk away from you. They can do their own audit of
Tomcat and decide how much they trust it not to be a problem, and how
much it's gonna cost you for them to assume the risk.

My guess is that /your/ software is more risky than Tomcat. ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4YWK9CaO5/Lv0PARAmJrAJ9N0AoY559zef6nOuVVc5Lk/eeQTgCfbx4d
hS37len1PNQHqJhHrtxKgJc=
=IT8t
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]