Which of these two tires would you rather have on your car:
- [Tire Company A] If one of our tires randomly bursts, causing you to lose control and injure a 3rd party and you get sued, we’ll provide you legal counsel during the trial and even pay damages awarded against you for up to 4x what you paid for the tires.
- [Tire Company B] We run 190 tests on all our tires to ensure product quality and specifically pay attention to manufacturing issues that could lead to tires bursting.
You said the tires that did both A & B right ;-)
So, what’s more important, legal cover after the fact, or ensuring the OSS product you’re using has gone through a rigorous process to identify and eliminate sticky IP issues.
When we were first coming out with WAS Community Edition (WAS CE), based on Apache Geronimo, our development team took a very long time going through the Geronimo code to ensure we could attribute the right copyrights to severely minimize the chance that a WAS CE customer could get sued for IP infringement issues. I can’t underscore how difficult and how time consuming this effort was for the development team. But, the scans & remediation work was absolutely necessary, and heck our executives and lawyers wouldn’t have let WAS CE out the doors without the work being done. We found a few things that needed to be addressed, wrote new code to remove the possibly hairy code and contributed it back to the Geronimo community. [NOTE: Yep, you're right, I didn't say that this work removes all possibility of a WAS CE customer being sued for IP issues within WAS CE. The team does its best to check the code and the process is very rigorous and the lawyers are intimately involved. Hence, I say "severely minimize the chance...."]
I couldn’t figure out whether your 42-point certification process actually does IP-related scrubbing or whether it’s mainly focused on technical integration and dependency issues. But if OpenLogic does do scans for IP issues and fixes them, then I say make a bigger deal about it. Get the word out to your customers; educate them on why a CYA approach of requiring indemnification doesn’t really address the problem. (And seriously, if the customer is bigger than OpenLogic, they’ll likely use their own legal team wouldn’t they??)
We’ve done this with WAS CE customers and they absolutely understand and value the rigorous IP-related work we do.