Law and order on the open-source range

05.12.2005

When you do need to combine your application code with open-source code, say, by making library calls to it, the Library GPL (LGPL) is an ideal license, suggests Michael Mullis. He's the chief technology officer at Scientific Games Corp. in New York, which provides lottery software to state governments. The LGPL permits calling the open-source code from a stored library in your application.

Mullis adds that even if your company has a group like Fidelity's OSSC and you follow stringent best practices and employ zealous technical leads to apply them, you still must audit your code for open-source license transgressions. Your oversight group needs to establish milestones where audits should take place throughout the software cycle.

That central group needs to have real authority, says Diane Peters, general counsel at Open Source Development Labs Inc. in Beaverton, Ore. For example, if you're involved in a project to deliver software tools to your customers or supply chain and the group has concerns about license obligations, it should have the power to stop the project in its tracks, she says.

Mullis recalls an incident at a prior employer when a contractor, who was not aware of the open-source-use policies, included some free code in an application. Had Mullis not discovered it, his former company would have had to reveal its entire proprietary source code to the world. "It would have been a serious legal problem," he says.

Fingerprints