Posted to users@tomcat.apache.org by "Irvine, Chuck R [EQ]" <Ch...@Embarq.com> on 2007/09/07 17:36:07 UTC

Legal Risk of Using Tomcat

I hope no one thinks this thread is off topic....

There are many in the company I work for that would like to leverage
open source software in general and Tomcat in particular. However,
our legal staff resists the idea because of perceived legal risks. I
know that there are companies who provide indemnification as part of
their open source support products, but I wonder to what extent such
indemnification is really necessary. Could those that have experience or
knowledge in this area please comment? Thanks

Chuck


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Legal Risk of Using Tomcat

Posted by tomcat <tc...@1bigthink.com>.
At 01:19 PM 9/7/2007, you wrote:

> > My guess was different:  that they were concerned about using
> > software
> > that might later be claimed to be covered by somebody else's patent,
> > like M$ has been threatening with Linux.  If my guess is
> > correct, then I
> > seriously doubt there's anything to worry about there, because Tomcat
> > has been written as open source from the beginning, and
> > nobody has ever
> > claimed patent rights over it.
> >
>
>You are right - I think this is the primary concern.

Yes, most likely the M$ vs. Linux and the whole SCO vs Linux and 
Novell deal. It is rather dicey.

Tomcat on Windows would pretty much CYA. However, Tomcat on Linux is 
quite nice and IMHO, more secure (or rather secure-able!). More 
tunable as far as performance too!

Cheers!




Re: Legal Risk of Using Tomcat

Posted by David kerber <dc...@verizon.net>.
Christopher Schultz wrote:
> David,
>
> David kerber wrote:
>   
>> If my guess is correct, then I
>> seriously doubt there's anything to worry about there, because Tomcat
>> has been written as open source from the beginning, and nobody has ever
>> claimed patent rights over it.
>>     
>
> Well, it started out as Apache JServ, which came from Sun's original
> reference implementation. At this point, I'm pretty sure there's neither
> JServ code nor Sun code left in Tomcat.
>
> Besides, if the application is written properly, you can always switch
> vendors relatively easily, right? Tomcat is one of the easiest vendors
> to switch away /from/ since there's not much in the way of crazy add-on
>   
Good point.

> services. Just imagine trying to leave BEA or Oracle when they've got
> their classes all up in your business. :(
>
> - -chris
>   





Re: Legal Risk of Using Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
David,

David kerber wrote:
> If my guess is correct, then I
> seriously doubt there's anything to worry about there, because Tomcat
> has been written as open source from the beginning, and nobody has ever
> claimed patent rights over it.

Well, it started out as Apache JServ, which came from Sun's original
reference implementation. At this point, I'm pretty sure there's neither
JServ code nor Sun code left in Tomcat.

Besides, if the application is written properly, you can always switch
vendors relatively easily, right? Tomcat is one of the easiest vendors
to switch away /from/ since there's not much in the way of crazy add-on
services. Just imagine trying to leave BEA or Oracle when they've got
their classes all up in your business. :(

- -chris



Re: Legal Risk of Using Tomcat

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Irvine, Chuck R [EQ] wrote:
>> My guess was different:  that they were concerned about using 
>> software 
>> that might later be claimed to be covered by somebody else's patent, 
>> like M$ has been threatening with Linux.  If my guess is 
>> correct, then I 
>> seriously doubt there's anything to worry about there, because Tomcat 
>> has been written as open source from the beginning, and 
>> nobody has ever 
>> claimed patent rights over it.
>>
>>     
>
> You are right - I think this is the primary concern.
>   
If that is the case, you can get a commercial bundle of Tomcat from
companies like www.covalent.net (and there are others) that offer the
CYA they are looking for.

Filip



RE: Legal Risk of Using Tomcat

Posted by "Irvine, Chuck R [EQ]" <Ch...@Embarq.com>.
> My guess was different:  that they were concerned about using 
> software 
> that might later be claimed to be covered by somebody else's patent, 
> like M$ has been threatening with Linux.  If my guess is 
> correct, then I 
> seriously doubt there's anything to worry about there, because Tomcat 
> has been written as open source from the beginning, and 
> nobody has ever 
> claimed patent rights over it.
> 

You are right - I think this is the primary concern.




Re: Legal Risk of Using Tomcat

Posted by David kerber <dc...@verizon.net>.
Christopher Schultz wrote:
> Chuck,
>
> Irvine, Chuck R [EQ] wrote:
>   
>> I hope no one thinks this thread is off topic....
>>     
>
> Actually, this is totally on-topic, and I'd love to see what some others
> have to say. See my response below.
>
>   
>> There are many in the company I work for that would like to leverage 
>> open source software in general and Tomcat in particular.
>> However, our legal staff resists the idea because of perceived legal
>> risks.
>>     
>
> Specifically, what are they fearing?
>
>   
>> I know that there are companies who provide indemnification as part
>> of their open source support products, but I wonder to what extent
>> such indemnification is really necessary. Could those that have
>> experience or knowledge in this area please comment?
>>     
>
> It sounds like what your legal folks are looking for is CYA coverage --
> if something breaks spectacularly and loses confidential information or
> whatever, then they don't want to be liable.
>   
My guess was different:  that they were concerned about using software 
that might later be claimed to be covered by somebody else's patent, 
like M$ has been threatening with Linux.  If my guess is correct, then I 
seriously doubt there's anything to worry about there, because Tomcat 
has been written as open source from the beginning, and nobody has ever 
claimed patent rights over it.



> This should be a simple case of risk awareness and mitigation. Insurance
> companies know all about this sort of thing. So do "security" companies,
> and companies that make commercial servers like BEA, etc. I would look
> into something like BEA, for instance, and ask what type of
> indemnification they offer. My guess is that the indemnification works
> /against/ you, rather than /for/ you: they're covering /their/ own
> asses, not yours.
>
> The bottom line is that everything can be solved with money. You can pay
> someone else to assume the risk. If you pay BEA, you get the app server
> for free (!). If you take Tomcat (for free), you'll have to pay someone
> else to take the risk away from you. They can do their own audit of
> Tomcat and decide how much they trust it not to be a problem, and how
> much it's gonna cost you for them to assume the risk.
>
> My guess is that /your/ software is more risky than Tomcat. ;)
>
> - -chris


Re: Legal Risk of Using Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

Irvine, Chuck R [EQ] wrote:
> I hope no one thinks this thread is off topic....

Actually, this is totally on-topic, and I'd love to see what some others
have to say. See my response below.

> There are many in the company I work for that would like to leverage 
> open source software in general and Tomcat in particular.
> However, our legal staff resists the idea because of perceived legal
> risks.

Specifically, what are they fearing?

> I know that there are companies who provide indemnification as part
> of their open source support products, but I wonder to what extent
> such indemnification is really necessary. Could those that have
> experience or knowledge in this area please comment?

It sounds like what your legal folks are looking for is CYA coverage --
if something breaks spectacularly and loses confidential information or
whatever, then they don't want to be liable.

This should be a simple case of risk awareness and mitigation. Insurance
companies know all about this sort of thing. So do "security" companies,
and companies that make commercial servers like BEA, etc. I would look
into something like BEA, for instance, and ask what type of
indemnification they offer. My guess is that the indemnification works
/against/ you, rather than /for/ you: they're covering /their/ own
asses, not yours.

The bottom line is that everything can be solved with money. You can pay
someone else to assume the risk. If you pay BEA, you get the app server
for free (!). If you take Tomcat (for free), you'll have to pay someone
else to take the risk away from you. They can do their own audit of
Tomcat and decide how much they trust it not to be a problem, and how
much it's gonna cost you for them to assume the risk.

My guess is that /your/ software is more risky than Tomcat. ;)

- -chris


Re: Legal Risk of Using Tomcat

Posted by David Delbecq <de...@oma.be>.
This indemnification all depends on the contracts you have with your
client and the supported hardware you need.
Tomcat and the Apache foundation in particular do not give any warranty on
this product. It's free, but if you sell products
based on it, you assume the needed responsibility. Note that I wouldn't
think it very different if you used a commercial product in it; the
vendor could tell you, when you have a prob with your client, that you
didn't use it as it was meant to.

One way I have seen Tomcat used here as a commercial product
(Tomcat+application bundle): the company sold us the application + the
small server it would run on. This way they had full control of the Tomcat
environment and could give us support for the application, including any
problem that may arise in Tomcat. On the other hand, we are not allowed
to deploy anything else on that server :) .


At the precise moment of 07/09/07 17:36, Irvine, Chuck R [EQ] expressed himself
in these terms:
> I hope no one thinks this thread is off topic....
>
> There are many in the company I work for that would like to leverage
> open source software in general and Tomcat in particular. However,
> our legal staff resists the idea because of perceived legal risks. I
> know that there are companies who provide indemnification as part of
> their open source support products, but I wonder to what extent such
> indemnification is really necessary. Could those that have experience or
> knowledge in this area please comment? Thanks
>
> Chuck
>


-- 
http://www.noooxml.org/




Re: Legal Risk of Using Tomcat

Posted by Joshua Fielek <jf...@centriccrm.com>.
A good resource would be: http://www.opensolutionsalliance.org/

There are lots of knowledgeable people for the various licensing models. 
You'll have to register, but all it takes is an email address to do so.

After that, check out Community->forums and ask away.

Thanks,
J

For the most part, AFAIK, Tomcat

Irvine, Chuck R [EQ] wrote:
> I hope no one thinks this thread is off topic....
> 
> There are many in the company I work for that would like to leverage
> open source software in general and Tomcat in particular. However,
> our legal staff resists the idea because of perceived legal risks. I
> know that there are companies who provide indemnification as part of
> their open source support products, but I wonder to what extent such
> indemnification is really necessary. Could those that have experience or
> knowledge in this area please comment? Thanks
> 
> Chuck
> 

-- 
Joshua J. Fielek
Sr. Software Engineer
Centric CRM
223 East City Hall Ave., Suite 212
Norfolk, VA 23510
Phone  : (757) 627-3002x6656
Mobile : (757) 754-4462
Fax    : (757) 627-8773
Email  : jfielek@centriccrm.com
http://www.centriccrm.com




RE: Legal Risk of Using Tomcat

Posted by "Irvine, Chuck R [EQ]" <Ch...@Embarq.com>.

> -----Original Message-----
> From: Len Popp [mailto:len.popp@gmail.com] 
> Sent: Friday, September 07, 2007 12:57 PM
> To: Tomcat Users List
> Subject: Re: Legal Risk of Using Tomcat
> 
> 
> Do your lawyers have the same reluctance about proprietary 
> software? If not, why not? There have been more patent 
> lawsuits against users of proprietary software than against 
> users of open-source software (from what I've seen in the press).

Good question. Their concern is with regard to both commercial and open
source software. However, they are especially concerned with open source
since they believe there is less control over content than is present in
commercial software. Also, since source code is readily available for
open source applications, it's easier to determine whether it infringes
patents, etc.




Re: Legal Risk of Using Tomcat

Posted by Len Popp <le...@gmail.com>.
Do your lawyers have the same reluctance about proprietary software?
If not, why not? There have been more patent lawsuits against users of
proprietary software than against users of open-source software (from
what I've seen in the press).
-- 
Len

On 9/7/07, Irvine, Chuck R [EQ] <Ch...@embarq.com> wrote:
> I hope no one thinks this thread is off topic....
>
> There are many in the company I work for that would like to leverage
> open source software in general and Tomcat in particular. However,
> our legal staff resists the idea because of perceived legal risks. I
> know that there are companies who provide indemnification as part of
> their open source support products, but I wonder to what extent such
> indemnification is really necessary. Could those that have experience or
> knowledge in this area please comment? Thanks
>
> Chuck
>


Re: Legal Risk of Using Tomcat

Posted by je...@loukasmgmt.com.

   Sounds like your legal department is worried that if the technology
team screws up they will not have anyone to blame.  If you really want
to have someone else do your set up and implementations then you need
to find a consulting firm that has that type of clause in their
contract.  (See http://www.covalent.com/ etc...)  Other than laying
responsibility at the feet of those that complete your project, there
is no legal precedent for suing an open source product.  It is 100%
downloader beware....

   -JL

   Quoting "Irvine, Chuck R [EQ]" <Ch...@Embarq.com>:

> I hope no one thinks this thread is off topic....
>
> There are many in the company I work for that would like to leverage
> open source software in general and Tomcat in particular. However,
> our legal staff resists the idea because of perceived legal risks. I
> know that there are companies who provide indemnification as part of
> their open source support products, but I wonder to what extent such
> indemnification is really necessary. Could those that have experience or
> knowledge in this area please comment? Thanks
>
> Chuck
>



RE: Legal Risk of Using Tomcat

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Irvine, Chuck R [EQ] [mailto:Chuck.R.Irvine@Embarq.com] 
> There are many in the company I work for that would like to leverage
> open source software in general and Tomcat in particular. However,
> our legal staff resists the idea because of perceived legal risks. I
> know that there are companies who provide indemnification as part of
> their open source support products, but I wonder to what extent such
> indemnification is really necessary.

[Disclaimer: I Am Not A Lawyer, I've just worked with several of them on
various OSS issues.  Disregard this message if the legal framework in
your country is not precedent-based]

Without knowing *which* risks your legal staff are concerned about, it's
difficult to comment specifically.  The biggest risk I've seen lawyers
concerned about goes roughly as follows:

- Open Source software was not covered in my course, there is no
specific primary legislation, there have been few cases through <insert
top court of country concerned> and there is therefore little precedent
to go on;

- Therefore if I recommend for it I will be risking my career, whereas
if I recommend against it I will not;

- I am a lawyer, I am self-selected to be risk averse, therefore I will
recommend against it.

To an extent, this is fair enough.  OSS licensing is a new area.  Test
cases are sparse, and therefore it's genuinely difficult for lawyers to
know which way the courts will rule when such cases do come through.
Therefore the risks *are* somewhat higher than with commercial software,
where there's decades or centuries of precedent to go on.

The risks can typically be addressed for any given product, for example
by sourcing it from a company that provides support and indemnification,
*if* you can get the legal team to state precisely what the risks are.
I'm guessing you won't get a clear statement of the risks out of them,
or it'll take a long time as they research the issues.

		- Peter
