I found this pretty good brief review by the American Bar Association’s Software Licensing Committee that discusses the potential legal issues involved with open source.
Legal and Other Risks Associated with Open Source
Along with the many benefits of open source, however, come a number of risks. Perhaps the most obvious risk is potential liability for intellectual property infringement. The typical open source project is a grass-roots effort that contains contributions from many people. This method of development can be worrisome from an intellectual property standpoint because it creates multiple opportunities for contributors to introduce infringing code and makes it almost impossible to audit the entire code base. The risks of this development process are largely borne by the licensees. Contributors do not vouch for the cleanliness of the code they contribute to the project; in fact, the opposite is true — the standard open source license is designed to be very protective of the contributor. The typical license form does not include any intellectual property representations, warranties or indemnities in favor of the licensee; it contains a broad disclaimer of all warranties that benefits the licensor/contributors.
Even if such representations and warranties or indemnity obligations existed in open source license agreements, it would be difficult if not impossible to recover against the licensor for having licensed infringing code. Many of the most prominent open source projects appear to be owned by thinly-capitalized non-profit entities that do not have the financial wherewithal in most cases to answer for a massive intellectual property infringement suit.
The shifting of all risk for intellectual property infringement to the licensee is somewhat atypical for the commercial software world. Most for-profit software companies would require some level of contractual assurances from a licensor of software technology that such technology does not infringe intellectual property rights. By receiving such contractual assurances, the licensee shifts some or all of the risk of an intellectual property lawsuit onto the licensor, assuming of course the licensor’s capability to honor its obligations.
Open source licenses also do not contain the kinds of representations and warranties of quality or fitness for a particular purpose that commercial software vendors sometimes negotiate into agreements among themselves. Again, the process of developing open source software can contribute to problems in this area. Some open source software projects, such as the Linux initiative, have one or more stewards who monitor code quality and track bugs. Other initiatives, however, are really more the product of weekend and after-hours hobbyists and do not enjoy the same code quality and rigorous testing protocol. Without contractual commitments of quality or fitness, the licensee must accept the risk that the software contains fatal errors, viruses or other problems that may have downstream financial consequences.
Companies looking to build a business on open source software also need to consider the problems associated with creating derivative works. Some open source license forms, such as the GPL, require licensees to provide free copies of their derivative works in source code form for others to use, modify and redistribute in accordance with the terms of the license agreement for the unmodified program. This licensing term is advantageous for the free software community because it ensures that no for-profit company can “hijack” the code base from the community. On the other hand, this licensing term makes it very difficult for companies in the commercial software business to use such open source software as a foundation for a business. These companies must be concerned that their “value added” programs might some day be viewed as “derivative works” and need to be made available to the world in source code form for free.
While the copyright attribution and notice requirements in open source licenses are relatively innocuous as compared to the issues outlined above, they nevertheless can become burdensome for the commercial software vendor. Some open source projects have multiple contributors and modules that have been created under various licensing forms. According to the terms of most open source licenses, the licensee must give each of these contributors full copyright attribution and reproduce the entire text of the license agreements for the open source code included in the product. These notices and licenses can clutter up documentation files and confuse end user customers.