EclipseCon Fear is stalking the corridors of corporate power, as executives sweat over the legal exposure caused by developers using open source software.

And the suits are resorting to play-it-safe legal advice and draconian management techniques in a vain attempt to stop open source crossing their frontier. Tactics include blocking popular sites like SourceForge and banning use of USB drives.

And, such is the hysteria, some business mergers have nearly come undone over the acquirees' use of open source.

In all, developers attending this week's EclipseCon must have had their darkest fears - that senior management is out of touch with the development shop floor - confirmed during a lively panel discussion on intellectual property issues and the risks of blending commercial and open source software.

Attending the panel were IBM, BEA Systems, OpenLogic, Black Duck, and Palamida. Yes, you could call this a case of predictable vendor scaremongering to drum up new business, but don't forget some well known open source cases are already on record - Tivo, Linksys/Cisco, and Progress Software versus MySQL, anyone?

What's behind such shenanigans?

According to Palamida co-founder Jeff Luszcz a disconnect exists between managers who set corporate open source policies and developers supposed to follow them, but who end up covering their tracks to make it seem like they are not using open source. Developers, though, end up using open source because of its ubiquity and not using it "puts them at a competitive disadvantage because their competitors are".

An example of the disconnect? OpenLogic director of community and partner programs Stormy Peters, who outlined the measures taken by one company, said: "We had a customer with a policy of no open source. They ended up blocking SourceForge.net, but people started downloading at home on thumb drives. The company then started saying 'no thumb drives'. You can't keep this up!"

Another problem: the increasingly distributed nature of development makes bans impossible, as offshore teams and outsourcing partners employ open source.

Companies running open source also often make the mistake of thinking they are running a relatively benign, commercial-friendly license like BSD when they are actually using GPL, which has limitations on modification and distribution of code.

And that's a problem because 10 per cent of open source code leaks out of development and into final product, meaning companies really are potentially at risk from rightfully aggrieved software authors. In at least one case, an ISV paid a developer after its product shipped because it contained their GPL'd code.

With GPL 3.0 coming, things ain't going to get any easier - especially for Software as a Service (SaaS). Sit up and pay attention Silicon Valley.

SaaS providers should ensure any modified GPL'd software they use is not deliberately or inadvertently downloaded to the user as this could be considered distribution. "No one can make that call until there has been a court case. [Use] is at your own risk. I'd say be very sure you are not distributing that software," Peters said.

What's creating the confusion? Everyone's favorite: license proliferation. Yes, there might be 58 OSI-approved licenses, but there are also thousands of vanity licenses that vary by only tiny degrees - an interesting fact, given Eclipse created its own (OSI-approved) license that happens to be incompatible with the GPL.

Black Duck president and CEO Doug Levin blamed proliferation and general lack of knowledge among the very legal teams management relies on for creating extreme lock down policies. "That stems from attorneys not being fully educated about open source software. This has to change as more information becomes available." Peters agreed: "Open source has a lot of FUD associated with it...it should be a case of weighing up the risks and the reward."

Among the panel's recommendations: educating managers about open source and licenses, regularly reviewing processes, and monitoring donations to the community. ®