Legal Risk

License Compliance

  • What constitutes an acceptable license depends on the software, the license and the context it is used in.
  • For this reason, it is difficult to get a single party (say, the legal department) to review each license and make a blanket decision on each one.
  • Again, look to tooling to help mitigate this risk. Can a software project's build be failed because the wrong licenses are included in the codebase?
  • See License Compliance Management
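The build-failing check the bullets above ask about, as an added example that is not part of the original page: a small license gate that evaluates each dependency's SPDX license expression against an allowlist and reports violations, so a CI step can fail the build. The dependency list, the allowlist and the function names are constructed for illustration; a real pipeline would feed it license data gathered from an SBOM or package metadata.

```python
"""License gate: fail a build when a dependency's license is not approved.

Added example, not code from the original page. It assumes dependency
licenses have already been collected as (name, SPDX expression) pairs;
the sample data and the allowlist below are constructed for illustration.
"""
import re
import sys

# Hypothetical policy: license identifiers the organisation has approved.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed sample input (package name, SPDX expression), not real data.
SAMPLE_DEPS = [
    ("requests", "Apache-2.0"),
    ("leftpad", "MIT"),
    ("dualgpl", "MIT OR GPL-3.0-only"),        # dual-licensed: one option is fine
    ("strictgpl", "GPL-3.0-only"),             # not on the allowlist
    ("combo", "MIT AND LGPL-2.1-only"),        # AND: every part must be allowed
    ("mystery", ""),                           # no license metadata: fail closed
]

# Tokens: parentheses or bare identifiers; AND/OR are recognised afterwards.
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")


def _parse_or(tokens, pos, allowed):
    # OR has the lowest precedence: any alternative being allowed is enough.
    val, pos = _parse_and(tokens, pos, allowed)
    while pos < len(tokens) and tokens[pos] == "OR":
        rhs, pos = _parse_and(tokens, pos + 1, allowed)
        val = val or rhs
    return val, pos


def _parse_and(tokens, pos, allowed):
    # AND binds tighter than OR: every conjunct must be allowed.
    val, pos = _parse_atom(tokens, pos, allowed)
    while pos < len(tokens) and tokens[pos] == "AND":
        rhs, pos = _parse_atom(tokens, pos + 1, allowed)
        val = val and rhs
    return val, pos


def _parse_atom(tokens, pos, allowed):
    if pos >= len(tokens):
        raise ValueError("unexpected end of expression")
    tok = tokens[pos]
    if tok == "(":
        val, pos = _parse_or(tokens, pos + 1, allowed)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return val, pos + 1
    if tok in ("AND", "OR", ")"):
        raise ValueError(f"unexpected token {tok!r}")
    return tok in allowed, pos + 1


def expression_allowed(expr, allowed=ALLOWED):
    """Return True only if the SPDX expression is acceptable under `allowed`.

    Empty, malformed or unrecognised expressions (including ones using
    constructs this parser does not handle, such as WITH) are rejected so
    that missing or odd metadata fails the build rather than slipping through.
    """
    tokens = _TOKEN.findall(expr or "")
    if not tokens:
        return False
    try:
        val, pos = _parse_or(tokens, 0, allowed)
    except ValueError:
        return False
    return val if pos == len(tokens) else False


def check_licenses(deps, allowed=ALLOWED):
    """Return the (name, expression) pairs that violate the policy."""
    return [(name, expr) for name, expr in deps
            if not expression_allowed(expr, allowed)]


if __name__ == "__main__":
    violations = check_licenses(SAMPLE_DEPS)
    for name, expr in violations:
        print(f"DISALLOWED: {name}: {expr or '<no license metadata>'}")
    # Non-zero exit makes a CI step fail the build on any violation.
    sys.exit(1 if violations else 0)
```

Run as a CI step, the non-zero exit status is what turns the policy into a hard gate; the parser deliberately fails closed on anything it cannot evaluate, which is the safer default when license metadata is missing or malformed.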

Cross-Border Obligations

  • Many organisations are bound by rules on what is allowed to cross their borders. For example, Swiss banks have strong controls in place to make sure no data leaves Switzerland.
  • This is a consideration for code too: code contributed to GitHub is data leaving the organisation, and there may be requirements attached to these obligations.
  • This is another example of why preventing contributions that contain "test data" may be good policy.

Export Regulations

  • In a similar vein, many countries are prevented from selling into certain territories (US/Iran, for example).
  • There are rules in the US about exporting "non-standard crypto" (which might include obfuscated code).
  • Is open source contribution encompassed by "selling"?