How do you combat this sort of thing? My employer is set to impose a software registry upon its employees -- any open source tool, at all, has to be registered. Proprietary but free packages, like Adobe Reader or Opera, do not need to be reported.

I've yet to find a compelling argument against this. Or at least one that's persuasive to our legal department.

How much 'proprietary but free' software is malware, spyware, etc? Using examples of well-known software like Opera or Adobe Reader is a straw-man in favor of the 'OpenSource is bad' argument.

What -- in particular -- does the legal department have against Open Source software? Is FireFox somehow a legal-risk as opposed to Opera? Even though it's been vetted by a larger installed user-base? Or is it just because there is no 'single entity' that they can sue/point fingers at when/if something goes wrong? There are plenty of anonymously authored non-opensource pieces of software out there.

I think that it would make more sense to have either: 1) have to register all software on the list or 2) have to register all 'non-popular' software (i.e. Firefox/Opera ok, random OSS/proprietary software needs to be registered though).

From what I've been able to ascertain, our counsel's primary concern is that the mere availability of the source creates risk in terms of the introduction of copyleft code into our proprietary products. They're also afraid that, were an issue to arise, they wouldn't be able to settle it as a business matter as they would with a large corporation like Adobe or Opera.

We also have a number of customers requiring that we provide indemnification against any open source software infringement claims, which has sent our counsel down the path of wanting a full registry and approval process for all open source software on developer workstations.

The positions I've taken -- the workload, the fact that the registry doesn't adequately protect us from the surreptitious introduction of copyleft code snippets, etc. have all fallen on deaf ears. I'm trying to figure out what other arguments I might be able to bring to the table.

> They're also afraid that, were an issue to arise, they wouldn't be able to settle it as a business matter as they would with a large corporation like Adobe or Opera.

You might remind them that not all proprietary software comes from large corporations and many of the smaller guys might be more willing to pursue the legal 'issues' to the fullest extent of the law.

> The positions I've taken -- the workload, the fact that the registry doesn't adequately protect us from the surreptitious introduction of copyleft code snippets, etc. have all fallen on deaf ears. I'm trying to figure out what other arguments I might be able to bring to the table.

I would point them in the direction of people that have purposely included open source code in proprietary projects (e.g. the recent ScummVM on Wii issue) to try and instill the fact that registering all open source tools that are being used will not protect them from a developer that is trying to 'cut corners.'

If I have Firefox installed on my computer that DOES NOT mean that I have the source code 'at my fingertips' as well. The same could be said of Vim or Emacs. And unless your employer is building developer tools, I doubt that any of your developers is going to try and include code from the Vim or Emacs codebase. It just doesn't make sense.

Follow the new regulations to the letter. Document how much time you waste registering every useful Firefox extension, command-line utility, development library, etc. Include that evidence in your argument against the policy.

It's almost certainly more return on less effort to just find a new employer.

Or perhaps it just feels that way to me, because I really detest environments where one must start paperwork fights with bureaucrats just to get things done.

Yeah, actually I think roc's advice is better. (It was partly red tape this that made me quit Amazon.com to work at a startup.)

Are they providing a "We verified that these things are okay to not register." list or are they saying "If it's a free version of a proprietary program, you don't have to register". If the latter, how do you know that something qualifies? Or rather, what guidelines did they give you for making the decision.

Note that the answer to the latter can not be "you know what we mean".

Note that there's potential liability for proprietary software if you get this wrong while there's no liability for free software if you make a mistake. (The only liability for free software is if it turns out that it's actually proprietary.)