When we think about the implications of non-compliance with F/OSS licensing the considerations tend to be around legal exposure and concern that the conditions of a reciprocal license, e.g. the GPL, may propagate into proprietary code. When risk is assessed it is usually in terms of the possibility of litigation and the associated costs, and/or the weakening of business models that are based upon exercising exclusive rights in connection with associated proprietary IP.
However, a lot of damage can be done without a case ever going to court and without any ruling that you must open up your proprietary technology and provide it for use by all via a liberal licence. Firstly, even if you are not subject to litigation there is always the risk of brand damage. Secondly, a healthy relationship with the communities that produce the software your business depends upon will become increasingly important in the future. Companies are beginning to appreciate that to unlock the real potential in F/OSS you have to participate -- we are moving to a hybrid creator/consumer world and innovation is no longer the reserve of vendors. And you want to really lower your costs? You can, if you are prepared to get your hands a little dirty and assume some level of risk. But guess what, you'll need to be part of the community and not on the periphery.
Just this week a third concern in connection with licence violation came to my attention: damage to the health or possible death of a community you depend upon. For example, the creator of the AKRip32 CD digital audio extraction library has ceased development due to alleged violations of its licence, the LGPL:
"All current development of AKRip has been discontinued due to increasing amounts of license violations. This library is my work, and it is copyrighted. The library may be used in commercial applications, but in all cases under the terms of the LGPL. Specifically:
- A copy of the license (LGPL) must be prominently included
- The source code to the library must be included, or at least a link where it can be downloaded
- Derivative works and modified versions must be so marked, and my copyright notice must remain on the source code
It is not permissible to take the code, recompile it, change the name of the resulting DLL and remove my copyright notices."
This to my mind is the worst possible outcome from licence violation, as absolutely everybody loses. The project becomes orphaned - no longer maintained, and downstream consumers need to do one of: 1) take on maintenance of the code (at what cost?), 2) re-engineer their technology to make it use something else (at what cost?) or 3) stick to the last release and pray they never have a problem with it, or that it requires updating due to a security advisory or change in an upstream dependency (at what risk?)
So, next time you are assessing the risks associated with licence violation, take care to ensure that you consider that the ramifications may extend way beyond simply legal exposure.