tomcat-users mailing list archives

From David kerber
Subject Re: Legal Risk of Using Tomcat
Date Fri, 07 Sep 2007 17:14:45 GMT
Christopher Schultz wrote:
> Chuck,
> Irvine, Chuck R [EQ] wrote:
>> I hope no one thinks this thread is off topic....
> Actually, this is totally on-topic, and I'd love to see what some others
> have to say. See my response below.
>> There are many in the company I work for that would like to leverage 
>> open source software in general and Tomcat in particular.
>> However, our legal staff resists the idea because of perceived legal
>> risks.
> Specifically, what are they fearing?
>> I know that there are companies who provide indemnification as part
>> of their open source support products, but I wonder to what extent
>> such indemnification is really necessary. Could those that have
>> experience or knowledge in this area please comment?
> It sounds like what your legal folks are looking for is CYA coverage --
> if something breaks spectacularly and loses confidential information or
> whatever, then they don't want to be liable.
My guess was different:  that they were concerned about using software 
that might later be claimed to be covered by somebody else's patent, 
like M$ has been threatening with Linux.  If my guess is correct, then I 
seriously doubt there's anything to worry about there, because Tomcat 
has been written as open source from the beginning, and nobody has ever 
claimed patent rights over it.

> This should be a simple case of risk awareness and mitigation. Insurance
> companies know all about this sort of thing. So do "security" companies,
> and companies that make commercial servers like BEA, etc. I would look
> into something like BEA, for instance, and ask what type of
> indemnification they offer. My guess is that the indemnification works
> /against/ you, rather than /for/ you: they're covering /their/ own
> asses, not yours.
> The bottom line is that everything can be solved with money. You can pay
> someone else to assume the risk. If you pay BEA, you get the app server
> for free (!). If you take Tomcat (for free), you'll have to pay someone
> else to take the risk away from you. They can do their own audit of
> Tomcat and decide how much they trust it not to be a problem, and how
> much it's gonna cost you for them to assume the risk.
> My guess is that /your/ software is more risky than Tomcat. ;)
> -chris
