Firms should set policies on how to deal with the use and distribution of, and contributions to, open source projects, Stormy Peters, director of community and partner programmes with OpenLogic, argued in a session at the Linuxworld conference.
Only 41 per cent of firms currently have some level of open source licensing policy, according to a survey by the company, which sells software that tracks the use of open source applications within a firm.
Such policies range from informal arrangements that require verbal approval
from a company lawyer or open source manager before installing any software, to
formalised policies that list pre-approved software packages or licences.
The lack of open source policies often stems from the complexity of the open source licensing landscape. In addition to 59 official open source licences approved by the Open Source Initiative, there are numerous unofficial open source licences, ranging from a variation of the GPL that bans use in military applications to one called the Free Beer Licence.
Instead of navigating this complex legal minefield, most organisations choose to turn a blind eye to licences, quietly allowing engineers to download and install the software without going through a procurement process.
"Organisations […] know they are saving money and they know they are saving
time. But [ignoring the problem] is really kind of scary at the same time. They
are looking for a way to manage the risk without getting rid of all the money
they are saving," said Peters.
But allowing open source to enter through the back door is rarely a good strategy, she warned, because it could put firms in violation of licensing terms. For instance, a company can use GPL-licensed software such as Linux internally without having to publish the source code. But publication is required once it starts to distribute the software, either to customers or to partners, which include corporate spin-offs.
Firms might also want to avoid licences that require distributors of the code
to provide users and developers with a patent licence.
Companies should therefore create a list of pre-approved open source licences
that have been studied for their requirements and interdependencies, suggested
Peters. The resulting policy should also differentiate between internal and
external use.
Policies can also prevent unpleasant surprises when firms contribute to open
source projects, or when employees participate on discussion lists.
Some firms don't disclose which software they use because that makes it
easier for hackers to target the company or because they don't want to be
singled out in the media for being an early adopter of an unproven technology.
But they can also score points with the open source community if they allow
employees to work on a project or when they submit bug fixes. Having the backing
of a large corporation gives a project more clout if any problems do arise.