The debate on Open Source too often centres on “it's free” and on sometimes overstated claims about software quality.
As everybody knows, the cost and risk associated with bringing anything into an enterprise go far beyond the licence costs. For OSS, a big problem is that by its nature it can bypass the controls imposed by procurement and the legal department. This can lead to a range of potential risks, from IP infringement to plain old version control. Of almost equal importance to the actual risk is the fact that the risk associated with OSS can be invisible (as OSS use will often not be tracked the way licensed software is) and therefore undermine the whole of IT risk management.
This article covers one approach to dealing with this issue: specialist software to analyse the Open Source software in use. There are of course more straightforward alternatives. Any vendor supplying OSS as part of a licensed product should be held to account to provide support and ‘handle’ the risk issues. For ‘pure’ OSS, there are plenty of commercial organisations who will provide a degree of quality assurance and service guarantees around projects. It may take away from the “It's free and I won't need to talk to legal and procurement” appeal, but do we really want staff bringing software straight from the web into deployment?