Legal aspects of Open Source in large organisations

Aaron Williamson - Williamson Legal
In this Open Source Readiness session, Aaron Williamson (former General Counsel for FINOS/Symphony Software Foundation) returned to the community to share what he had learned from years of advising financial services and technology firms on open source legal issues. Rather than diving into license minutiae, Aaron focused on “second-order” lessons that emerged once firms had the basics in place: cataloguing open source use, understanding license families, and having a policy framework.
He explained why, for many banks, distribution was the real trigger for most license obligations, and why simply putting correct notices and attributions where users could find them was often the single most important compliance step. Aaron highlighted common gotchas uncovered by compliance scans: proprietary “shareware” libraries that looked like open source but weren’t; the risks of relying on single-vendor “commercial open source” and source-available projects whose licenses and business models could change; and Oracle’s particularly aggressive stance around MySQL and legacy OpenJDK. He also touched on thorny topics from the Q&A, including intra-group distribution between legal entities, container images and AMIs, and how to think about dual-licensed components.
A major theme of the talk was that "open source is people." Aaron stressed the importance of treating maintainers and communities with respect—engaging early before dropping large changes, asking politely for missing licenses, and handling compliance issues with a genuine five-part apology: recognition, responsibility, remorse, restitution, and reform. He closed by urging firms to invest in their open source programs and upstream communities (including security and sustainability efforts) and flagged emerging trends that might reshape the landscape, especially the rise of AI-generated code and the ongoing shift toward source-available models.
Presentation Slides