What's The Rule For Embedding Open Source Software?

I just talked with two CIOs who have different takes on embedding open source software in their companies' products. One sees it as standard practice, the other approaches it like a snake in a bag.One gentleman is the CIO of an engine manufacturing company. He says the engineers in his firm regularly embed open source software in the company's products. From what he was saying, it sounded like this was a standard practice in his industry, and that he didn't have much to do with it. Otherwise, his company didn't use much open source software in its IT environment.

The other gentleman is the CIO of a company that provides computing services to financial firms. He says his company is careful to prevent any open source software from creeping into the products and services it sells.

"We try to manage where we use open source software, to manage the IP risk in open source," he says.

Many vendors today have built their software strategies around open source software, like IBM with Linux. And while IBM seems to have beaten down the liability issues around Linux represented by the SCO Group, still there are reasons to be concerned. That's why he says he's careful to keep track of where and how open source software is used within his organization. Also, "anybody can download anything over the Internet," he says.

There's technology that checks software code against known open source projects, like that from Black Duck Software, which CIOs should make it a point to use, he says.

So, what's the rule on embedding open source software in products? Is that a good thing or a bad thing? Or does it vary by industry -- some where it's standard practice and some where it should be approached with caution?