15. Are there any legal concerns or ramifications from open source development (on the user, developer, organization)? #15
-
This is often an argument why legal entities (companies) do not want to publish open source. There is a high knowledge gap. Here is a nice overview around this topic: https://opensource.guide/legal/
-
Knowledge gap: PS: ideas can be taken, the content can be re-programmed, basic commands can be copied (no knowledge snippets).
-
There's probably overlap here with the PHUSE OS guidance which talks a lot about licensing considerations.
-
For the topic of what licences are ok for different use cases, that's something we have been actively discussing internally at Roche. As a caveat - currently SaMD work is done in languages like Python (still relevant I assume though). The main concern is that what licences we are ok with depends on the context of the project - e.g. is the delivery a TLG, or is the delivery a commercialised API endpoint (e.g. a prediction model). To respond to this we can ideally stratify our internal Python/R repositories (in our case the repos on PPM), based on the types of licences present. At the pan-pharma level, I'm also hoping the R Validation Hub's regulatory repo will facilitate this as a collective effort.
-
The main concern I hear from legal colleagues (I have no legal qualifications) is that we might be using software with a license that means we need to release all of our code publicly. But this is usually a misplaced concern due to the package/library model. In general, I am only generating brand new code that I developed myself. I am neither modifying nor distributing the source language itself (or any other dependent packages). That goes for any analysis code I write as well as package development (regardless of the fact that any R package that I develop is completely useless without other packages). However, if I were to build and sell a product (e.g. a medical device) that included an R/Python distribution (+ packages) as part of that product, then there are several otherwise permissive licenses that can be restrictive (including GPL-2, as implied in #15 (comment)). The main problem I've come across is where someone starts using packages with specific details that might, say, restrict only for academic usage. These are few and far between but, as a rule, IT teams should be regularly scanning installations to check for such packages.