[bad416f1f5a2]

If your job is to pick the dependencies, your job is also to understand what picking those dependencies means.

It rings hollow to throw your hands up at the license part and say - “not my job”. It is. Understanding the legal risk of that dependency is as important as understanding the technical risk.

If your company doesn’t have a license policy, ask for a lawyer to draft that. But I’ve worked at some pretty penny-ante companies before and even they had an acceptable license policy.

If yours truly doesn’t have one, part of your job as the person building the software is to get one drafted.

[rmk]

Engineers generally have the responsibility of picking dependencies subject to legal constraints - they have zero understanding or inclination to understand licensing terms. That's generally fine at companies with established legal departments. The enforcement of legal constraints is done by the legal department, which will usually employ at least one full-time counsel who specializes in IP law, and it is generally completely outside engineers' purview. In fact, this is Standard Operating Procedure at almost every company of this size, including at Nutanix, which is a mid-size, public, enterprise hardware/software company whose shares are traded on NASDAQ.

It's really not the engineers' job to pick the dependencies per se, but to pick them subject to constraints that are laid out by management. There is certainly no ethical quandary or abdication of moral responsibilities in this setup: engineers will pick among choices that are pre-vetted by people who know the legal ramifications best and have a fiduciary responsibility to shareholders to make sure the company does not run afoul of applicable law.