There have been lots of discussions about licenses among the Cocoon team recently, and I've been confronted with the same problematic with a new customer doing business in legally sensitive areas.

Every company should ask themselves which Open-Source licenses are ok for them: I have suggested to my customer that they establish a list of such licenses, or rather two lists: one for internal use of software and one for redistribution of software to customers. Find out what your rights and obligations are in the various situations where you use or ship software.

It boils down to just a few license families (Apache, BSD, GPL, LGPL, etc.) so it's not that hard to create such lists. Later, you won't need endless discussions about whether code from project X or Y can be included in your shipped product.

It's not hard to be clean about licenses, even when distributing commercial software. It's just another of those things that you must consider upfront when starting to use new tools: find out about your rights and obligations to avoid problems down the road.

People should just do their homework, and not expect projects like Cocoon, which aggregate a lot of software from various projects and sources, to sort out all the legal issues for them.

Is this all evident? It should, but considering for example my county's recent lighweight treatment of the ASF license (i.e. grab the code, ship it, you're fine) it doesn't look so evident for many people.