| Software tool aims to assess IP risks of re-used code |
Apr. 08, 2004
Black Duck Software is beta testing a software product that aims to help Linux developers assess the intellectual property (IP) risks associated with the re-use of program code. The company expects to ship in mid-May its Black Duck product, comprising a giant database of software source code and associated licensing information, and a client-server source code comparison tool.
According to CEO Doug Levin, Black Duck was founded in part with embedded Linux developers in mind. Levin notes, "Over the last couple of years, companies that embedded developers are working for -- telcos, consumer electronics companies, etc. -- have sensitized them to the need to respect licenses irrespective of the fact that code gets embedded."
Black Duck also targets enterprise developers and software and device vendors.
Black Duck does not offer insurance or indemnification services against copyright infringement suits, such as have been offered by Open Source Risk Management, Novell, Red Hat, and the OSDL, although it may in time partner with insurance providers, according to Levin. Rather, Black Duck software simply aims to help developers and managers find re-used code and discover its licensing terms.
Black Duck was designed as a software solution because many corporations are "reluctant to have source code leaving the premises," according to Levin. The Black Duck server installation requires 200GB of storage. Several client applications are available, including a command-line tool and an Eclipse plugin.
The database and server application
According to CTO Palle Pedersen, Black Duck's database contains "fingerprints" of "a very large number" of software packages. The fingerprints contain hashes and checksums that enable matches to be detected even in cases where the re-used code has been modified to a fairly high degree. "It will put more of an obstacle on people who intend to steal code. If a thousand data points are being checked on, we only have to find one of them."
Still, admit Pedersen and Levin, Black Duck is mainly intended to discover unintentional, rather than willful code misuses. Intentionally obfuscated code could be snuck past Black Duck, with a great deal of work. "But, then, it might not be a copyright violation any more, in that case," says Pedersen.
According to Levin, Black Duck employs a team of analysts who spider the Web in search of program source code and licenses. The company also employs a team of attorneys specializing in open source law to interpret the data.
Black Duck pushes source code and license updates out to its customer databases using technology "a lot like Norton anti-virus," according to Levin. "Most companies will allow us to do the automatic updates. We send it in through port 80. It runs in the background, and developers are not really aware of update process. Although, there are separate views of the updates which have occured for the administrator or key users."
Levin adds that updates are "periodic," and can't be predicted. "We might have three updates one week, and 16 the next," he says.
The client-side application
Black Duck includes command-line and Eclipse-based clients designed to fit easily into developers' work flow, according to Pedersen: "The clients work at a speed similar to other development tools, such as compilers." Pedersen adds that scanning a 20-30k source code file happens "nearly instantaneously."
"It's designed not to be an encumbrance," adds Levin.
Black Duck provides a punchlist of licensing issues
(Click to enlarge)
False positives are also possible, given the high granularity of the inspection process, but can be "marked off so they don't show up everytime," according to Pedersen.
Black Duck identifies applicable source licenses, including user-added licenses
(Click to enlarge)
In addition to re-used software detection, Black Duck provides licensing information and complete license text for over 150 software licenses, including "OSI-approved licenses, non-open-source approved licenses, and some proprietary licenses from Intel and Oracle and others," according to Levin. The software also lets customers add their own source code files and licenses.
Black Duck knows about hundreds of source code licenses
(Click to enlarge)
"Black Duck enables managers, attorneys, business development, finance people and executives to view data that accumulates as a result of developers using open source software," says Levin.
Black Duck shows dynamic view of threats over time
(Click to enlarge)
Asked if Black Duck itself was based on any re-used code, such as MySQL or Postgres, Pedersen replied, "Generally, we have created it as a proprietary platform. We are running on our own software."
The bottom line
Levin recommends that Black Duck be used in conjunction with a Open Source Software (OSS) best practices that include involving attorneys early on, setting up an internal OSS review board with frequent meetings, and management developing a questionaire for developers about their use of OSS and its benefits.
Levin says that Black Duck has been beta testing for seven weeks, at 30 large customer sites. He notes that a company in Asia was able to use the beta version to discover copyright violations in work it contracted from a third-party.
The final version of Black Duck is expected to ship in mid-May, and will be available to enterprise customers for about $1,000 per seat, with volume licensing discounts available. Separate licensing models will be offered to vendors, consulting firms, and university customers.
Related Stories:
(Click here for further information)
|
|
|
FUEL Database on MontaVista Linux
Whether building a mobile handset, a car navigation system, a package tracking device, or a home entertainment console, developers need capable software systems, including an operating system, development tools, and supporting libraries, to gain maximum benefit from their hardware platform and to meet aggressive time-to-market goals.
Breaking New Ground: The Evolution of Linux Clustering
With a platform comprising a complete Linux distribution, enhanced for clustering, and tailored for HPC, Penguin Computing¿s Scyld Software provides the building blocks for organizations from enterprises to workgroups to deploy, manage, and maintain Linux clusters, regardless of their size.
Data Monitoring with NightStar LX
Unlike ordinary debuggers, NightStar LX doesn¿t leave you stranded in the dark. It¿s more than just a debugger, it¿s a whole suite of integrated diagnostic tools designed for time-critical Linux applications to reduce test time, increase productivity and lower costs. You can debug, monitor, analyze and tune with minimal intrusion, so you see real execution behavior. And that¿s positively illuminating.
Virtualizing Service Provider Networks with Vyatta
This paper highlights Vyatta's unique ability to virtualize networking functions using Vyatta's secure routing software in service provider environments.
High Availability Messaging Solution Using AXIGEN, Heartbeat and DRBD
This white paper discusses a high-availability messaging solution relying on the AXIGEN Mail Server, Heartbeat and DRBD. Solution architecture and implementation, as well as benefits of using AXIGEN for this setup are all presented in detail.
Understanding the Financial Benefits of Open Source
Will open source pay off? Open source is becoming standard within enterprises, often because of cost savings. Find out how much of a financial impact it can have on your organization. Get this methodology and calculator now, compliments of JBoss.
Embedded Hardware and OS Technology Empower PC-Based Platforms
The modern embedded computer is the jack of all trades appearing in many forms.
Data Management for Real-Time Distributed Systems
This paper provides an overview of the network-centric computing model, data distribution services, and distributed data management. It then describes how the SkyBoard integration and synchronization service, coupled with an implementation of the OMG¿s Data Distribution Service (DDS) standard, can be used to create an efficient data distribution, storage, and retrieval system.
7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.
|
|
|
|
|
news feed