Black Duck Software is beta testing a software product that aims to help Linux developers assess the intellectual property (IP) risks associated with the re-use of program code. The company expects to ship in mid-May its Black Duck product, comprising a giant database of software source code and associated licensing information, and a client-server source code comparison tool.

According to CEO Doug Levin, Black Duck was founded in part with embedded Linux developers in mind. Levin notes, “Over the last couple of years, companies that embedded developers are working for — telcos, consumer electronics companies, etc. — have sensitized them to the need to respect licenses irrespective of the fact that code gets embedded.”

Black Duck also targets enterprise developers and software and device vendors.

Black Duck does not offer insurance or indemnification services against copyright infringement suits, such as have been offered by Open Source Risk Management, Novell, Red Hat, and the OSDL, although it may in time partner with insurance providers, according to Levin. Rather, Black Duck software simply aims to help developers and managers find re-used code and discover its licensing terms.

Black Duck was designed as a software solution because many corporations are “reluctant to have source code leaving the premises,” according to Levin. The Black Duck server installation requires 200GB of storage. Several client applications are available, including a command-line tool and an Eclipse plugin.

The database and server application

According to CTO Palle Pedersen, Black Duck's database contains “fingerprints” of “a very large number” of software packages. The fingerprints contain hashes and checksums that enable matches to be detected even in cases where the re-used code has been modified to a fairly high degree. “It will put more of an obstacle on people who intend to steal code. If a thousand data points are being checked on, we only have to find one of them.”

Still, admit Pedersen and Levin, Black Duck is mainly intended to discover unintentional, rather than willful code misuses. Intentionally obfuscated code could be snuck past Black Duck, with a great deal of work. “But, then, it might not be a copyright violation any more, in that case,” says Pedersen.

According to Levin, Black Duck employs a team of analysts who spider the Web in search of program source code and licenses. The company also employs a team of attorneys specializing in open source law to interpret the data.

Black Duck pushes source code and license updates out to its customer databases using technology “a lot like Norton anti-virus,” according to Levin. “Most companies will allow us to do the automatic updates. We send it in through port 80. It runs in the background, and developers are not really aware of update process. Although, there are separate views of the updates which have occured for the administrator or key users.”

Levin adds that updates are “periodic,” and can't be predicted. “We might have three updates one week, and 16 the next,” he says.

The client-side application

Black Duck includes command-line and Eclipse-based clients designed to fit easily into developers' work flow, according to Pedersen: “The clients work at a speed similar to other development tools, such as compilers.” Pedersen adds that scanning a 20-30k source code file happens “nearly instantaneously.”

“It's designed not to be an encumbrance,” adds Levin.

Black Duck provides a punchlist of licensing issues
(Click to enlarge)
False positives are also possible, given the high granularity of the inspection process, but can be “marked off so they don't show up everytime,” according to Pedersen.

Black Duck identifies applicable source licenses, including user-added licenses
(Click to enlarge)
In addition to re-used software detection, Black Duck provides licensing information and complete license text for over 150 software licenses, including “OSI-approved licenses, non-open-source approved licenses, and some proprietary licenses from Intel and Oracle and others,” according to Levin. The software also lets customers add their own source code files and licenses.

Black Duck knows about hundreds of source code licenses
(Click to enlarge)
“Black Duck enables managers, attorneys, business development, finance people and executives to view data that accumulates as a result of developers using open source software,” says Levin.

Black Duck shows dynamic view of threats over time
(Click to enlarge)
Asked if Black Duck itself was based on any re-used code, such as MySQL or Postgres, Pedersen replied, “Generally, we have created it as a proprietary platform. We are running on our own software.”

The bottom line

Levin recommends that Black Duck be used in conjunction with a Open Source Software (OSS) best practices that include involving attorneys early on, setting up an internal OSS review board with frequent meetings, and management developing a questionaire for developers about their use of OSS and its benefits.

Levin says that Black Duck has been beta testing for seven weeks, at 30 large customer sites. He notes that a company in Asia was able to use the beta version to discover copyright violations in work it contracted from a third-party.

The final version of Black Duck is expected to ship in mid-May, and will be available to enterprise customers for about $1,000 per seat, with volume licensing discounts available. Separate licensing models will be offered to vendors, consulting firms, and university customers.

---

 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.