Code scanning, registry services ease OSS license compliance
May 17, 2004 — by LinuxDevices Staff — from the LinuxDevices Archive
Black Duck has launched two services to help commercial software developers, enterprise buyers, and Linux developers manage software intellectual property (IP). One scans source code for snippets of open source software (OSS), and identifies potential license conflicts. The other is a registry for source code that passes the scan.
Source code scanning software
Black Duck's protexIP/development source code scanning and license conflict resolution software was announced in early April. It has been beta tested for 5-1/2 months, by 20 firms, including three doing embedded Linux development, according to Black Duck CEO Douglas A. Levin.
ProtexIP/development comprises a central database server containing 30GB of open source software “codeprints,” according to Levin, along with Web-based client software intended to run on the desktops of software engineers, QA managers, product managers, lawyers, auditors, and related service providers.
The server component of protexIP/development includes a “business rules engine” enabling companies to establish and implement open source software best practices and policies related to specific licenses. The client software scans code at speeds similar to other development tools, such as compilers, according to Levin, identifying known code excerpts and creating a punchlist of potential license conflicts that can be interactively resolved by software engineers or cleared by the company's legal counsel.
According to Levin, in testing, protexIP/development identified intentionally obfuscated open source code excerpts in “a high percentage” of cases.
The software also includes a License Calculator that Black Duck says lets users view the consequences of combining software governed by different licenses before embarking on a project.
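To make the scanning, punchlist and License Calculator steps concrete, here is an added example. It is not Black Duck's code and does not reflect protexIP's actual codeprint format or rules, which the article does not describe. It assumes a "codeprint" is a set of hashes over fixed-length windows of normalized source tokens (identifiers folded so renaming does not defeat the match), uses constructed C snippets as the "open source" components and the scanned project, and a small, simplified compatibility table standing in for the business rules engine; unknown license pairs are escalated for legal review rather than auto-cleared.

```python
import re
from hashlib import sha1

# Added illustration, not protexIP. A codeprint is the set of SHA-1 hashes of
# every K-token window of normalized source. Non-keyword identifiers are folded
# to "ID" so that renamed or reformatted copies still match; the price is more
# collisions on very common idioms, which is why a match fraction is reported.
KEYWORDS = {"int", "char", "void", "struct", "unsigned", "static", "return",
            "if", "else", "while", "for", "sizeof", "NULL"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|->|==|!=|<=|>=|&&|\|\||[^\s\w]")
K = 8  # window length in tokens (assumption for the example)


def normalize(src):
    """Strip C comments, tokenize, and fold non-keyword identifiers to ID."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return [t if t in KEYWORDS or not re.match(r"[A-Za-z_]", t) else "ID"
            for t in TOKEN_RE.findall(src)]


def codeprint(src):
    toks = normalize(src)
    return {sha1(" ".join(toks[i:i + K]).encode()).hexdigest()
            for i in range(len(toks) - K + 1)}


def build_db(components):
    """components: {name: (license_id, source)} -> {name: (license_id, codeprint)}."""
    return {name: (lic, codeprint(src)) for name, (lic, src) in components.items()}


def scan(src, db, threshold=0.5):
    """Fraction of each component's codeprint found in src, for hits >= threshold."""
    target = codeprint(src)
    hits = {}
    for name, (_, prints) in db.items():
        frac = len(prints & target) / len(prints)
        if frac >= threshold:
            hits[name] = round(frac, 2)
    return hits


# Simplified License Calculator rules (project license, component license).
# An assumption for the example; a real policy engine would carry many more
# cases and the conditions attached to each.
RULES = {
    ("Proprietary", "GPL-2.0-only"): ("conflict", "copyleft requires source for the combined work"),
    ("Proprietary", "LGPL-2.1-only"): ("review", "allowed if linked dynamically and LGPL terms are met"),
    ("Proprietary", "MIT"): ("ok", "retain copyright notice and license text"),
    ("Proprietary", "BSD-3-Clause"): ("ok", "retain notice; no endorsement using contributor names"),
    ("GPL-2.0-only", "MIT"): ("ok", "retain notice"),
    ("GPL-2.0-only", "GPL-2.0-only"): ("ok", "same license"),
}


def license_verdict(project_license, component_license):
    """Unknown pairs are never auto-cleared; they go to counsel."""
    return RULES.get((project_license, component_license),
                     ("review", "no rule for this pair; escalate to legal counsel"))


def punchlist(src, project_license, db):
    """Audit-log style entries: what matched, under which license, and the verdict."""
    entries = []
    for name, frac in scan(src, db).items():
        lic = db[name][0]
        verdict, note = license_verdict(project_license, lic)
        entries.append({"component": name, "license": lic, "match": frac,
                        "verdict": verdict, "note": note})
    return entries


# Constructed sample components and a constructed "proprietary" file to scan.
GPL_REVERSE = """/* SPDX-License-Identifier: GPL-2.0-only (constructed sample) */
struct node *reverse_list(struct node *head) {
    struct node *prev = NULL;
    while (head) {
        struct node *next = head->next;
        head->next = prev;
        prev = head;
        head = next;
    }
    return prev;
}
"""
MIT_CLAMP = """/* MIT (constructed sample) */
static int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
"""
# The scanned file contains the GPL routine renamed and reformatted, plus original code.
TARGET = """// proprietary code (constructed)
struct node *flip(struct node *h)
{
  struct node *p = NULL;
  while (h) { struct node *n = h->next; h->next = p; p = h; h = n; }
  return p;
}
int main(void) {
    struct node *list = build();
    list = flip(list);
    print_list(list);
    return 0;
}
"""
DB = build_db({"reverse_list": ("GPL-2.0-only", GPL_REVERSE),
               "clamp": ("MIT", MIT_CLAMP)})

if __name__ == "__main__":
    for entry in punchlist(TARGET, "Proprietary", DB):
        print(entry)
```

Running it lists one entry: the renamed `reverse_list` copy matches 100% of the GPL component's codeprint and is flagged as a conflict for a proprietary project, while the unused MIT component does not appear. The match fraction is what lets an engineer triage a hit; the verdict and note are what counsel would clear or act on, which is the division of labour the article describes.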
Registry service
Black Duck customers wishing to document that their code has been scanned with protexIP/development can apply for inclusion in the protexIP/registry. This is done by submitting required documentation, including the auditable log file that protexIP/development generates, termed a “Project License Profile” (PLP). The PLP file contains information on open source software in use, license conflicts, and actions taken to resolve conflicts. Projects that comply with the Black Duck criteria will qualify to be registered, and at the option of the developer can be listed in the official protexIP/registry on Black Duck's Website.
According to Levin, inclusion in the protexIP/registry also provides a timestamp that could help a developer apply for a patent or otherwise protect their intellectual property.
Quotes from early customers and others
Red Hat VP Karen Bennet said, “We employ hundreds of developers working on millions of lines of code. Black Duck enables us to automate a manual process, saving time and resources while fitting into the software development practices that are already in place.”
Karen Faulds Copenhaver, a partner at Testa, Hurwitz and Thibeault, LLP, said, “With increases in open source software usage, offshore development, expanded due diligence inquiries, and concern regarding intellectual property litigation, software companies must be vigilant. Black Duck's service will help developers, investors, attorneys, and others to assess and manage IP risk more effectively and efficiently.”
Levin adds, “As forward-thinking companies implement open source review committees and other best practices, [we] can help them make sure that their corporate policies and new processes are being followed.”
Availability
Annual subscriptions to protexIP/development, including codeprint database and software updates, start at $2,500 per user, with volume discounts available. The protexIP/registry is available to customers for $1,000 per submitted release. Black Duck invites interested parties to apply for a whitepaper with additional details.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.