[SGVLUG] Four Tips To Avoid Open Source Legal Problems

Fri Jul 7 12:40:51 PDT 2006

Thanks, Dennis, for spotting this article!
http://www.cio.com/archive/070106/et_main.html?source=cioinsider

Though interesting stuff, I found the article (and related articles)
hard to skim, so here's my (shorter) take:

I found the most interesting part of the article was the technology to
enforce (mostly open) source code licensing use:

	"Assume You'll Get Caught ... Source-code compliance tools from
the likes of Black Duck and Palamida, which can scan millions of lines
of code and compare them with huge databases of known software, allow
companies to locate (and locate pretty quickly) previously created
code-even if variable names and white space have been modified by the
borrower.  [--Interesting idea]

	Black Duck's client list has grown more than 300 percent during
the past year and now includes 11 Fortune 500/Global 500 companies. Its
hosted code assessment service, ProtexIP/OnDemand, has been downloaded
by hundreds of companies and has been used in more than 140 merger and
acquisition due diligence transactions totaling an estimated $9 billion,
according to the company. Searches for suspicious code are becoming de
rigueur during the due diligence surrounding mergers and acquisitions.
The culture surrounding open-source and free software has had an impact
as well. Whistle-blowers have outed their employers over open-source
code misuse. Some GPL violations have also been called to the attention
of the world by interested users who notice suspiciously familiar
behavior in commercial products. ..."

Looking up some of the tools:
 * www.blackducksoftware.com/ondemand/overview.html lets you keep the
source code at your location, only sending "Code Prints" of it back to
match with their source database.  This `source "Code Prints"' (on brief
Google search for that) seems to be a Black Duck idea; I'd love to know
how it works - can't find any details on quick search.
 * www.palamida.com is the other tool, with slogan "Diligence Done"

But what I'm wondering: it seems if someone abuses licensing, as uses
GPL code for a commercial product I would guess, as long as the maker
doesn't release their source openly, it will be hard for this to be
caught many times it would seem: only if another user eventually spots
the similarity AND reports it.  A long-term investor in the code might
want the source code scanned to prevent that risk.  Of course, to prove
duplication, if not obvious, ac *court order* would still (likely) be
needed to reveal the sources (and still a bit of work to compare them,
though these tools, if used there too, could make that much easier to
compare).

Overall, 
 - unless we somehow require globally reported "Code Prints" of
everybody's source code, akin to "simply" scanning everyone's hard disks
(and report their contents) for copyright infringement (and "just" for
that we must hope),
 - tools like this (for source code violation detection) would only seem
of very limited use: 

 -- only seemingly important for long-term code owners (or big code
buyers) to scan their acquired code for licensing violations THAT
 --- they don't already know about (the programmers didn't bother to
check or report to them already), 
 --- AND even when found, if they're not ever publicly releasing this
code (just the executables), then only the obvious ones (from the UI)
they would really need to worry about: to correct, or maybe just
cover-up.

Am I missing something?  Thoughts?

Mike Parker, of http://www.Cytex.com  
-- MIT CS Grad,  Army Officer,  IT Consultant & Software Architect
-- now helping create http://www.CommuniDB.com : "Turn your writings
into money"

-------------- next part --------------
An embedded message was scrubbed...
From: "Dennis Birney" <DennisBirney at msn.com>
Subject: [SGVLUG] Four Tips To Avoid Open Source Legal Problems
Date: Thu, 6 Jul 2006 19:59:09 -0700
Size: 2722
Url: http://www.sgvlug.net/pipermail/sgvlug/attachments/20060707/32fb83c1/attachment.mht