[SGVLUG] Four Tips To Avoid Open Source Legal Problems
Jeremy Leader
jleader at alumni.caltech.edu
Fri Jul 7 13:37:22 PDT 2006
On 07/07/2006 12:40 PM Michael B. Parker wrote (in part):
> Looking up some of the tools:
> * www.blackducksoftware.com/ondemand/overview.html lets you keep the
> source code at your location, only sending "Code Prints" of it back to
> match with their source database. This `source "Code Prints"' (on brief
> Google search for that) seems to be a Black Duck idea; I'd love to know
> how it works - can't find any details on quick search.
I suspect this might be something like "shingle-printing", which is used
by search engines to identify partially similar web pages.
> But what I'm wondering: it seems if someone abuses licensing, such as
> using GPL code for a commercial product I would guess, as long as the maker
> doesn't release their source openly, it will be hard for this to be
> caught many times it would seem: only if another user eventually spots
> the similarity AND reports it. A long-term investor in the code might
> want the source code scanned to prevent that risk. Of course, to prove
> duplication, if not obvious, a *court order* would still (likely) be
> needed to reveal the sources (and still a bit of work to compare them,
> though these tools, if used there too, could make that much easier to
> compare).
I think the selling point for the tools is that it's a risk with a huge
downside (for a big company), even if the probability of detection is
fairly low.
> Overall,
> - unless we somehow require globally reported "Code Prints" of
> everybody's source code, akin to "simply" scanning everyone's hard disks
> (and report their contents) for copyright infringement (and "just" for
> that we must hope),
> - tools like this (for source code violation detection) would only seem
> of very limited use:
>
> -- only seemingly important for long-term code owners (or big code
> buyers) to scan their acquired code for licensing violations THAT
> --- they don't already know about (the programmers didn't bother to
> check or report to them already),
Lots of companies probably have lots of code that was written by
programmers who aren't at the company any more, or was written by
contractors.
> --- AND even when found, if they're not ever publicly releasing this
> code (just the executables), then only the obvious ones (from the UI)
> they would really need to worry about: to correct, or maybe just
> cover-up.
The article specifically talked about cases where people were able to
demonstrate that a piece of code was improperly copied, just from its
external behavior. After all, they don't initially have to *prove* it
was copied, they just have to get enough evidence to get a judge to
issue a subpoena for the source.
> Am I missing something? Thoughts?
The article isn't talking about tracking down all violations of open
source licenses, it's just pointing out that anyone with a lot to lose
should take steps to find and minimize the risks that they're
unknowingly taking.
> Mike Parker, of http://www.Cytex.com
> -- MIT CS Grad, Army Officer, IT Consultant & Software Architect
> -- now helping create http://www.CommuniDB.com : "Turn your writings
> into money"
--
Jeremy Leader
jleader at alumni.caltech.edu
leaderj at yahoo-inc.com (work)
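Jeremy's guess above is that a "Code Print" works like the shingling used for near-duplicate web page detection. The following is an added illustration of that technique applied to source code; it is not Black Duck's method and was not part of the original thread. It assumes a simple C-style tokenizer, a window of five tokens, a small keyword list for identifier normalisation, and constructed sample snippets; only short hashes of each window would need to leave a site, which is consistent with the "keep the source at your location" claim Mike quoted.

```python
"""
w-shingling applied to source code: a plausible model of how a
"code print" could be matched against a database without shipping source.
Added example with constructed inputs; not a vendor's actual algorithm.
"""
import hashlib
import re
from typing import List, Set

# Hypothetical tokenizer: identifiers, integer literals, single punctuation chars.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|[^\s\w]")
# Small keyword set kept verbatim when normalising identifiers (assumption).
KEYWORDS = {"int", "const", "char", "void", "for", "if", "else", "while", "return"}


def tokenize(source: str, normalize: bool = False) -> List[str]:
    """Strip C-style comments, then split into tokens. With normalize=True every
    non-keyword identifier becomes 'ID', so renaming variables does not hide a copy."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", " ", source, flags=re.S)
    toks = TOKEN_RE.findall(source)
    if normalize:
        toks = [t if (t in KEYWORDS or not re.match(r"[A-Za-z_]", t)) else "ID" for t in toks]
    return toks


def shingles(source: str, w: int = 5, normalize: bool = False) -> Set[str]:
    """The fingerprint: a set of truncated SHA-256 hashes of every w-token window.
    Source text is not recoverable from the set, only overlap with other sets."""
    toks = tokenize(source, normalize)
    out: Set[str] = set()
    for i in range(max(0, len(toks) - w + 1)):
        window = " ".join(toks[i:i + w])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Symmetric similarity, the measure search engines use for near-duplicate pages."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def containment(fragment: Set[str], whole: Set[str]) -> float:
    """Fraction of the fragment's shingles present in the whole. This is the right
    measure when one copied function sits inside a large proprietary codebase,
    where Jaccard would be diluted by all the unrelated code."""
    if not fragment:
        return 0.0
    return len(fragment & whole) / len(fragment)


# Constructed sample snippets (not real project code).
UPSTREAM = """
int checksum(const char *buf, int len) {
    int sum = 0;
    for (int i = 0; i < len; i++) {
        sum += buf[i];
    }
    return sum;
}
"""

# Same code, reformatted and commented: tokens are identical.
COPIED = """
/* utility: sum the bytes */
int checksum(const char *buf, int len)
{
  int sum = 0;   // accumulator
  for (int i = 0; i < len; i++) { sum += buf[i]; }
  return sum;
}
"""

# Same code with every identifier renamed: defeats raw token shingles.
RENAMED = """
int byte_sum(const char *data, int n) {
    int acc = 0;
    for (int k = 0; k < n; k++) {
        acc += data[k];
    }
    return acc;
}
"""

UNRELATED = """
void greet(const char *name) {
    printf("Hello, %s\\n", name);
}
"""

# A larger "proprietary" file that embeds the copied function among other code.
WHOLE = "/* proprietary module */\n" + COPIED + "\n" + UNRELATED


def compare_samples() -> dict:
    """Run the comparisons a compliance scan would make; returns the scores."""
    up = shingles(UPSTREAM)
    return {
        "reformatted_jaccard": jaccard(up, shingles(COPIED)),
        "renamed_raw_jaccard": jaccard(up, shingles(RENAMED)),
        "renamed_norm_jaccard": jaccard(shingles(UPSTREAM, normalize=True),
                                        shingles(RENAMED, normalize=True)),
        "unrelated_jaccard": jaccard(up, shingles(UNRELATED)),
        "embedded_containment": containment(up, shingles(WHOLE)),
        "embedded_jaccard": jaccard(up, shingles(WHOLE)),
    }


if __name__ == "__main__":
    for name, score in compare_samples().items():
        print(f"{name:24s} {score:.2f}")
```

The two failure modes worth noting for anyone evaluating such a tool: raw token shingles miss a copy whose identifiers were renamed (the normalised variant recovers it), and Jaccard alone under-reports a small function buried in a large file (containment does not). Both are choices a real product would have to make, and neither is visible from the fingerprint format alone.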