[SGVLUG] Four Tips To Avoid Open Source Legal Problems

Michael B. Parker MBParker at Cytex.com
Fri Jul 7 14:21:33 PDT 2006


Jeremy writes (re
http://www.cio.com/archive/070106/et_main.html?source=cioinsider ):

	"The article isn't talking about tracking down all violations of
open source licenses, it's just pointing out that anyone with a lot to
lose should take steps to find and minimize the risks that they're
unknowingly taking."

Thanks for the synopsis, Jeremy!  I wish the article was written so
clearly.  With unqualified headlines as "Assume You'll Get Caught"
perhaps the author "CHRISTOPHER LINDQUIST" wants to get the maximum
scare factor, but I guess it was written for CIO.com, whose readers we
might assume have a lot to lose, but this still I think should be clearly
qualified.  And, in agreement with Dustin, "copyright violations in any
proprietary product.  I doubt it is uncommon.", I suspect while this
helps, for the majority of code and people out there, it will do little.

To seemingly write with such unqualification, I wonder if the author has
a stake in one of these tools, as Black Duck.  Google for "(Chris OR
CHRISTOPHER LINDQUIST) Black-Duck" yields 217 references (way beyond
this one article) so it might be possible.

Anyway, Dustin's point of roughly "running 'strings' can [often] tell
you.  Should work for a binary for any platform, too." leads me to think
that it might be possible for a product which MIGHT meaningfully detect a
lot of source code reuse if some sort of "running strings" were in the
original source.  While GUI code uses running strings often, many
algorithm code doesn't.  However, perhaps something could be made to
insert some identifying hard-to-remove logic into SOURCE CODE that would
be easy to detect (even in a compiled binary) and hard to remove even by a
programmer with the source, unless he/she understood the source well.  I
don't know, maybe it's wishful thinking to create this watermark
deliberately in source.

But, even without source watermarking, it seems if some form of
binary/executable scanning was included in matching code (as looking
for running strings, maybe common assembly/virtual-machine frags to
fingerprint), it would go potentially dramatically further towards
detecting source code reuse as binary/executables are SEVERAL TIMES more
freely distributed than underlying source, especially in proprietary
products.

Thoughts?  Heard of this?

Mike Parker, of http://www.Cytex.com  
-- MIT CS Grad,  Army Officer,  IT Consultant & Software Architect
-- now helping create http://www.CommuniDB.com : "Turn your writings
into money"
-------------- next part --------------
An embedded message was scrubbed...
From: "Dustin Laurence" <dustin at laurences.net>
Subject: Re: [SGVLUG] Four Tips To Avoid Open Source Legal Problems
Date: Fri, 7 Jul 2006 13:55:30 -0700
Size: 4180
Url: http://www.sgvlug.net/pipermail/sgvlug/attachments/20060707/700e8b2e/attachment-0001.mht
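As an added illustration of the "running strings" idea discussed above (this is not code from the thread, from Black Duck, or from any product it mentions), here is a small Python sketch: it fingerprints a reference source file by its string literals, extracts printable runs from a binary the way strings(1) does, and scores how much of the fingerprint the binary contains. The sample source, the sample binary and the list of generic tokens are all constructed for the example.

```python
import codecs
import re

# Minimum length of a printable run, matching the default of strings(1).
MIN_LEN = 4
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Literals too generic to tell one code base from another (constructed list;
# a real tool would weight strings by how rarely they occur across many projects).
GENERIC = {"error", "warning", "usage", "main", "true", "false", "null"}


def extract_strings(blob: bytes) -> set:
    """Distinct printable-ASCII runs in a byte buffer, as strings(1) reports them."""
    return {m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)}


def reference_strings(source: str) -> set:
    """Fingerprint a C-like source file by the string literals it contains."""
    ref = set()
    for lit in re.findall(r'"((?:[^"\\]|\\.)*)"', source):
        # Resolve escapes such as \n so the literal looks as it will in the binary,
        # then keep the printable runs that a strings scan of that binary would show.
        raw = codecs.decode(lit.encode("ascii", "ignore"), "unicode_escape")
        ref |= extract_strings(raw.encode("ascii", "ignore"))
    return {s for s in ref if s.lower() not in GENERIC}


def match_score(blob: bytes, ref: set):
    """Fraction of the reference fingerprint found in the binary, plus the hits."""
    found = extract_strings(blob)
    hits = sorted(s for s in ref if any(s in f for f in found))
    return (len(hits) / len(ref) if ref else 0.0), hits


# Constructed stand-in for an open source library's source file.
SAMPLE_SOURCE = r'''
static const char *BANNER = "libfoo archive engine v1.2";
void open_it(const char *p) { printf("Opening archive %s\n", p); }
void fail(void) { fputs("error", stderr); }
'''

# Constructed stand-in for a shipped binary: code bytes with those literals embedded.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x90" * 16
                 + b"libfoo archive engine v1.2\x00" + b"\xde\xad\xbe\xef" * 4
                 + b"Opening archive %s\n\x00" + b"error\x00" + b"\x00" * 8)

if __name__ == "__main__":
    score, hits = match_score(SAMPLE_BINARY, reference_strings(SAMPLE_SOURCE))
    print(f"{score:.0%} of fingerprint present: {hits}")
```

The generic-token filter is the part that matters in practice: short or common strings match almost any binary, so a match is only meaningful on distinctive literals such as banners, format strings and error messages.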

