Free advice (as in beer): Know your compliance/OSLD vendors

Software developers who doubt that violating an open source license is a costly mistake should look into cases involving Motorola, Acer and Progress Software.

Each company was in violation of the General Public License for software and suffered tens of thousands of dollars in fees and out of court settlements with the Free Software Foundation (FSF) Inc. and German watchdog group gpl-violations.org. In the case of Progress Software Corp., the losses were reportedly in the tens of millions.

You can potentially avoid those types of headaches with the implementation of an open source license detection (OSLD) system.

Currently, only two vendors -- Waltham, Mass.-based Black Duck Software Inc. and San Francisco-based Palamida Inc. -- offer OSLD products, and both companies' products have merit in the eyes of analysts.

The analogy that [license violation] is like a virus is really adept in that they are both very small invaders of a body that can result in the shut down of the entire system. Richard Monson-Haefel Senior analystBurton Group

Why invest in OSLD?

Today, the ease with which developers can integrate open source code into a proprietary product or contribute proprietary code into an open source project is incredible, said Burton Group analyst Richard Monson-Haefel.

"If a company is using open source software, it behooves you to use one of these [OSLD] products, and it is particularly important for companies that are product vendors because they are at greater risk of violating license policy," Monson-Haefel said.

The Midvale, Utah-based analyst added that with an Internet connection, there is very little to prevent either scenario for occurring. "For commercial companies to protect themselves from legal risks and loss of intellectual property, they must be able to detect when open source code is used by their products and when code from their proprietary products has leaked into the open source community," he said.

Even if a developer is careful in monitoring code, proprietary software can still leak into open source software without the knowledge or permission of the company that owns it. Such was the case when the SCO Group Inc. filed a $1 billion lawsuit against IBM in 2003 for allegedly contributing proprietary code from SCO's System V Release 4 Unix kernel code to Linux.

The license as a virus

Monson-Haefel said developers should be aware that all it takes for a violation is a few lines of code or a borrowed algorithm. In most cases, the violation is unintentional but the result is the same.

"The analogy that [license violation] is like a virus is really adept in that they are both very small invaders of a body that can result in the shut down of the entire system.

An OSLD primer: OSLD products have two primary components: an open source scanner and a code print repository. The code print repository is usually a huge database, created and populated by the vendor, which contains billions of code prints from hundreds of thousands of open source projects. The scanner is a utility that reads source or binary code and creates code prints based on proprietary algorithms and digest-generating algorithms.   There are three areas in which OSLD products distinguish themselves in terms of architecture: the precision of code prints, the size and speed of the repository and the physical distribution of product components. -- Excerpt from Burton Group report "Open Source License Detection: Protecting Your Intellectual Property"

"Even if it is a snippet of open source code, you are still responsible for adhering to the license. In most cases, people never know the difference, but if someone finds 100 lines of code from an open source project, that could result in the open sourcing of the entire product," Monson-Haefel explained.

Black Duck CEO and president Doug Levin said this was the case with a Web services customer that found 36 of the 10,000 lines of code within its product had been borrowed from the open source memory module of a game found on the code repository SourceForge.net.

"Software developers who find these issues need to remediate and create an audit trail to show who did what to the code and when," Levin said. You can easily reference the documentation then -- either at the end of the project when a customer wants to see code or when a company is financed or sold.

Whether large or small, the companies in need of license detection systems share the same needs. Palamida co-founder and vice president of marketing Theresa Friday said that her company's third-largest customer, Cisco Systems, has as much to lose with its IP affairs as San Francisco-based open source IT management vendor GroundWork, also a Palamida customer.

For more on OSS licensing: GNU GPL initiative takes on licensing threats

Which to choose?

Both of today's OSLD vendors are worth a look, but ultimately it will be the individual needs of the user that will determine which is selected.

"There isn't a clear victor between Black Duck and Palamida, as each offers some advantages over the other. Black Duck has better reporting of violations, and some customers say Palamida runs faster and has a larger database," Monson-Haefel said.

In a report released this month, Burton Group recommended that software development firms trial run each product. The best way to conduct a trial, the report said, is to purposefully infuse an open source piece of code into the larger code base and see which product is able to discover it.