Software compliance now a sitting Black Duck

Code verification can be a source of comfort

Organizations developing software now have the option of cross-checking in-house code with that from the open source community as Black Duck Software launches its products to the local market.

Black Duck Software began in 2002 amid the heated intellectual property infringement debate between The SCO Group and IBM. Its products and services are aimed at businesses wanting to identify and control the introduction of licensed software code into their own products.

Black Duck maintains a "KnowledgeBase" of open source projects covering about 700 licences, which is reviewed by a team of attorneys to determine how it can be used with in-house or vendor software products.

Both open source and third-party code, licensed from other companies, can then be compared to the in-house source code with Black Duck's ProtexIP Web application.

Black Duck sales engineer Ronan Fagan said one customer, the machinery giant Caterpillar, has "a ton of software" and was required by its client to "vet" the software and ensure nothing it developed breached any licensing restrictions.

"Caterpillar used ProtexIP to give it a clean bill of health and the deal went ahead," Fagan said.

Likewise Motorola, which has more than 600MB of code in its Razr phone, used ProtexIP to verify its code, as it could not afford to recall phones if GPL code were discovered after a product release.

There is a ProtexIP Linux server product and a ProtexIP on-demand service, the latter typically used by companies during mergers and acquisitions.

"SCO is suing people based on copyright infringement and while we don't want to spread fear it is a very real threat," Fagan said. "It's OK to use open source, but you want to make sure you're within the licence restrictions. If you're using the GPL you need to make your code open source."

Ironically, Black Duck, itself a user of open source code, is keeping its application code under tight wraps.

"We don't want to make our code open source," Fagan said.

Fagan said existing manual checking processes are not scalable, and ProtexIP assigns a role to each of the people involved in the software development lifecycle - including lawyers, administrators, and developers.

Once the code analysis is complete, organizations can identify IP and licence issues, manage licences, and review auditing and documentation.

Black Duck's software is being distributed in Australia by Open Channel Solutions.

Pia Waugh, director of open source consulting firm Waugh Partners, said software compliance is the latest area of interest and hurdle the industry needs to overcome, particularly in the government sector.

"Government departments want to show due diligence and that the software they are getting is compliant," Waugh said, adding a lot of government departments are developing software and need to check for compliance to be able to open source it.

"There is a lot of publicly funded software in the research sector, but if they feel they can't open source it, it ends up entombed [so] publicly funded software is not publicly available."
