Open Source Cloud Authors: Elizabeth White, Liz McMillan, Yeshim Deniz, Zakia Bouachraoui, Pat Romanski

Related Topics: Linux Containers

Linux Containers: Article

Black Duck Software

What are they doing to support deployment of Linux and other open source software?

LWM's senior contributing analyst, Bill Claybrook, spoke with Doug Levin (CEO and president), Palle Pedersen (CTO), and Karen Faulds Copenhaver (executive VP and general counsel) of Black Duck Software in Waltham, MA, about the company and their role in helping Linux and open source software succeed in the enterprise.

LWM: Doug, Palle, and Karen, thanks for talking with us. Doug, can you tell us when and why you founded Black Duck Software?
Doug Levin:
I started Black Duck Software about five months before SCO filed its lawsuit against IBM in March 2003 to address two primary concerns. First, I wanted to support the expanded use of Linux and open source software and accelerate the use of Linux and open source software, especially in corporations. Second, to save on software development costs, corporations need to reuse software. To do this they have to know something about the contents of the code since various people developed it, and features and functionality were added to it over time. I thought it was an important initiative to encourage reuse of software.

LWM: On your Web site, you describe Black Duck Software as an IP risk management company. Can you elaborate on that?
It's a combination of a couple of things. We enable people to deal with the issues of copyright infringement. We also offer support in the licensing of open source software and Linux distributions. Ultimately we are helping companies address the challenges of IP risk management, which is receiving a lot of focus following the Sarbanes-Oxley Act of 2002 - legislation affecting corporate governance, business controls, financial disclosure, etc.

LWM: Do people come to you to talk just about open source licensing?
Our Black Duck protexIP/development information service can be used in three areas, one of which is as a license management system for all open source licenses and combinations of proprietary and open source licenses - independent of the other things that we address. We also have companies using it as a development management system to provide an audit trail for both U.S.-based soft-ware developers and outsourced soft-ware developers in countries where there is not as much respect for IP as there is in the U.S. The third area is in due diligence of technology to review content and license compliance prior to acquisition.


LWM: You're experts in open source licensing. Do you handle all open source licenses with your software?
We have 160 open source licenses in our KnowledgeBase that we track, including 53 from theOSI.org Web site. There are many others that people have created in one form or another. Part of our Black Duck protexIP/development information service involves providing our customers with updates to the licenses database in the KnowledgeBase.

LWM: Who are your targeted customers?
We target large enterprises, including large hardware/software vendors and governments that are currently using (or have a desire to use) open source software and Linux and have a desire to use more.

LWM: With so many open source licenses and so much open source code on the Web, it's difficult to deal with complicated licensing compatibility issues when combining open source software from various sources. How does Black Duck software help developers?
Palle Pedersen:
Our Black Duck protexIP/development information service is designed to help a development team work together to manage IP and licensing compliance. When it's integrated into existing development tools, it applies IP management best practices throughout the development life cycle - from the concept phase to ready to ship.

Throughout the development process, Black Duck protexIP/development helps developers monitor and track their source code, including identifying where the code came from. It automatically recognizes when any of thousands of open source programs, even small blocks of code, are inserted into the source code. It does this by comparing the inserted code with the open source code represented in our KnowledgeBase. If there is an issue, the service informs users and managers and creates a list of code combination conflicts that need to be remedied by developers or cleared by the company's legal counsel.

The information service can be used even if it's not integrated into development tools. Developers can periodically run their code against the open source code in the Black Duck KnowledgeBase to determine if there are potential conflicts and potential licensing issues. At the end of development, the information service aids the legal staff in license validation before the product is shipped. The other information service, Black Duck protexIP/registry, allows users of protexIP/development the opportunity to follow a registration procedure and enroll their code in the Black Duck protexIP/registry. By participating in the Black Duck Registration program, developers can provide assurance to their customers and insurers that they adhere to best practices for protecting IP.

LWM: Can you briefly describe the Black Duck KnowledgeBase?
KnowledgeBase contains in-depth information about open source licenses. The information services that we just discussed use this database to automatically review code modules and their licenses. Our lawyers and technologists have developed proprietary methods of making software licenses machine-readable. KnowledgeBase also has a database of about 35GB of representations of open source code in it, against which we can compare customer code during the development process to detect various code and licensing conflicts. To create the database, we created something that we refer to as CodePrint technology. This technology is applied to all known open source software projects in various repositories on the Internet to create the CodePrint database within the KnowledgeBase. Source code is categorized according to the applicable licensing element. There is currently no proprietary code in the KnowledgeBase. Customers can add their own code, and they can add third-party code if they have a source license for it.

LWM: Today you can scan source code and compare it to the open source code in your KnowledgeBase. Can you scan and compare binary code?
Today, we can scan source code only; however, a future version of Black Duck protexIP/development will be able to look at binary code as well.

LWM: How would a company such as IBM with a lot of proprietary code use your Black Duck protexIP/development information service?
They could use it in the ways we talked about earlier to determine if open source code has crept into one of their packaged software products, such as AIX. They could also use it to determine if and where Linux and AIX share source code, but they would still have to manually determine whether such source code originally came from Linux, AIX, or another project or product. For future products, they could use protexIP/development during the development process to help address questions about source code origin. Their Global Services consulting organization could use Black Duck to assist their customers in the management of software development projects to uncover instances of intentional or accidental open source code insertions.

LWM: I've been waiting to ask this question since we started talking. Could your products be used in the SCO/IBM lawsuit?
Karen Copenhaver:
The lawsuit is a two-party contractual disagreement and within it there are many claims and one small part of it is related to copyright infringement. Many of the code complaints/issues are related to proprietary two-party code exchanges between IBM, SCO, Novell, and others, and we have no knowledge of them. The lawsuit is trying to track many different sources of code through many different paths to determine origins. The Black Duck technology might provide a useful tool for lawyers to keep track of source code and to trace code sources.

LWM: The Open Source Risk Management (OSRM) company that indemnifies its customers against patent infringement claims says that Linux code may infringe on 283 patents - 60 owned by IBM and 27 owned by Microsoft. I have not seen a description of these patents, but it seems that this review of patents has instilled fear into potential Linux and open source customers. What is your view of this?
OSRM is dealing with completely different issues than we are. We deal with copyright issues, and they are focused on bringing the community together to share in the risk of patent infringement. We are interested in reducing the risk of copyright infringement claims by allowing people to manage the use of copyrighted materials.

LWM: Can you help alleviate some of these fears?
Simply put, we encourage the use of open source software by helping companies manage some of the issues related to copyright infringement and license compliance in code that is being developed in the U.S. as well as being outsourced abroad. We do not address patents. We differ from OSRM and want to avoid contributing to fear or the other elements of doubt that OSRM may have caused by announcing potential litigation related to patents.

LWM: A number of proprietary software companies have been (or are contemplating) open sourcing some of their code. What help can you be to these companies?
There are two types of people who we can help in this instance - end users and vendors. We can help end users via our registry service that we talked about earlier, and we can help vendors with the internal management of their software projects, with copyright and license compliance and with various other IP issues related to their projects.

LWM: Black Duck is focused on helping accelerate the use of Linux and open source software in enterprises. Do you have any open source code or projects?
Not yet. Our intention over time is to do open source projects. We are proprietary today for a specific reason - integrity. We have to maintain the integrity of our KnowledgeBase and the integrity of our software because we have to have one consistent KnowledgeBase that we control. But there are information services that we will offer in the future that will be open source. Our goal is to offer a wide variety of information services.

LWM: What is your interaction with the Linux and open source communities?
We keep in touch with the leading standards bodies such as the Free Software Foundation, OSDL, and with the Linux distributors. We just started shipping our first release in late May. That's when we began intensive business development activities. We just had an announcement with Red Hat and other announcements with Linux distributors are forthcoming. The bottom line is that Black Duck Software is a neutral, trusted third party. We work with everybody.

LWM: Do you have any final comments?
Yes, I have a couple. I thought that the recent LinuxWorld in San Francisco represented another step forward in the maturation of the industry. The open source community may be emerging as a balanced party in the overall Linux world equation.I found this LinuxWorld to be a very open source-related show as opposed to previous shows that were very Linux centric. Many discussions/presentations at the show were about companies doing full and varied deployments of applications using Linux and open source software and it wasn't just about deployments at one or two big companies such as FedEx, Morgan Stanley, etc. Many, many different types of companies were talking about their production use of Linux and open source software.

More Stories By Bill Claybrook

Bill Claybrook is President of New River Marketing Research, a marketing research firm that focuses on Linux, open source software, and commercial grid computing. He performs primary research and helps marketing organizations plan for new product offerings and develop go-to-market strategies, as well as develop marketing analysis content. Prior to entering commercial computing and marketing research, he was Associate Professor of Computer Science at Virginia Tech and the University of Connecticut, as well as Professor of Software Engineering at the Wang Institute of Software Engineering.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...