Black Duck Software

What are they doing to support deployment of Linux and other open source software?

LWM's senior contributing analyst, Bill Claybrook, spoke with Doug Levin (CEO and president), Palle Pedersen (CTO), and Karen Faulds Copenhaver (executive VP and general counsel) of Black Duck Software in Waltham, MA, about the company and their role in helping Linux and open source software succeed in the enterprise.

LWM: Doug, Palle, and Karen, thanks for talking with us. Doug, can you tell us when and why you founded Black Duck Software?
Doug Levin:
I started Black Duck Software about five months before SCO filed its lawsuit against IBM in March 2003 to address two primary concerns. First, I wanted to support the expanded use of Linux and open source software and accelerate the use of Linux and open source software, especially in corporations. Second, to save on software development costs, corporations need to reuse software. To do this they have to know something about the contents of the code since various people developed it, and features and functionality were added to it over time. I thought it was an important initiative to encourage reuse of software.

LWM: On your Web site, you describe Black Duck Software as an IP risk management company. Can you elaborate on that?
It's a combination of a couple of things. We enable people to deal with the issues of copyright infringement. We also offer support in the licensing of open source software and Linux distributions. Ultimately we are helping companies address the challenges of IP risk management, which is receiving a lot of focus following the Sarbanes-Oxley Act of 2002 - legislation affecting corporate governance, business controls, financial disclosure, etc.

LWM: Do people come to you to talk just about open source licensing?
Our Black Duck protexIP/development information service can be used in three areas, one of which is as a license management system for all open source licenses and combinations of proprietary and open source licenses - independent of the other things that we address. We also have companies using it as a development management system to provide an audit trail for both U.S.-based software developers and outsourced software developers in countries where there is not as much respect for IP as there is in the U.S. The third area is in due diligence of technology to review content and license compliance prior to acquisition.


LWM: You're experts in open source licensing. Do you handle all open source licenses with your software?
We have 160 open source licenses in our KnowledgeBase that we track, including 53 from the OSI.org Web site. There are many others that people have created in one form or another. Part of our Black Duck protexIP/development information service involves providing our customers with updates to the licenses database in the KnowledgeBase.

LWM: Who are your targeted customers?
We target large enterprises, including large hardware/software vendors and governments that are currently using (or have a desire to use) open source software and Linux and have a desire to use more.

LWM: With so many open source licenses and so much open source code on the Web, it's difficult to deal with complicated licensing compatibility issues when combining open source software from various sources. How does Black Duck software help developers?
Palle Pedersen:
Our Black Duck protexIP/development information service is designed to help a development team work together to manage IP and licensing compliance. When it's integrated into existing development tools, it applies IP management best practices throughout the development life cycle - from the concept phase to ready to ship.

Throughout the development process, Black Duck protexIP/development helps developers monitor and track their source code, including identifying where the code came from. It automatically recognizes when any of thousands of open source programs, even small blocks of code, are inserted into the source code. It does this by comparing the inserted code with the open source code represented in our KnowledgeBase. If there is an issue, the service informs users and managers and creates a list of code combination conflicts that need to be remedied by developers or cleared by the company's legal counsel.

The information service can be used even if it's not integrated into development tools. Developers can periodically run their code against the open source code in the Black Duck KnowledgeBase to determine if there are potential conflicts and potential licensing issues. At the end of development, the information service aids the legal staff in license validation before the product is shipped. The other information service, Black Duck protexIP/registry, allows users of protexIP/development the opportunity to follow a registration procedure and enroll their code in the Black Duck protexIP/registry. By participating in the Black Duck Registration program, developers can provide assurance to their customers and insurers that they adhere to best practices for protecting IP.

LWM: Can you briefly describe the Black Duck KnowledgeBase?
KnowledgeBase contains in-depth information about open source licenses. The information services that we just discussed use this database to automatically review code modules and their licenses. Our lawyers and technologists have developed proprietary methods of making software licenses machine-readable. KnowledgeBase also has a database of about 35GB of representations of open source code in it, against which we can compare customer code during the development process to detect various code and licensing conflicts. To create the database, we created something that we refer to as CodePrint technology. This technology is applied to all known open source software projects in various repositories on the Internet to create the CodePrint database within the KnowledgeBase. Source code is categorized according to the applicable licensing element. There is currently no proprietary code in the KnowledgeBase. Customers can add their own code, and they can add third-party code if they have a source license for it.

LWM: Today you can scan source code and compare it to the open source code in your KnowledgeBase. Can you scan and compare binary code?
Today, we can scan source code only; however, a future version of Black Duck protexIP/development will be able to look at binary code as well.

LWM: How would a company such as IBM with a lot of proprietary code use your Black Duck protexIP/development information service?
They could use it in the ways we talked about earlier to determine if open source code has crept into one of their packaged software products, such as AIX. They could also use it to determine if and where Linux and AIX share source code, but they would still have to manually determine whether such source code originally came from Linux, AIX, or another project or product. For future products, they could use protexIP/development during the development process to help address questions about source code origin. Their Global Services consulting organization could use Black Duck to assist their customers in the management of software development projects to uncover instances of intentional or accidental open source code insertions.

LWM: I've been waiting to ask this question since we started talking. Could your products be used in the SCO/IBM lawsuit?
Karen Copenhaver:
The lawsuit is a two-party contractual disagreement and within it there are many claims and one small part of it is related to copyright infringement. Many of the code complaints/issues are related to proprietary two-party code exchanges between IBM, SCO, Novell, and others, and we have no knowledge of them. The lawsuit is trying to track many different sources of code through many different paths to determine origins. The Black Duck technology might provide a useful tool for lawyers to keep track of source code and to trace code sources.

LWM: The Open Source Risk Management (OSRM) company that indemnifies its customers against patent infringement claims says that Linux code may infringe on 283 patents - 60 owned by IBM and 27 owned by Microsoft. I have not seen a description of these patents, but it seems that this review of patents has instilled fear into potential Linux and open source customers. What is your view of this?
OSRM is dealing with completely different issues than we are. We deal with copyright issues, and they are focused on bringing the community together to share in the risk of patent infringement. We are interested in reducing the risk of copyright infringement claims by allowing people to manage the use of copyrighted materials.

LWM: Can you help alleviate some of these fears?
Simply put, we encourage the use of open source software by helping companies manage some of the issues related to copyright infringement and license compliance in code that is being developed in the U.S. as well as being outsourced abroad. We do not address patents. We differ from OSRM and want to avoid contributing to fear or the other elements of doubt that OSRM may have caused by announcing potential litigation related to patents.

LWM: A number of proprietary software companies have been (or are contemplating) open sourcing some of their code. What help can you be to these companies?
There are two types of people who we can help in this instance - end users and vendors. We can help end users via our registry service that we talked about earlier, and we can help vendors with the internal management of their software projects, with copyright and license compliance and with various other IP issues related to their projects.

LWM: Black Duck is focused on helping accelerate the use of Linux and open source software in enterprises. Do you have any open source code or projects?
Not yet. Our intention over time is to do open source projects. We are proprietary today for a specific reason - integrity. We have to maintain the integrity of our KnowledgeBase and the integrity of our software because we have to have one consistent KnowledgeBase that we control. But there are information services that we will offer in the future that will be open source. Our goal is to offer a wide variety of information services.

LWM: What is your interaction with the Linux and open source communities?
We keep in touch with the leading standards bodies such as the Free Software Foundation, OSDL, and with the Linux distributors. We just started shipping our first release in late May. That's when we began intensive business development activities. We just had an announcement with Red Hat and other announcements with Linux distributors are forthcoming. The bottom line is that Black Duck Software is a neutral, trusted third party. We work with everybody.

LWM: Do you have any final comments?
Yes, I have a couple. I thought that the recent LinuxWorld in San Francisco represented another step forward in the maturation of the industry. The open source community may be emerging as a balanced party in the overall Linux world equation. I found this LinuxWorld to be a very open source-related show as opposed to previous shows that were very Linux centric. Many discussions/presentations at the show were about companies doing full and varied deployments of applications using Linux and open source software and it wasn't just about deployments at one or two big companies such as FedEx, Morgan Stanley, etc. Many, many different types of companies were talking about their production use of Linux and open source software.

More Stories By Bill Claybrook

Bill Claybrook is President of New River Marketing Research, a marketing research firm that focuses on Linux, open source software, and commercial grid computing. He performs primary research and helps marketing organizations plan for new product offerings and develop go-to-market strategies, as well as develop marketing analysis content. Prior to entering commercial computing and marketing research, he was Associate Professor of Computer Science at Virginia Tech and the University of Connecticut, as well as Professor of Software Engineering at the Wang Institute of Software Engineering.
