Open Source Cloud Authors: Pat Romanski, Elizabeth White, Yeshim Deniz, Harry Trott, Liz McMillan

Related Topics: Linux Containers

Linux Containers: Article

Black Duck Software

What are they doing to support deployment of Linux and other open source software?

LWM's senior contributing analyst, Bill Claybrook, spoke with Doug Levin (CEO and president), Palle Pedersen (CTO), and Karen Faulds Copenhaver (executive VP and general counsel) of Black Duck Software in Waltham, MA, about the company and their role in helping Linux and open source software succeed in the enterprise.

LWM: Doug, Palle, and Karen, thanks for talking with us. Doug, can you tell us when and why you founded Black Duck Software?
Doug Levin:
I started Black Duck Software about five months before SCO filed its lawsuit against IBM in March 2003 to address two primary concerns. First, I wanted to support the expanded use of Linux and open source software and accelerate the use of Linux and open source software, especially in corporations. Second, to save on software development costs, corporations need to reuse software. To do this they have to know something about the contents of the code since various people developed it, and features and functionality were added to it over time. I thought it was an important initiative to encourage reuse of software.

LWM: On your Web site, you describe Black Duck Software as an IP risk management company. Can you elaborate on that?
It's a combination of a couple of things. We enable people to deal with the issues of copyright infringement. We also offer support in the licensing of open source software and Linux distributions. Ultimately we are helping companies address the challenges of IP risk management, which is receiving a lot of focus following the Sarbanes-Oxley Act of 2002 - legislation affecting corporate governance, business controls, financial disclosure, etc.

LWM: Do people come to you to talk just about open source licensing?
Our Black Duck protexIP/development information service can be used in three areas, one of which is as a license management system for all open source licenses and combinations of proprietary and open source licenses - independent of the other things that we address. We also have companies using it as a development management system to provide an audit trail for both U.S.-based soft-ware developers and outsourced soft-ware developers in countries where there is not as much respect for IP as there is in the U.S. The third area is in due diligence of technology to review content and license compliance prior to acquisition.


LWM: You're experts in open source licensing. Do you handle all open source licenses with your software?
We have 160 open source licenses in our KnowledgeBase that we track, including 53 from theOSI.org Web site. There are many others that people have created in one form or another. Part of our Black Duck protexIP/development information service involves providing our customers with updates to the licenses database in the KnowledgeBase.

LWM: Who are your targeted customers?
We target large enterprises, including large hardware/software vendors and governments that are currently using (or have a desire to use) open source software and Linux and have a desire to use more.

LWM: With so many open source licenses and so much open source code on the Web, it's difficult to deal with complicated licensing compatibility issues when combining open source software from various sources. How does Black Duck software help developers?
Palle Pedersen:
Our Black Duck protexIP/development information service is designed to help a development team work together to manage IP and licensing compliance. When it's integrated into existing development tools, it applies IP management best practices throughout the development life cycle - from the concept phase to ready to ship.

Throughout the development process, Black Duck protexIP/development helps developers monitor and track their source code, including identifying where the code came from. It automatically recognizes when any of thousands of open source programs, even small blocks of code, are inserted into the source code. It does this by comparing the inserted code with the open source code represented in our KnowledgeBase. If there is an issue, the service informs users and managers and creates a list of code combination conflicts that need to be remedied by developers or cleared by the company's legal counsel.

The information service can be used even if it's not integrated into development tools. Developers can periodically run their code against the open source code in the Black Duck KnowledgeBase to determine if there are potential conflicts and potential licensing issues. At the end of development, the information service aids the legal staff in license validation before the product is shipped. The other information service, Black Duck protexIP/registry, allows users of protexIP/development the opportunity to follow a registration procedure and enroll their code in the Black Duck protexIP/registry. By participating in the Black Duck Registration program, developers can provide assurance to their customers and insurers that they adhere to best practices for protecting IP.

LWM: Can you briefly describe the Black Duck KnowledgeBase?
KnowledgeBase contains in-depth information about open source licenses. The information services that we just discussed use this database to automatically review code modules and their licenses. Our lawyers and technologists have developed proprietary methods of making software licenses machine-readable. KnowledgeBase also has a database of about 35GB of representations of open source code in it, against which we can compare customer code during the development process to detect various code and licensing conflicts. To create the database, we created something that we refer to as CodePrint technology. This technology is applied to all known open source software projects in various repositories on the Internet to create the CodePrint database within the KnowledgeBase. Source code is categorized according to the applicable licensing element. There is currently no proprietary code in the KnowledgeBase. Customers can add their own code, and they can add third-party code if they have a source license for it.

LWM: Today you can scan source code and compare it to the open source code in your KnowledgeBase. Can you scan and compare binary code?
Today, we can scan source code only; however, a future version of Black Duck protexIP/development will be able to look at binary code as well.

LWM: How would a company such as IBM with a lot of proprietary code use your Black Duck protexIP/development information service?
They could use it in the ways we talked about earlier to determine if open source code has crept into one of their packaged software products, such as AIX. They could also use it to determine if and where Linux and AIX share source code, but they would still have to manually determine whether such source code originally came from Linux, AIX, or another project or product. For future products, they could use protexIP/development during the development process to help address questions about source code origin. Their Global Services consulting organization could use Black Duck to assist their customers in the management of software development projects to uncover instances of intentional or accidental open source code insertions.

LWM: I've been waiting to ask this question since we started talking. Could your products be used in the SCO/IBM lawsuit?
Karen Copenhaver:
The lawsuit is a two-party contractual disagreement and within it there are many claims and one small part of it is related to copyright infringement. Many of the code complaints/issues are related to proprietary two-party code exchanges between IBM, SCO, Novell, and others, and we have no knowledge of them. The lawsuit is trying to track many different sources of code through many different paths to determine origins. The Black Duck technology might provide a useful tool for lawyers to keep track of source code and to trace code sources.

LWM: The Open Source Risk Management (OSRM) company that indemnifies its customers against patent infringement claims says that Linux code may infringe on 283 patents - 60 owned by IBM and 27 owned by Microsoft. I have not seen a description of these patents, but it seems that this review of patents has instilled fear into potential Linux and open source customers. What is your view of this?
OSRM is dealing with completely different issues than we are. We deal with copyright issues, and they are focused on bringing the community together to share in the risk of patent infringement. We are interested in reducing the risk of copyright infringement claims by allowing people to manage the use of copyrighted materials.

LWM: Can you help alleviate some of these fears?
Simply put, we encourage the use of open source software by helping companies manage some of the issues related to copyright infringement and license compliance in code that is being developed in the U.S. as well as being outsourced abroad. We do not address patents. We differ from OSRM and want to avoid contributing to fear or the other elements of doubt that OSRM may have caused by announcing potential litigation related to patents.

LWM: A number of proprietary software companies have been (or are contemplating) open sourcing some of their code. What help can you be to these companies?
There are two types of people who we can help in this instance - end users and vendors. We can help end users via our registry service that we talked about earlier, and we can help vendors with the internal management of their software projects, with copyright and license compliance and with various other IP issues related to their projects.

LWM: Black Duck is focused on helping accelerate the use of Linux and open source software in enterprises. Do you have any open source code or projects?
Not yet. Our intention over time is to do open source projects. We are proprietary today for a specific reason - integrity. We have to maintain the integrity of our KnowledgeBase and the integrity of our software because we have to have one consistent KnowledgeBase that we control. But there are information services that we will offer in the future that will be open source. Our goal is to offer a wide variety of information services.

LWM: What is your interaction with the Linux and open source communities?
We keep in touch with the leading standards bodies such as the Free Software Foundation, OSDL, and with the Linux distributors. We just started shipping our first release in late May. That's when we began intensive business development activities. We just had an announcement with Red Hat and other announcements with Linux distributors are forthcoming. The bottom line is that Black Duck Software is a neutral, trusted third party. We work with everybody.

LWM: Do you have any final comments?
Yes, I have a couple. I thought that the recent LinuxWorld in San Francisco represented another step forward in the maturation of the industry. The open source community may be emerging as a balanced party in the overall Linux world equation.I found this LinuxWorld to be a very open source-related show as opposed to previous shows that were very Linux centric. Many discussions/presentations at the show were about companies doing full and varied deployments of applications using Linux and open source software and it wasn't just about deployments at one or two big companies such as FedEx, Morgan Stanley, etc. Many, many different types of companies were talking about their production use of Linux and open source software.

More Stories By Bill Claybrook

Bill Claybrook is President of New River Marketing Research, a marketing research firm that focuses on Linux, open source software, and commercial grid computing. He performs primary research and helps marketing organizations plan for new product offerings and develop go-to-market strategies, as well as develop marketing analysis content. Prior to entering commercial computing and marketing research, he was Associate Professor of Computer Science at Virginia Tech and the University of Connecticut, as well as Professor of Software Engineering at the Wang Institute of Software Engineering.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
I think DevOps is now a rambunctious teenager - it's starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Major trends and emerging technologies – from virtual reality and IoT, to Big Data and algorithms – are helping organizations innovate in the digital era. However, to create real business value, IT must think beyond the ‘what’ of digital transformation to the ‘how’ to harness emerging trends, innovation and disruption. Architecture is the key that underpins and ties all these efforts together. In the digital age, it’s important to invest in architecture, extend the enterprise footprint to the cl...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessio...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
No hype cycles or predictions of zillions of things here. IoT is big. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, Associate Partner at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He discussed the evaluation of communication standards and IoT messaging protocols, data analytics considerations, edge-to-cloud tec...
Announcing Poland #DigitalTransformation Pavilion
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
CloudEXPO | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
The best way to leverage your CloudEXPO | DXWorldEXPO presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering CloudEXPO | DXWorldEXPO will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at CloudEXPO. Product announcements during our show provide your company with the most reach through our targeted audienc...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution. In his session at @ThingsExpo, Akvelon expert and IoT industry leader Sergey Grebnov provided an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
JETRO showcased Japan Digital Transformation Pavilion at SYS-CON's 21st International Cloud Expo® at the Santa Clara Convention Center in Santa Clara, CA. The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...