Open Source Cloud Authors: Liz McMillan, Zakia Bouachraoui, Pat Romanski, Elizabeth White, Yeshim Deniz

Related Topics: Linux Containers

Linux Containers: Article

Black Duck Software

What are they doing to support deployment of Linux and other open source software?

LWM's senior contributing analyst, Bill Claybrook, spoke with Doug Levin (CEO and president), Palle Pedersen (CTO), and Karen Faulds Copenhaver (executive VP and general counsel) of Black Duck Software in Waltham, MA, about the company and their role in helping Linux and open source software succeed in the enterprise.

LWM: Doug, Palle, and Karen, thanks for talking with us. Doug, can you tell us when and why you founded Black Duck Software?
Doug Levin:
I started Black Duck Software about five months before SCO filed its lawsuit against IBM in March 2003 to address two primary concerns. First, I wanted to support the expanded use of Linux and open source software and accelerate the use of Linux and open source software, especially in corporations. Second, to save on software development costs, corporations need to reuse software. To do this they have to know something about the contents of the code since various people developed it, and features and functionality were added to it over time. I thought it was an important initiative to encourage reuse of software.

LWM: On your Web site, you describe Black Duck Software as an IP risk management company. Can you elaborate on that?
It's a combination of a couple of things. We enable people to deal with the issues of copyright infringement. We also offer support in the licensing of open source software and Linux distributions. Ultimately we are helping companies address the challenges of IP risk management, which is receiving a lot of focus following the Sarbanes-Oxley Act of 2002 - legislation affecting corporate governance, business controls, financial disclosure, etc.

LWM: Do people come to you to talk just about open source licensing?
Our Black Duck protexIP/development information service can be used in three areas, one of which is as a license management system for all open source licenses and combinations of proprietary and open source licenses - independent of the other things that we address. We also have companies using it as a development management system to provide an audit trail for both U.S.-based soft-ware developers and outsourced soft-ware developers in countries where there is not as much respect for IP as there is in the U.S. The third area is in due diligence of technology to review content and license compliance prior to acquisition.


LWM: You're experts in open source licensing. Do you handle all open source licenses with your software?
We have 160 open source licenses in our KnowledgeBase that we track, including 53 from theOSI.org Web site. There are many others that people have created in one form or another. Part of our Black Duck protexIP/development information service involves providing our customers with updates to the licenses database in the KnowledgeBase.

LWM: Who are your targeted customers?
We target large enterprises, including large hardware/software vendors and governments that are currently using (or have a desire to use) open source software and Linux and have a desire to use more.

LWM: With so many open source licenses and so much open source code on the Web, it's difficult to deal with complicated licensing compatibility issues when combining open source software from various sources. How does Black Duck software help developers?
Palle Pedersen:
Our Black Duck protexIP/development information service is designed to help a development team work together to manage IP and licensing compliance. When it's integrated into existing development tools, it applies IP management best practices throughout the development life cycle - from the concept phase to ready to ship.

Throughout the development process, Black Duck protexIP/development helps developers monitor and track their source code, including identifying where the code came from. It automatically recognizes when any of thousands of open source programs, even small blocks of code, are inserted into the source code. It does this by comparing the inserted code with the open source code represented in our KnowledgeBase. If there is an issue, the service informs users and managers and creates a list of code combination conflicts that need to be remedied by developers or cleared by the company's legal counsel.

The information service can be used even if it's not integrated into development tools. Developers can periodically run their code against the open source code in the Black Duck KnowledgeBase to determine if there are potential conflicts and potential licensing issues. At the end of development, the information service aids the legal staff in license validation before the product is shipped. The other information service, Black Duck protexIP/registry, allows users of protexIP/development the opportunity to follow a registration procedure and enroll their code in the Black Duck protexIP/registry. By participating in the Black Duck Registration program, developers can provide assurance to their customers and insurers that they adhere to best practices for protecting IP.

LWM: Can you briefly describe the Black Duck KnowledgeBase?
KnowledgeBase contains in-depth information about open source licenses. The information services that we just discussed use this database to automatically review code modules and their licenses. Our lawyers and technologists have developed proprietary methods of making software licenses machine-readable. KnowledgeBase also has a database of about 35GB of representations of open source code in it, against which we can compare customer code during the development process to detect various code and licensing conflicts. To create the database, we created something that we refer to as CodePrint technology. This technology is applied to all known open source software projects in various repositories on the Internet to create the CodePrint database within the KnowledgeBase. Source code is categorized according to the applicable licensing element. There is currently no proprietary code in the KnowledgeBase. Customers can add their own code, and they can add third-party code if they have a source license for it.

LWM: Today you can scan source code and compare it to the open source code in your KnowledgeBase. Can you scan and compare binary code?
Today, we can scan source code only; however, a future version of Black Duck protexIP/development will be able to look at binary code as well.

LWM: How would a company such as IBM with a lot of proprietary code use your Black Duck protexIP/development information service?
They could use it in the ways we talked about earlier to determine if open source code has crept into one of their packaged software products, such as AIX. They could also use it to determine if and where Linux and AIX share source code, but they would still have to manually determine whether such source code originally came from Linux, AIX, or another project or product. For future products, they could use protexIP/development during the development process to help address questions about source code origin. Their Global Services consulting organization could use Black Duck to assist their customers in the management of software development projects to uncover instances of intentional or accidental open source code insertions.

LWM: I've been waiting to ask this question since we started talking. Could your products be used in the SCO/IBM lawsuit?
Karen Copenhaver:
The lawsuit is a two-party contractual disagreement and within it there are many claims and one small part of it is related to copyright infringement. Many of the code complaints/issues are related to proprietary two-party code exchanges between IBM, SCO, Novell, and others, and we have no knowledge of them. The lawsuit is trying to track many different sources of code through many different paths to determine origins. The Black Duck technology might provide a useful tool for lawyers to keep track of source code and to trace code sources.

LWM: The Open Source Risk Management (OSRM) company that indemnifies its customers against patent infringement claims says that Linux code may infringe on 283 patents - 60 owned by IBM and 27 owned by Microsoft. I have not seen a description of these patents, but it seems that this review of patents has instilled fear into potential Linux and open source customers. What is your view of this?
OSRM is dealing with completely different issues than we are. We deal with copyright issues, and they are focused on bringing the community together to share in the risk of patent infringement. We are interested in reducing the risk of copyright infringement claims by allowing people to manage the use of copyrighted materials.

LWM: Can you help alleviate some of these fears?
Simply put, we encourage the use of open source software by helping companies manage some of the issues related to copyright infringement and license compliance in code that is being developed in the U.S. as well as being outsourced abroad. We do not address patents. We differ from OSRM and want to avoid contributing to fear or the other elements of doubt that OSRM may have caused by announcing potential litigation related to patents.

LWM: A number of proprietary software companies have been (or are contemplating) open sourcing some of their code. What help can you be to these companies?
There are two types of people who we can help in this instance - end users and vendors. We can help end users via our registry service that we talked about earlier, and we can help vendors with the internal management of their software projects, with copyright and license compliance and with various other IP issues related to their projects.

LWM: Black Duck is focused on helping accelerate the use of Linux and open source software in enterprises. Do you have any open source code or projects?
Not yet. Our intention over time is to do open source projects. We are proprietary today for a specific reason - integrity. We have to maintain the integrity of our KnowledgeBase and the integrity of our software because we have to have one consistent KnowledgeBase that we control. But there are information services that we will offer in the future that will be open source. Our goal is to offer a wide variety of information services.

LWM: What is your interaction with the Linux and open source communities?
We keep in touch with the leading standards bodies such as the Free Software Foundation, OSDL, and with the Linux distributors. We just started shipping our first release in late May. That's when we began intensive business development activities. We just had an announcement with Red Hat and other announcements with Linux distributors are forthcoming. The bottom line is that Black Duck Software is a neutral, trusted third party. We work with everybody.

LWM: Do you have any final comments?
Yes, I have a couple. I thought that the recent LinuxWorld in San Francisco represented another step forward in the maturation of the industry. The open source community may be emerging as a balanced party in the overall Linux world equation.I found this LinuxWorld to be a very open source-related show as opposed to previous shows that were very Linux centric. Many discussions/presentations at the show were about companies doing full and varied deployments of applications using Linux and open source software and it wasn't just about deployments at one or two big companies such as FedEx, Morgan Stanley, etc. Many, many different types of companies were talking about their production use of Linux and open source software.

More Stories By Bill Claybrook

Bill Claybrook is President of New River Marketing Research, a marketing research firm that focuses on Linux, open source software, and commercial grid computing. He performs primary research and helps marketing organizations plan for new product offerings and develop go-to-market strategies, as well as develop marketing analysis content. Prior to entering commercial computing and marketing research, he was Associate Professor of Computer Science at Virginia Tech and the University of Connecticut, as well as Professor of Software Engineering at the Wang Institute of Software Engineering.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.