Feeds

Software compliance is not just about licensing

What about reusable code?

New hybrid storage solutions

Comment For many companies, software compliance is just about making sure that all copies of a particular application in use have a valid vendor licence.

There's plenty of software around to try and ensure that all licences are valid and all users covered, to stop organisations like the Federation Against Software Theft (FAST) from claiming damages on behalf of its members for fraudulent use.

However, something that is far more insidious and dangerous is being seen as developers start to use chunks of reusable code in creating their own applications, composite applications and mash-ups.

The problem lies within the various licencing agreements that there are around software made available for public usage. As well as the main ones, such as the General Public Licence (GPL), the Apache Software Licence (ASL), and the Eclipse Public Licence (EPL), there's a whole host of others, such as the Common Development and Distribution Licence (CDDL), the Fair Licence, and the Beer Licence (where you undertake to buy the licensor a beer if you ever meet him).

The majority of the public use licences are not particularly restrictive, but there are conditions in some of them which can lead to nightmares for companies further down the line.

Let us take as an example the GPL licence in its current version 2 form. Essentially, under section 2 of the Terms and Conditions of Copying, Distribution and Modification, if you happen to utilise a piece of code that has been distributed under the GPL - just one piece - then the whole of the final released code that includes that GPL code in it also has to be distributed under the GPL.

Consider the ramifications of this - as a commercial entity, you want to create functional software as rapidly as possible. Functions which are deemed as "commodity" are available from the web, and it makes sense to utilise these functions to speed up overall development. Your developers then come up with the next "killer application", and you start selling it on the open market.

Just as you're going for IPO, someone in the community points out that 100 lines of code used within your one million lines were licenced under the GPL. All of a sudden, all your 1 million lines of code have to be covered by GPL - the code has to be made available to anyone, and you cannot apply restrictions on the redistribution of such code - or its modification. You still own the copyright - but that's no use when your customer base and those who you were hoping would invest in you are deserting you in droves.

Even if you are in the open source movement yourself, you may want to utilise a different licence for the final code - but you may find that you are forced into a specific one through the code chunks that have been utilised in one part of the overall application. As the move towards utilising more of these publically available pieces of functional code to speed up development accelerates, there's the risk that we spend more time either checking through all the different licences that have been used - or fighting various actions in court.

So, what can be done? Prevent your developers from using pre-written reusable code chunks? Not really - such usage means that time to capability and to market is much enhanced. Ensure that all code is held against a copy of the licence, and then distribute each chunk under its own licence separately? Not viable, and anyway, the developers won't read the licences.

A small US company, Black Duck, seems to have a solution. It provides a capability for code to be searched at both a string matching level and at a pattern matching level to identify code that has come from an environment where the code is licenced. It can then flag all of these pieces of code and ensure that the developer or legal department is aware that this may raise issues.

The developer and/or organisation concerned can then make a decision as to how this is all rolled up - does the overall code go out under a specific licence, does the intellectual property code get packaged separately to the open code so as to maintain the fidelity of the commercial code, or is the code that has been utilised to be replaced with in-house code so as to by-pass the possible ramifications of the other licenced code?

All of these are valid options, and knowing what code is problematic, what all the various licences are, and what the ramifications are means that time to capability and market are not compromised, while the business value of the code is maximised. Also, end users are safeguarded against claims against licence misuse - a point that has taxed many who were originally caught up in SCO's patent and licence claims around Linux.

For many, running such a capability at the end of development may be sufficient, but Black Duck's tooling provides the best return by integrating it into the whole development process, so a licence audit trail can be kept - and so that any possible issues can be dealt with as soon as possible.

Black Duck could take this approach further to look at areas such as digital rights management (DRM) around picture, sound and video, increasingly sensitive areas as such content proliferates on the internet. Although the domain skills would need to be built up, the approach of scanning files for direct copyright notices and for pattern matching against known copyright content will be similar. That Black Duck has chosen to focus for the moment, and not to stretch itself too thin is probably sensible, but OEM deals for the underlying technology should not be too far off.

All told, the area is a minefield for the unwary. For software developers, whether in the ISV community, within end-user development groups or the open source community itself, such a facility has solid value, and a product like Black Duck's is well worth considering.

Copyright © 2007, Quocirca

New hybrid storage solutions

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.