The Open-Source Detector

Posted by timothy on Wed May 04, 2005 07:25 AM
from the lie-detection dept.
McDutchie writes "With open-source related lawsuits on the rise, a market is developing for automated tools that detect the presence of open-source code within larger application development environments. Palamida Inc. stepped in with IP Amplifier 3.0, essentially a search tool and a database that consists of more than 38 million of the most commonly used open-source files. Something Google-inspired called CodeRank is claimed to match code against the database. Hmm... maybe someone should run it on this, or even this." Of course, some open source code is perfectly welcome in commercial software, even if that software's code is not itself open; it's no secret or surprise that Microsoft, for instance, has taken advantage in some products of BSD-licensed code.

  • I wonder... (Score:4, Interesting)

    by 0x461FAB0BD7D2 (812236) on Wednesday May 04 2005, @07:38AM (#12430654) Journal
    Could this tool be used in reverse?

    For example, one could write a bug-filled line of code, perhaps something with a buffer-overflow. This could then be matched with open-source projects and projects with buffer overflows are found. Of course, this could also be used to find vulnerabilities and so on.
    • Re:I wonder... (Score:5, Insightful)

      by FidelCatsro (861135) <fidelcatsro@@@gmail...com> on Wednesday May 04 2005, @08:03AM (#12430831) Journal
      Glad to know I'm not the only one worrying about this. The tool has an annual use fee in the tens of thousands; now, the only people using this are not going to be companies who worry that GPL code may slip in (most will have a fairly good clue if it has and not want it publicised), it's going to be people who want to try and make some money with patent litigation.
      [ Parent ]
        • Re:I wonder... (Score:5, Informative)

          by McDutchie (151611) on Wednesday May 04 2005, @08:28AM (#12431021) Homepage
          My employer already uses an internally-developed GPL-scanner tool which is required to be run across all sources before we release a new product version. The company also requires all developers to take yearly training on the issues of OSS and GPL. We do support the ideas of OSS and GPL, and put out OSS offerings of our own, but it would be financially devastating to us if our commercial products were forced to be open-sourced.

          It's a widespread and unfortunate myth that your product automatically becomes subject to the GPL if you (accidentally or otherwise) violate the GPL by including GPL'ed code. In such a case, a copyright violation has been committed and you have to remove the code in question, and possibly pay damages -- but your product will not become open source (unless, of course, you choose to make it open source as a way of remedying the license violation).

          [ Parent ]
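The pre-release scan McDutchie describes can be built on source fingerprinting. The following is an added example, not Palamida's, Slashdot's or any employer's code: a winnowing-style scanner that indexes reference files and reports which of them a scanned file shares code with. The reference routine, its renamed copy and the unrelated file are constructed samples, and the identifier-to-ID normalisation is an assumption about how such a scanner works, not something the story states.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple
# Winnowing parameters: any shared run of at least K + WINDOW - 1 normalised
# tokens is guaranteed to share at least one selected fingerprint.
K, WINDOW = 5, 4
KEYWORDS = {"if", "else", "for", "while", "do", "return", "break", "switch", "case",
            "int", "char", "void", "unsigned", "const", "static", "struct"}
TOKEN_RE = re.compile(r"0x[0-9A-Fa-f]+|\d+|[A-Za-z_]\w*|[^\s\w]")

def normalise(src: str) -> List[str]:
    """Drop comments; map identifiers to ID and literals to NUM (assumed normalisation)."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", " ", src, flags=re.S)
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok[0].isdigit():
            out.append("NUM")            # numeric literal, hex included
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok if tok in KEYWORDS else "ID")   # rename-resistant
        else:
            out.append(tok)              # operators and punctuation keep code shape
    return out

def fingerprints(src: str) -> Set[int]:
    """Hash every K-gram of tokens, keep the minimum hash of each WINDOW-wide window."""
    toks = normalise(src)
    grams = [" ".join(toks[i:i + K]) for i in range(len(toks) - K + 1)]
    hashes = [int(hashlib.sha1(g.encode()).hexdigest()[:12], 16) for g in grams]
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}

class LicenseScanner:
    """Index of reference (e.g. GPL) files; scan() reports which ones a file shares code with."""
    def __init__(self) -> None:
        self.index: Dict[int, Set[str]] = {}   # fingerprint -> reference names
        self.size: Dict[str, int] = {}         # reference name -> fingerprint count

    def add_reference(self, name: str, src: str) -> None:
        fps = fingerprints(src)
        self.size[name] = len(fps)
        for fp in fps:
            self.index.setdefault(fp, set()).add(name)

    def scan(self, src: str, min_fraction: float = 0.2) -> List[Tuple[str, int, float]]:
        """(reference, shared fingerprints, fraction of the scanned file covered), strongest first."""
        fps = fingerprints(src)
        shared: Dict[str, int] = {}
        for fp in fps:
            for name in self.index.get(fp, ()):
                shared[name] = shared.get(name, 0) + 1
        hits = [(n, c, c / len(fps)) for n, c in shared.items() if c / len(fps) >= min_fraction]
        return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed samples (not real project code): a stand-in for a copyleft-licensed
# routine, the same routine after a rename pass, and unrelated code.
GPL_CRC = """static unsigned int crc_update(unsigned int crc, const unsigned char *buf, int len) {
    for (int i = 0; i < len; i++) { crc ^= buf[i];  /* table-less CRC-32 */
        for (int j = 0; j < 8; j++) crc = (crc >> 1) ^ (0xEDB88320 & -(crc & 1)); }
    return crc; }"""
RENAMED = GPL_CRC.replace("crc_update", "cksum_step").replace("buf", "data").replace("len", "n")
UNRELATED = "int main(void) {\n    puts(\"hello\");\n    return 0;\n}\n"

def demo() -> List[Tuple[str, int, float]]:
    """Scan a file that buries the renamed routine inside unrelated code."""
    scanner = LicenseScanner()
    scanner.add_reference("gpl_crc.c", GPL_CRC)
    return scanner.scan(UNRELATED + RENAMED)
```

Because identifiers are normalised, generic boilerplate will always produce a trickle of weak matches, so a real scan needs a minimum shared count and manual review of each hit rather than treating the tool's output as a verdict.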
  • The BSD license argument (Score:5, Interesting)

    by marcovje (205102) on Wednesday May 04 2005, @07:41AM (#12430672)

    > Of course, some open source code is perfectly welcome in commercial software, even if that software's code is not itself open; it's no secret or surprise that Microsoft, for instance, has taken advantage in some products of BSD-licensed code.

    This example (socket code) often pops up, and is often used in GPL advocacy.

    Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even morally right for Microsoft to use this code.
  • high costs? (Score:4, Interesting)

    by moz25 (262020) on Wednesday May 04 2005, @07:43AM (#12430691) Homepage
    Palamida charges $50,000 to $250,000 for an annual subscription to IP Amplifier. Cost depends upon the size of the customer's development environment.

    That seems rather steep. Are they doing something really complicated or is this something that a well-maintained (open-source?) project could do? Of course they are storing a major amount of information (i.e. all of sourceforge/freshmeat).
    This might in fact be a feature that sourceforge might want to implement (for a fee): doing a search in their database.

    On the other hand, it might make more sense to check against proprietary source, data and images. They are, by their nature, harder to find.

    Also: when outsourcing parts of a project, wouldn't a contract have to state explicitly conditions such as not stealing/borrowing code from elsewhere? It would be a minimum requirement that the licensing of any (sub-)code would have to fit the overall product.
  • Be careful of FUD (Score:4, Insightful)

    by Anonymous Coward on Wednesday May 04 2005, @07:44AM (#12430699)
    The whole advantage of open source is you are not tied to the whims of the original developer.

    This seems to be a resurrection of an old attack strategy: pretend that open source is such a burdensome, onerous license that you have to hunt open source code down like a virus.

    It's not something to be encouraged!
  • sigh (Score:4, Insightful)

    by Turn-X Alphonse (789240) on Wednesday May 04 2005, @07:45AM (#12430700) Journal
    The whole concept of code seems to scream "Some will be the same". Very basic things will look very similar between several things and with the current "justice" system and ignorance of most people this is going to screw OSS.

    I just think it's pathetic that we live in an era where people trying to do something nice get stabbed in the back for it.
  • The company has some other business, such as outsourcing

    For companies engaging outsourced developers, Palamida:

    * Reduces your exposure to inadvertent IP risks. Take hold of software outsourcing by quickly assessing the origins of software IP sourced from contractors.
    * Helps the origins and ownership of third-party code.
    * Gets the most of out open source and externally developed tools.
    * Increases efficiency, consistency and understanding.
    Now it's wonderful that they help people get the most out of OSS software, but I don't like the fact they are making outsourcing easier. This is not so much a problem where I live, but in the USA, as I understand it, many people are losing their jobs in the tech industry thanks to companies trying to save a fair bit by outsourcing to cheaper areas.

    The Outsourcer: A Best-in-Class Tool for Best-in-Class Processes

    Outsourcers are playing an increasingly crucial role in global software development. Large, medium and small companies are looking to tap developers in the hopes of advancing their own software IP and business opportunities.

    Again, I wouldn't want to do business with a company that promotes this behaviour. I am all for globalisation, but not for screwing people over as the companies seek to hype profits by exploiting cheap labour, now safely, apparently. Perhaps I misunderstand the term outsourcing in this sense, though to me it always says "Contractors so we don't have to honour the workers' rights, locally or globally".

    For M&A teams, Palamida helps:

    * Identify and quantify IP issues early in the deal.
    * Improve certainty before closure, increasing your closure rate.
    * Reduce your legal exposure.
    * Immediately value software innovation and intellectual property.
    * Tap into the most up-to-date software IP database available.
    * Secure the best possible valuation.

    * Speed your assessment of open source and third-party code.
    Again, my second problem is the strong patent support here. It just makes me, as someone who uses and contributes to OSS, uneasy. (Just my opinion and how I feel, not a statement of fact.)

    IP Diligence, Compliance Enforced
    On to the legal section. Their business model is basically that of enforcing IP rights; sure, that may help us find companies abusing GPL code, but it also swings both ways and can open up a whole host of patent cases against GPL software.

    For counsel, Palamida:

    * Improves the timeliness and quality of legal diligence
    * Automates compliance processes.
    * Provides real time information on your code base.
    * Adapts to your business processes and workflow.
    Fair enough, this can be useful in this day and age, allowing you to pay them to make sure you're not infringing on any patents, but this just doesn't work on 90% of the OSS projects out there; I am betting it costs a fair whack. Most people using this on OSS are IMHO going to be looking to enforce a patent case à la SCO. The potential minefield here is not fun.

    For the open source community, Palamida:

    * Supports and evangelizes on the use of open source software.
    * Boosts productivity by spending time developing and not worrying.
    * Pushes forward in unison with legal and business staff.
    * Materially reduces open source compliance concerns.
    * Creates new business by proving the merits of open source technology
    Now that is a lot better; I can strongly respect what they are doing here. Still, I don't like that they keep harping on about IP compliance.

    I am probably just being paranoid an
  • by putko (753330) on Wednesday May 04 2005, @07:55AM (#12430777) Homepage Journal
    I worked at a ruthless company. Part of the culture was to get results as fast as possible and completely ignore things like licenses, rules and laws, if it helped to make money.

    We certainly would have violated the GPL in a second, given that one couldn't really prove damage to the other party (aging idealist hippies with beards who were naive enough to give away software with a silly "license").

    The ripoff of commercial software was driving me nuts though -- it seemed quite wrong, esp. given that we were raking in the dough and were not paying just because we could easily avoid it through technical measures.

    However, part of the "culture" was that we were so busy that we were sloppy about the misdeeds. We wouldn't have had time to cover our tracks.

    Such tools would have caught us, so I'm guessing such tools will lead to finding many similar violators.
  • by Pastis (145655) on Wednesday May 04 2005, @08:52AM (#12431241)
    this tool can help you to make sure you change the stolen implementation just enough so that the tool won't detect the similarities, giving you an approval stamp without too much work :)
    • by jdmetz (802257) on Wednesday May 04 2005, @07:33AM (#12430630) Homepage
      This tool is meant for commercial software companies to use, to ensure that they are not mistakenly using GPL code in their programs. It is not for open source developers to find misuses of their own code.
      [ Parent ]
      • by FooBarWidget (556006) on Wednesday May 04 2005, @07:43AM (#12430687)
        "Mistakenly using GPL code"? How can anyone use GPL code on accident? You downloaded a tarball, you extracted it, you opened it in a text editor, you copied and pasted the code. And then you tell your boss that you did that "on accident"?
        Can anyone explain this to me?
        [ Parent ]
        • Simple... (Score:4, Insightful)

          by Kjella (173770) on Wednesday May 04 2005, @08:18AM (#12430947) Homepage
          ...seriously, have you looked at how well people respect copyright? Do you expect employees to cease being human when they walk in the door? All it takes is one worker to "download a tarball, extract it, open it in a text editor, copy and paste the code", then tell his boss the task is done.

          Kjella
          [ Parent ]
        • by mr_z_beeblebrox (591077) on Wednesday May 04 2005, @08:47AM (#12431200) Journal
          You downloaded a tarball, you extracted it, you opened it in a text editor, you copied and pasted the code. And then you tell your boss that you did that "on accident"? Can anyone explain this to me?

          Muscle memory?
          [ Parent ]
        • It's not as hard as you make out to use GPL code by accident, especially library code. Consider the plight of a poor developer, faced with unmeetable deadlines and a fire-breathing boss with a P45 waiting (I've been there, it happens).

          He needs to implement a specific piece of functionality and fast. He searches the web and finds some 'sample' code and thinks "just the job".

          Copy.. paste..

          You now have GPL code in your application, copied and pasted direct. Why? Malicious and callous hatred of free software? No, an accident. Carelessness. A quick fix in a tight spot.

          It happens. I've seen it.
          [ Parent ]
    • by Vo0k (760020) on Wednesday May 04 2005, @07:49AM (#12430738) Journal
      Except decrypting the code before running it takes a significant portion of CPU time, effectively making the "open source alternatives" much faster. Hiding, obscuring, obfuscating, all that creates a lot of overhead...

      And of course it can be done by examining the memory dump instead of executable file. It must be decrypted to run.
      [ Parent ]
    • Re:windows already has some (Score:4, Insightful)

      by Bill_the_Engineer (772575) on Wednesday May 04 2005, @07:33AM (#12430631)
      Why hasn't anyone gone after MS for this?

      You have confused Open Source with GPL. There is nothing wrong with using Open Source in applications as long as the license permits it.

      Why should Microsoft be singled out for it? Especially when we had people taking GPL'ed code and selling it as closed source...

      [ Parent ]
      • Re:windows already has some (Score:4, Informative)

        by FidelCatsro (861135) <fidelcatsro@@@gmail...com> on Wednesday May 04 2005, @07:55AM (#12430784) Journal
        Actually that's a bit wrong; the nature of the BSD license allows people to do what the hell they want with it, so in essence you can't abuse the BSD license.
        This is why some people love the BSD license, as they see it as total freedom, and I have much respect for it myself.
        I just prefer the GPL way, as we get back any changes and that's guaranteed by the license (if the software is released; I believe it's OK not to feed back the changes if it's an internal tool only).
        [ Parent ]
              • Re:windows already has some (Score:4, Insightful)

                by shrykk (747039) on Wednesday May 04 2005, @08:25AM (#12431011)
                The GPL is less free than BSD because it does not grant the licensee as many freedoms.

                No, the GPL is more free because it does not permit anyone to take away anyone else's freedom. Say I write some GPL code. You are free to use it, modify it, sell it if you want, but you may not tell any later user or developer that they can't enjoy the same freedoms you have enjoyed.

                Scenario 1: Person A writes some GPL code. Person B uses it and modifies it, and releases the code. Everyone else is free to use that code as they wish, as long as they don't try to restrict anyone else's rights.
                Scenario 2: Person A writes some BSD-licensed code. Person B uses it, modifies it and starts selling it as a shrink-wrapped product. All his users are restricted by EULAs. They can't have the source code, they can't legally share the program, and they're stuck if B discontinues the product.

                In which scenario do you think the licensees have more freedom? It's free as in liberty, not free as in 'free ride'.
                [ Parent ]
                • Re:windows already has some (Score:4, Insightful)

                  by cortana (588495) <`sam' `at' `robots.org.uk'> on Wednesday May 04 2005, @08:38AM (#12431111) Homepage
                  The reason I said "regardless of whether you think it is good or bad" was to ignore discussions such as this.

                  It is very simple: the BSD license is more free, because it grants more freedoms.

                  Yes, to take this to its logical extreme means that anarchy is maximum freedom. No, this would not be a good thing; but by trying to argue that the GPL is more free (when you should have said that it is better for the user of Person A's software) you have already accepted that unlimited freedom isn't such a good thing anyway.
                  [ Parent ]
    • Re:No Guarantee Against reimplementation (Score:5, Informative)

      by Speare (84249) on Wednesday May 04 2005, @07:41AM (#12430673) Homepage
      This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas.

      Um, last time I checked, this is a quite reasonable approach. You can paraphrase your book report in school, you can paraphrase your predecessor's speech, you can take photographs from famous vistas, and you can rewrite your own closed code inspired from Open Source algorithms.

      Source code is protected by copyright-- that is, literal or near-literal copies containing the essence of expression. Open Source code doesn't require that reverse engineering must be done in a clinical clean-room black-box methodology. That's kinda the POINT of Open Source: show people how it's done.

      [ Parent ]
        • Re:No Guarantee Against reimplementation (Score:4, Informative)

          by mzwaterski (802371) on Wednesday May 04 2005, @09:01AM (#12431313)
          For students, paraphrasing is a part of learning. If you can read something that someone else wrote and rewrite it in your own words you probably know the material. If you go and photocopy a page in a book all you've learned is how to make photocopies.

          Further, not everything that takes time is wasteful. Copyright is intended to protect the expression of ideas, not the underlying ideas. Thus, you don't protect the idea of love or even the words I love you, but you can protect the expression of love and the words I love you in the context of lyrics to a song possibly with a musical score.

          [ Parent ]
    • by Anonymous Coward on Wednesday May 04 2005, @07:46AM (#12430711)
      > This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas.

      What the fuck are you talking about ?

      GPL is based on copyright. You can't copy/paste the code.

      Re-implementing the algos is fine, and always has been.

      It is 100% FUD to pretend that code becomes tainted because you looked at GPL source. Don't spread this. Microsoft would LOVE people to believe that. It would end up like this in interviews:

      - Did you contribute to an open-source project?
      - Well, I once fixed a bug in mozilla
      - Sorry, our lawyers said we can't hire you
      - Why?
      - You would contaminate our IP

      Repeat after me. GPL is COPYRIGHT. There is no IP involved. There have NEVER been.
      [ Parent ]
        • Re:No Guarantee Against reimplementation (Score:4, Interesting)

          by tolan-b (230077) on Wednesday May 04 2005, @08:23AM (#12430987)
          As far as I understand it, the GPL has a clause saying that any patents that cover the code being distributed must be licensed for everyone's free use. That's not the case with Microsoft's shared source.
          [ Parent ]
    • by MartinG (52587) on Wednesday May 04 2005, @07:55AM (#12430783) Homepage Journal
      This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas.

      Good. So long as all they are doing is gathering ideas there is nothing wrong with that. It's like me reading Harry Potter and then writing a book about wizards. Of course I should be allowed to.

      Next you'll be telling us that someone could just look at an application working and then write their own implementation incorporating some of the same ideas. Should they be stopped from that as well? Oh wait, they can be. That's what software patents are often used for.
      [ Parent ]