Open Source Licensing Detection Gets More Competitive
With the current economic recession, open source software is a route that some enterprise developers are increasingly considering as a lower-cost alterative to proprietary solutions. However, one of the potential issues with open source software adoption is license complianceensuring that developers and enterprises are not in violation with a particular license.
There are a few companies in the market today with solutions to help serve the need for open source license identification, including Black Duck, Palamida and now OpenLogic. The business itself is also evolving from just being about detecting licenses to becoming part of an entire open source software adoption lifecycle process.
OpenLogic is an open source stack and services support vendor. While it provides commercial support for open source softwaremost recently including the Red Hat Enterprise Linux clone, CentOSOpenLogic's flagship service is OpenLogic Exchange (OLEX), which enables enterprises to manage their open source usage.
This week, the company announced new OLEX services to provide license discovery and compliance.
Weins said the difficulty in license identification is that open source software is often bundled together in sophisticated ways. As a result, a single open source project can often have additionally open source projects inside of itwith bits of code inside that can all be under different licenses.
"It's not as simple as saying this particular application is licensed under Apache and being done with it," Weins said.
The issue has led to a number of high-profile legal spats over the last two years. For instance, the Software Freedom Law Center has settled out-of-court disputes with at least four different vendors over license violation issues that arose because of open source code buried with their software.
The business of license identification is one that Black Duck software has been involved in since 2002. For CEO Tim Yeaton, it's a business that has evolved over the last few years to be about more than just license identification.
"We've expanded our capabilities from just being a compliance platform to being a full-on, open source lifecycle adoption platform," Yeaton said. "We enable customers to search and select open source components, validate them against their process, put in workflows to automate polices, catalogue the resulting components and then attach them directly to their existing development infrastructure."
Black Duck began its broader lifecycle adoption effort nearly two years ago with the launch of its Code Center application.
OpenLogic's Weins said she felt her company could offer a new competitive choice by producing fewer false positives than rivals. She also added that OpenLogic's new services are cloud-focused and leverage the power of Hadoop open source technology to deliver fast, accurate scans.
Black Duck's Yeaton noted that his company has hosted and Software-as-a-Service offerings. He added that his concern is false negatives more so than false positives.
"If you've built a quality tool, done right, there is no such thing as a false positivethere are only things that you'd rather not see because they create noise," Yeaton said, adding that scans can produce a lot of granular information that a user may not want or need.
He also said that Black Duck has filtering and automation features that lets users customize the information returned from a compliance scan, though they're not enabled by default.
"The way we built our product and the way it's deployed by default is that it provides access to all the information," Yeaton said. "So shame on us for not helping customers upfront to filter. We are getting smarter to help customers to configure their systems."
But Yeaton said the real issue for him is false negativesthat is, code that isn't detected.
"There is clutter, because you got more information than you want, but you can turn on a filter," he said. "But there is real corporate risk of a false negative ... you don't find something that you're supposed to."