
Black Duck - But No SCO (IT-Director)

Robin Bloor looks at Black Duck and other topics on IT-Director. "What the technology does is analyze source code and 'finger print' it. (To be precise, it maps the pattern of the code, but it's easier to think of it as a fingerprint). It can then look at code and determine its origin, with some degree of certainty. Even code that is not identical or partly rewritten can be identified. This is a useful capability because companies can 'black duck' the applications they've written and make sure that no code has been pilfered from SourceForge and added in, in violation of some Open Source license. (Black Duck has some customers that have had to do a little recoding because they discovered such chunks of code)."


Black Duck - But No SCO (IT-Director)

Posted Jul 11, 2005 21:19 UTC (Mon) by rm6990 (guest, #30921) [Link] (4 responses)

I don't understand something... they say they check to see if OSS code has been used in in-house applications. But doing so does not violate any licenses I am aware of, so why does it matter anyway?

Black Duck - But No SCO (IT-Director)

Posted Jul 11, 2005 21:30 UTC (Mon) by JoeBuck (guest, #2330) [Link] (3 responses)

Their target market appears to be companies that develop proprietary software and that don't trust their own employees' ethics or judgment. Presumably the company would then use Black Duck's tool to catch their own employees grabbing some free software off the net, stripping copyright notices off, and checking it in as their own work.

Black Duck - But No SCO (IT-Director)

Posted Jul 11, 2005 21:42 UTC (Mon) by rm6990 (guest, #30921) [Link] (2 responses)

It's useful for companies whose business is to write software. It's also useful for IT Departments that might like to know if Open Source has crept into their applications. It can also be used to test any code against any code, and thus the technology is often used under non-disclosure.

(Quoted from linked article)

Black Duck - But No SCO (IT-Director)

Posted Jul 12, 2005 0:55 UTC (Tue) by AnswerGuy (guest, #1256) [Link] (1 responses)

The earlier respondent's comment still stands. Companies are trying to find out if some of their programmers are unscrupulously merging open source code into their applications while claiming it as their own work (and presumably goofing off during all the time that they claim it took them to write it).

Also, a company that produces in-house applications still has a legitimate interest in ensuring that they own their code outright. They may eventually wish to turn it into a proprietary product for their business partners or even their competitors. (Sometimes companies migrate out of one business and into an ancillary business by shifting from a direct supplier into a niche that provides products or services to the suppliers.)

In any event, the product sounds interesting, though the technology sounds fairly similar to the sort of analysis required by anti-virus software for detecting polymorphic viruses.

(In both cases you want to detect an underlying constant, flows of execution or semantic patterns, even in the face of various forms of obfuscation: identifier renaming, conditional reversal, redundant extraneous conditionals, etc.)

The idea is to raise the bar so that plagiarists will have to do as much work to successfully obfuscate the stolen code as they would to just code up the implementation themselves.

JimD
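JimD's point above about detecting an "underlying constant" despite identifier renaming, and the article's claim that code which is "not identical or partly rewritten" can still be traced to its origin, as an added illustration that is neither Black Duck's code nor anything posted in this thread: a small token-normalised fingerprinter using winnowing (the MOSS technique of Schleimer, Wilkerson and Aiken). Names, numbers and strings are abstracted away before hashing, so a copy with renamed identifiers, rewritten literals and different comments or spacing yields the same token stream. The crc8 snippet, its renamed copy, the unrelated class, and the values of K, W and the report threshold are all constructed for this example. It deliberately does not address the conditional reversal or junk conditionals JimD also mentions; those need control-flow normalisation on top of token matching.

```python
# Added example, not Black Duck's code: token-normalised winnowing fingerprints
# (MOSS: Schleimer, Wilkerson and Aiken) that still match a routine copied with
# renamed identifiers and new comments.  K, W, threshold and samples are assumed.
import hashlib
import io
import keyword
import tokenize
from typing import Dict, List, Set, Tuple

K = 5  # tokens per k-gram (assumed; larger means fewer chance matches)
W = 4  # winnowing window (assumed; one fingerprint chosen per W grams)

def normalise_tokens(src: str) -> List[str]:
    """Python source -> tokens with names/literals abstracted to ID/NUM/STR.
    Keywords, operators, logical line ends and INDENT/DEDENT are kept (they
    carry control flow); comments, blank lines and spacing are dropped."""
    if not src.endswith("\n"):
        src += "\n"
    out: List[str] = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME:
            out.append(tok.string if keyword.iskeyword(tok.string) else "ID")
        elif tok.type == tokenize.NUMBER:
            out.append("NUM")
        elif tok.type == tokenize.STRING:
            out.append("STR")
        elif tok.type == tokenize.OP:
            out.append(tok.string)
        elif tok.type == tokenize.NEWLINE:
            out.append("NEWLINE")
        elif tok.type in (tokenize.INDENT, tokenize.DEDENT):
            out.append(tokenize.tok_name[tok.type])
        # COMMENT, NL, ENDMARKER and ENCODING are deliberately dropped
    return out

def kgram_hashes(tokens: List[str]) -> List[int]:
    """64-bit hash of every run of K consecutive normalised tokens."""
    return [int.from_bytes(hashlib.sha1(" ".join(tokens[i:i + K]).encode()).digest()[:8], "big")
            for i in range(len(tokens) - K + 1)]

def winnow(hashes: List[int]) -> Set[int]:
    """Minimum hash of each window of W hashes; any shared run of at least
    W + K - 1 tokens is guaranteed to leave at least one shared fingerprint."""
    if not hashes:
        return set()
    return {min(hashes[i:i + W]) for i in range(max(len(hashes) - W + 1, 1))}

def fingerprint(src: str) -> Set[int]:
    return winnow(kgram_hashes(normalise_tokens(src)))

def containment(reference: str, candidate: str) -> float:
    """Fraction of the reference's fingerprints present in the candidate
    (containment, not Jaccard: a snippet inside a large file should score high)."""
    ref, cand = fingerprint(reference), fingerprint(candidate)
    return len(ref & cand) / len(ref) if ref else 0.0

def scan(candidate: str, corpus: Dict[str, str], threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Corpus entries (name -> source) whose fingerprints appear in the candidate."""
    hits = [(name, round(containment(ref, candidate), 2)) for name, ref in corpus.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# --- constructed sample inputs, not real project code ------------------------
OSS_SNIPPET = '''
def crc8(data, poly=0x07):
    """Compute CRC-8 over a byte string."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ poly) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc
'''
# same routine with names changed, literals in decimal, docstring now a comment
INHOUSE_COPY = '''
def checksum(buf, p=7):
    # vendor checksum routine
    acc = 0
    for b in buf:
        acc ^= b
        for i in range(8):
            if acc & 128:
                acc = ((acc << 1) ^ p) & 255
            else:
                acc = (acc << 1) & 255
    return acc
'''
UNRELATED = '''
class Inventory:
    def add(self, name, qty):
        self.items[name] = self.items.get(name, 0) + qty
        return self.items[name]
'''

if __name__ == "__main__":
    corpus = {"crc8 (constructed OSS snippet)": OSS_SNIPPET}
    print("renamed copy:", scan(INHOUSE_COPY, corpus))  # reported above threshold
    print("unrelated   :", scan(UNRELATED, corpus))     # empty list
```

Containment is used rather than a symmetric similarity because the practical question is whether a known snippet sits somewhere inside a much larger application, not whether two files resemble each other overall. The normalised stream still leaks structural idioms (a `def` with two parameters, for instance), which is why short matches should be scored against a threshold rather than treated as proof; a real scan would also store fingerprints with positions so that a hit can be shown to a human as two side-by-side regions.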

Black Duck - But No SCO (IT-Director)

Posted Jul 12, 2005 2:00 UTC (Tue) by dmarti (subscriber, #11625) [Link]

Outsourcing could be another big area of concern here. If you hire an outside firm to develop something for you as a work for hire, it makes sense to make sure that you got your money's worth.

Black Duck - But No SCO (IT-Director)

Posted Jul 12, 2005 15:20 UTC (Tue) by cdmiller (guest, #2813) [Link]

So the obvious easy way out for companies is to adopt the use of a compatible open source license for their software, allowing the use of existing open source code bases.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds