LWM's senior contributing analyst, Bill Claybrook, spoke with Doug Levin (CEO and president), Palle Pedersen (CTO), and Karen Faulds Copenhaver (executive VP and general counsel) of Black Duck Software in Waltham, MA, about the company and their role in helping Linux and open source software succeed in the enterprise.

LWM: Doug, Palle, and Karen, thanks for talking with us. Doug, can you tell us when and why you founded Black Duck Software?
Doug Levin: I started Black Duck Software about five months before SCO filed its lawsuit against IBM in March 2003 to address two primary concerns. First, I wanted to support the expanded use of Linux and open source software and accelerate the use of Linux and open source software, especially in corporations. Second, to save on software development costs, corporations need to reuse software. To do this they have to know something about the contents of the code since various people developed it, and features and functionality were added to it over time. I thought it was an important initiative to encourage reuse of software.

LWM: On your Web site, you describe Black Duck Software as an IP risk management company. Can you elaborate on that?
Levin: It's a combination of a couple of things. We enable people to deal with the issues of copyright infringement. We also offer support in the licensing of open source software and Linux distributions. Ultimately we are helping companies address the challenges of IP risk management, which is receiving a lot of focus following the Sarbanes-Oxley Act of 2002 - legislation affecting corporate governance, business controls, financial disclosure, etc.

LWM: Do people come to you to talk just about open source licensing?
Levin: Our Black Duck protexIP/development information service can be used in three areas, one of which is as a license management system for all open source licenses and combinations of proprietary and open source licenses - independent of the other things that we address. We also have companies using it as a development management system to provide an audit trail for both U.S.-based soft-ware developers and outsourced soft-ware developers in countries where there is not as much respect for IP as there is in the U.S. The third area is in due diligence of technology to review content and license compliance prior to acquisition.

 

LWM: You're experts in open source licensing. Do you handle all open source licenses with your software?
Levin: We have 160 open source licenses in our KnowledgeBase that we track, including 53 from theOSI.org Web site. There are many others that people have created in one form or another. Part of our Black Duck protexIP/development information service involves providing our customers with updates to the licenses database in the KnowledgeBase.

LWM: Who are your targeted customers?
Levin: We target large enterprises, including large hardware/software vendors and governments that are currently using (or have a desire to use) open source software and Linux and have a desire to use more.

LWM: With so many open source licenses and so much open source code on the Web, it's difficult to deal with complicated licensing compatibility issues when combining open source software from various sources. How does Black Duck software help developers?
Palle Pedersen: Our Black Duck protexIP/development information service is designed to help a development team work together to manage IP and licensing compliance. When it's integrated into existing development tools, it applies IP management best practices throughout the development life cycle - from the concept phase to ready to ship.

Throughout the development process, Black Duck protexIP/development helps developers monitor and track their source code, including identifying where the code came from. It automatically recognizes when any of thousands of open source programs, even small blocks of code, are inserted into the source code. It does this by comparing the inserted code with the open source code represented in our KnowledgeBase. If there is an issue, the service informs users and managers and creates a list of code combination conflicts that need to be remedied by developers or cleared by the company's legal counsel.

The information service can be used even if it's not integrated into development tools. Developers can periodically run their code against the open source code in the Black Duck KnowledgeBase to determine if there are potential conflicts and potential licensing issues. At the end of development, the information service aids the legal staff in license validation before the product is shipped. The other information service, Black Duck protexIP/registry, allows users of protexIP/development the opportunity to follow a registration procedure and enroll their code in the Black Duck protexIP/registry. By participating in the Black Duck Registration program, developers can provide assurance to their customers and insurers that they adhere to best practices for protecting IP.

LWM: Can you briefly describe the Black Duck KnowledgeBase?
Levin: KnowledgeBase contains in-depth information about open source licenses. The information services that we just discussed use this database to automatically review code modules and their licenses. Our lawyers and technologists have developed proprietary methods of making software licenses machine-readable. KnowledgeBase also has a database of about 35GB of representations of open source code in it, against which we can compare customer code during the development process to detect various code and licensing conflicts. To create the database, we created something that we refer to as CodePrint technology. This technology is applied to all known open source software projects in various repositories on the Internet to create the CodePrint database within the KnowledgeBase. Source code is categorized according to the applicable licensing element. There is currently no proprietary code in the KnowledgeBase. Customers can add their own code, and they can add third-party code if they have a source license for it.

LWM: Today you can scan source code and compare it to the open source code in your KnowledgeBase. Can you scan and compare binary code?
Pedersen: Today, we can scan source code only; however, a future version of Black Duck protexIP/development will be able to look at binary code as well.

LWM: How would a company such as IBM with a lot of proprietary code use your Black Duck protexIP/development information service?
Pedersen: They could use it in the ways we talked about earlier to determine if open source code has crept into one of their packaged software products, such as AIX. They could also use it to determine if and where Linux and AIX share source code, but they would still have to manually determine whether such source code originally came from Linux, AIX, or another project or product. For future products, they could use protexIP/development during the development process to help address questions about source code origin. Their Global Services consulting organization could use Black Duck to assist their customers in the management of software development projects to uncover instances of intentional or accidental open source code insertions.

LWM: I've been waiting to ask this question since we started talking. Could your products be used in the SCO/IBM lawsuit?
Karen Copenhaver: The lawsuit is a two-party contractual disagreement and within it there are many claims and one small part of it is related to copyright infringement. Many of the code complaints/issues are related to proprietary two-party code exchanges between IBM, SCO, Novell, and others, and we have no knowledge of them. The lawsuit is trying to track many different sources of code through many different paths to determine origins. The Black Duck technology might provide a useful tool for lawyers to keep track of source code and to trace code sources.

LWM: The Open Source Risk Management (OSRM) company that indemnifies its customers against patent infringement claims says that Linux code may infringe on 283 patents - 60 owned by IBM and 27 owned by Microsoft. I have not seen a description of these patents, but it seems that this review of patents has instilled fear into potential Linux and open source customers. What is your view of this?
Copenhaver: OSRM is dealing with completely different issues than we are. We deal with copyright issues, and they are focused on bringing the community together to share in the risk of patent infringement. We are interested in reducing the risk of copyright infringement claims by allowing people to manage the use of copyrighted materials.

LWM: Can you help alleviate some of these fears?
Levin: Simply put, we encourage the use of open source software by helping companies manage some of the issues related to copyright infringement and license compliance in code that is being developed in the U.S. as well as being outsourced abroad. We do not address patents. We differ from OSRM and want to avoid contributing to fear or the other elements of doubt that OSRM may have caused by announcing potential litigation related to patents.

LWM: A number of proprietary software companies have been (or are contemplating) open sourcing some of their code. What help can you be to these companies?
Levin: There are two types of people who we can help in this instance - end users and vendors. We can help end users via our registry service that we talked about earlier, and we can help vendors with the internal management of their software projects, with copyright and license compliance and with various other IP issues related to their projects.

LWM: Black Duck is focused on helping accelerate the use of Linux and open source software in enterprises. Do you have any open source code or projects?
Levin: Not yet. Our intention over time is to do open source projects. We are proprietary today for a specific reason - integrity. We have to maintain the integrity of our KnowledgeBase and the integrity of our software because we have to have one consistent KnowledgeBase that we control. But there are information services that we will offer in the future that will be open source. Our goal is to offer a wide variety of information services.

LWM: What is your interaction with the Linux and open source communities?
Levin: We keep in touch with the leading standards bodies such as the Free Software Foundation, OSDL, and with the Linux distributors. We just started shipping our first release in late May. That's when we began intensive business development activities. We just had an announcement with Red Hat and other announcements with Linux distributors are forthcoming. The bottom line is that Black Duck Software is a neutral, trusted third party. We work with everybody.

LWM: Do you have any final comments?
Levin: Yes, I have a couple. I thought that the recent LinuxWorld in San Francisco represented another step forward in the maturation of the industry. The open source community may be emerging as a balanced party in the overall Linux world equation.I found this LinuxWorld to be a very open source-related show as opposed to previous shows that were very Linux centric. Many discussions/presentations at the show were about companies doing full and varied deployments of applications using Linux and open source software and it wasn't just about deployments at one or two big companies such as FedEx, Morgan Stanley, etc. Many, many different types of companies were talking about their production use of Linux and open source software.