Eclipse signs up Black Duck
[Posted September 6, 2006 by corbet]
Black Duck Software was profiled on LWN by Pamela Jones just over one year
ago. This company sells a
product which enables companies to verify the sources of software in
products that they ship; in particular, it seems oriented toward helping
proprietary software vendors avoid unwitting violation of licenses like the
GPL. This product includes "code prints" of thousands of free software
releases; these prints can be compared against a program to determine if any of
that program's code came from one of those projects. It seems like a
product which could bring some peace of mind to company managers who worry
about whether their programmers might be using free code in projects which
are not intended for free release.
Whether the database of code prints (much of which is obtained through a
"special relationship" with SourceForge) constitutes a derived product from the
free software code it is "compiled" from is an interesting question - but
one for a different article.
Today's topic involves this Black Duck press release stating that the
Eclipse project has purchased
Black Duck's "protexIP" product to verify licenses in the Eclipse code
base. From the PR:
"Companies worldwide are capitalizing on applications developed by
the Eclipse community, and many software vendors sell products that
are dependent on Eclipse," said Mike Milinkovich, executive
director of Eclipse Foundation. "For that reason, it is absolutely
vital for us to analyze our code before we release it to our
community."
At first blush, it might seem a little strange that a free software project
would purchase a proprietary tool to help ensure that no free code is
incorporated by mistake. There are, however, a couple of reasons why
Eclipse might want to take this step:
- Eclipse is distributed under the Eclipse Public
License. It is a free license, with copyleft-type requirements,
but it is not a GPL-compatible license. So the incorporation of any
GPL-licensed code into Eclipse would be a bad idea.
- Black Duck has been expanding its database with thousands of "code
prints" claimed from proprietary programs. Thus, the product should
be able to detect attempts to use proprietary code in cases where that
code has been fingerprinted by Black Duck.
So, if there are people within Eclipse who are worried about those types of
code contamination, perhaps using Black Duck's products will help them to
sleep a bit better at night.
One wonders, however, what sort of commercial pressures might have
pushed Eclipse to make this decision. While Black Duck would, beyond
doubt, like to see this adoption as the beginning of a trend in the free
software world, some of us may feel a little differently. It would be a
sad day if we came to the point that free software projects had to buy this
sort of service to be taken seriously in the commercial world. Releasing
software is a remarkably easy process - at least, for those of us who are
not under the control of large corporate legal departments. Loading up the
process with expensive validation bureaucracy in the name of license
compliance seems like a step in the wrong direction.