Black Duck Software, an information services company offering IP risk management and mitigation solutions, on Monday announced the immediate commercial availability of its first comprehensive source-code services program, protexIP for software IP management.
The service provides open-source license validation and management, code detection, software registry, training, consulting and support. Within it, there are two offerings: protexIP/development and protexIP/registry.
The services aim to help commercial software developers and enterprise buyers manage software intellectual property (IP).
To do that, Black Duck protexIP/development has an extensive license and source-code knowledge base that can be used to rapidly identify instances of open-source software (OSS), and any associated license conflicts, in developers' code trees.
Its companion service, Black Duck protexIP/registry, lets software vendors place their own code in the knowledge base after it has been scanned for IP violations by the protexIP/development module.
The point of protexIP is to help software developers enjoy the benefits of working with open-source software by mitigating any IP risks that might exist throughout the development life cycle.
Today, companies that seek to address IP issues in their software development do so by tasking developers, management and in-house legal counsel with reviewing code for possible IP violations.
“Most software companies care greatly about the issues of software licensing and copyright infringement, but it's been a grueling, manual process to stay in compliance,” said Douglas A. Levin, president and CEO of Black Duck Software Inc.
“Black Duck's automated solutions take much of the complexity and pain out of finding and tracking open-source code in source code.”
In an eWEEK.com interview, Levin said the solutions also can be used in reverse. Once a company has placed its code in the knowledge base, “It can also check suspicious program code on the Net to see if their program has been leeched out into the Internet.”
As it comes from Black Duck, the knowledge base contains the codeprints—a unique digital signature—of OSS source code from Linux.org, SourceForge.org, Apache.org, PHP.org and Python.
Levin said Black Duck is trying to cover the most frequently visited and active projects such as Linux and Apache, along with less active programs.
“We have a spider team who spend all their days finding open-source repositories and rendering codeprints of projects,” Levin said. “We currently have 35GB of codeprints in our database. By late 2005, we expect it to go to 200GB, taking into account the growth of open-source projects.”
Obeying Business Policies
With the knowledge base, developers can go all the way down to the individual line level. But Levin added that a company doesn't have to get down to such a low level. “Companies have different attitudes—some companies want a lot of minute details, others only want to see major copyright violations; we give them a volume knob,” he said.
“Companies were telling us that the long-term value resided in an updated knowledge base and the ability to add their own data to the knowledge base, so we provide online updates and software upgrades to customers.”
The server component of the software also can be set to obey business rules and policies that can be instituted on a companywide basis or on a developer-by-developer basis.
Black Duck can be set, for instance, so that use of any code governed by the GPL is flagged as not usable by the developer, while code licensed under the BSD license isn't flagged and can be used.
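The workflow the article describes (fingerprint known open-source code, match it in a developer's code tree, then apply company-wide license rules with per-developer overrides and a "volume knob" for match sensitivity) can be sketched in a few dozen lines. The following is an added illustration, not Black Duck's protexIP code: its "codeprints" are SHA-256 hashes over a sliding window of whitespace-normalised source lines (an assumption; the real codeprint format is proprietary), and the knowledge-base entries, developer code tree and policy tables are constructed examples embedded inline so it runs offline.

```python
"""Fingerprint-based detection of known OSS plus a license policy.

Added illustration, not Black Duck's protexIP. A "codeprint" here is a
SHA-256 over a sliding window of normalised lines (assumed format).
Knowledge base, code tree and policy tables are constructed inline.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

WINDOW = 4  # lines per fingerprint window (assumed tuning parameter)


def normalise(line: str) -> str:
    """Drop comments and collapse whitespace so that reindenting or
    commenting a copied function does not defeat the match."""
    line = re.sub(r"/\*.*?\*/|//.*$|#.*$", "", line)
    return " ".join(line.split())


def codeprints(source: str) -> list[str]:
    """Hash every window of WINDOW consecutive non-empty normalised lines."""
    lines = [l for l in (normalise(x) for x in source.splitlines()) if l]
    return [
        hashlib.sha256("\n".join(lines[i:i + WINDOW]).encode()).hexdigest()
        for i in range(max(0, len(lines) - WINDOW + 1))
    ]


# Constructed knowledge-base entries: project -> (license, reference source).
KNOWN_OSS = {
    "gpl-util": ("GPL-2.0", """
int parse_header(const char *buf, size_t len) {
    if (len < 4) return -1;
    int type = buf[0];
    int flags = buf[1];
    return (type << 8) | flags;
}
"""),
    "bsd-util": ("BSD-3-Clause", """
static int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
"""),
}

# codeprint -> (project, license)
KNOWLEDGE_BASE: dict[str, tuple[str, str]] = {
    cp: (project, lic)
    for project, (lic, src) in KNOWN_OSS.items()
    for cp in codeprints(src)
}

# Company-wide rules with per-developer overrides (constructed examples).
DEFAULT_POLICY = {"GPL-2.0": "flag", "BSD-3-Clause": "allow"}
PER_DEVELOPER = {"alice": {"GPL-2.0": "allow"}}  # e.g. works on a GPL product line


def policy_for(developer: str, license_id: str) -> str:
    """Developer override first, then company default, else send for review."""
    return PER_DEVELOPER.get(developer, {}).get(
        license_id, DEFAULT_POLICY.get(license_id, "review"))


@dataclass
class Finding:
    path: str
    project: str
    license_id: str
    matched_windows: int
    action: str


def scan_tree(tree: dict[str, str], developer: str, min_windows: int = 2) -> list[Finding]:
    """Match each file's codeprints against the knowledge base and apply policy.
    min_windows is the "volume knob": one matching window is likely noise."""
    findings = []
    for path, src in tree.items():
        hits: dict[tuple[str, str], int] = {}
        for cp in codeprints(src):
            if cp in KNOWLEDGE_BASE:
                hits[KNOWLEDGE_BASE[cp]] = hits.get(KNOWLEDGE_BASE[cp], 0) + 1
        for (project, lic), n in hits.items():
            if n >= min_windows:
                findings.append(Finding(path, project, lic, n, policy_for(developer, lic)))
    return findings


# Constructed developer code tree: a vendored GPL function (reindented and
# commented), a BSD function, and a file of original code.
DEVELOPER_TREE = {
    "src/proto.c": """
/* vendored helper */
int parse_header(const char *buf, size_t len) {
    // TODO: bounds check
    if (len < 4) return -1;
    int type  = buf[0];
    int flags = buf[1];
    return (type << 8) | flags;
}
int our_own(void) { return 42; }
""",
    "src/math.c": """
static int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
""",
    "src/main.c": "int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    for f in scan_tree(DEVELOPER_TREE, "bob"):
        print(f"{f.path}: {f.project} ({f.license_id}) x{f.matched_windows} -> {f.action}")
```

Run as a script for developer "bob", the GPL function in src/proto.c is reported with action "flag" and the BSD function in src/math.c with "allow", while src/main.c produces nothing; the same tree scanned for "alice" yields "allow" for both because of her override. The `min_windows` threshold is what lets a company turn the volume knob up or down: raising it hides short, coincidental matches, lowering it to 1 reports every matching window.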
Neither Black Duck nor the company's other customers can see the code that developers place in a company-specific knowledge base; it resides on the developer's local server.
But users can extend permissions to people outside the corporate firewall to access the data. “You could, for example, let an outsourcer or a trusted partner on an extranet get at your customized knowledge base with your permission,” Levin said.
He said Black Duck is “looking for partners, but practically speaking, we will have to offer some initial consulting and training services just to get some people going.”
“As the world's leading provider of open-source solutions to the enterprise, we employ hundreds of developers working on millions of lines of code,” Karen Bennet, vice president of application and tools development at Red Hat Inc., said in a statement.
“Black Duck enables us to automate a manual process, saving time and resources while fitting into the software development practices that are already in place.”
Subscriptions to Black Duck's service offerings are available now. Annual subscriptions to Black Duck protexIP/development are priced starting at $2,500 per user. Volume discounts are available.
Subscriptions include ongoing updates to the software and the Black Duck license and source-code knowledge base. The protexIP/registry is available to customers for $1,000 per submitted release.