Saturday, 21 April 2018

Resource record:

Original link at Developer

Publication date: Friday, 11 December 2009

Last updated: Monday, 14 December 2009

Entry in the observatory: Monday, 14 December 2009

Filed under:

Open Source Licensing Detection Gets More Competitive

This week, OpenLogic announced new OLEX services to provide license discovery and compliance.

Weins said the difficulty in license identification is that open source software is often bundled together in sophisticated ways. As a result, a single open source project can often contain additional open source projects—with bits of code inside that can all be under different licenses.

"It's not as simple as saying this particular application is licensed under Apache and being done with it," Weins said.

The issue has led to a number of high-profile legal spats over the last two years. For instance, the Software Freedom Law Center has settled out-of-court disputes with at least four different vendors over license violation issues that arose because of open source code buried within their software.

The business of license identification is one that Black Duck software has been involved in since 2002. For CEO Tim Yeaton, it's a business that has evolved over the last few years to be about more than just license identification.

"We've expanded our capabilities from just being a compliance platform to being a full-on, open source lifecycle adoption platform," Yeaton said. "We enable customers to search and select open source components, validate them against their process, put in workflows to automate policies, catalogue the resulting components and then attach them directly to their existing development infrastructure."

Black Duck began its broader lifecycle adoption effort nearly two years ago with the launch of its Code Center application.

OpenLogic's Weins said she felt her company could offer a new competitive choice by producing fewer false positives than rivals. She also added that OpenLogic's new services are cloud-focused and leverage the power of Hadoop open source technology to deliver fast, accurate scans.

Black Duck's Yeaton noted that his company has both hosted and Software-as-a-Service offerings. He added that his concern is false negatives more than false positives.

"If you've built a quality tool, done right, there is no such thing as a false positive—there are only things that you'd rather not see because they create noise," Yeaton said, adding that scans can produce a lot of granular information that a user may not want or need.

He also said that Black Duck has filtering and automation features that let users customize the information returned from a compliance scan, though they're not enabled by default.

"The way we built our product and the way it's deployed by default is that it provides access to all the information," Yeaton said. "So shame on us for not helping customers upfront to filter. We are getting smarter to help customers to configure their systems."

But Yeaton said the real issue for him is false negatives—that is, code that isn't detected.

"There is clutter, because you got more information than you want, but you can turn on a filter," he said. "But there is real corporate risk of a false negative ... you don't find something that you're supposed to."