The product from San Francisco-based Palamida promises to give
customers a full understanding of the origin, version, location and
licence of open source and other third party code in their software
products and applications.
While open source software can be used in commercial products, vendors must comply with the licence terms. The risk of misuse was highlighted last month when the UK subsidiary of security software firm Fortinet settled a lawsuit over its alleged non-compliance with the terms of the General Public Licence (GPL), which underpins the distribution of most open source software. So any software house needs to be aware of what third party code has been used in its development projects.
Palamida's product checks for copying by searching against its massive database of open source files, pulled from 40,000 of the most commonly used open source projects. CEO Mark Tolliver says his company's database is the world's largest and that its product, IP AMPlifier 3.0, reduces software compliance efforts "from weeks to hours."
Annual subscriptions are not cheap: pricing ranges from $50,000
to $250,000, depending on the size of the buyer. This gets you
software to scan for binary, source code, images, icons, text
documents and XML, checking whether any of your resources were in
fact cut 'n' pasted from elsewhere. It is looking for fingerprint matches, which can be given away by project names, licences, licence texts, licensor information, project release numbers, or any of its billions of source code snippets.
The company says its Knowledge Repository is many terabytes in size, but a compression algorithm is applied to bring it down to a size more manageable for storing on the customer's system.
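The article describes the scanner only in outline: a library of fingerprints derived from open source code, shipped to the customer and matched locally against their own files. The following is an added example written for this page, not Palamida's code and not the real IP AMPlifier algorithm. It shows one standard way such matching works, k-gram hashing with winnowing, on a constructed miniature "Compliance Library" and a constructed customer file; every project name, licence and snippet in it is made up. It also records duplicated comment lines as a separate signal, and applies a minimum-match fraction so that a handful of shared idioms is not reported as copying.

```python
"""Snippet fingerprinting for third-party code detection (added example).
Not Palamida's code or the IP AMPlifier algorithm: a small 'Compliance
Library' of constructed snippets is indexed with k-gram hashing plus
winnowing (Schleimer, Wilkerson and Aiken, 2003), then a constructed
customer file is scanned offline. Projects, licences and snippets are made up.
"""
import hashlib
import re
from collections import defaultdict

K = 5       # tokens per k-gram
WINDOW = 4  # any shared run of at least WINDOW + K - 1 tokens yields a hit

def tokenize(src):
    """Drop '#' comments and whitespace; keep identifiers, numbers, punctuation."""
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", re.sub(r"#.*", "", src))

def kgram_hashes(tokens, k=K):
    """Hash every k-token window -> [(hash, start_index), ...]."""
    return [(int(hashlib.sha1(" ".join(tokens[i:i + k]).encode()).hexdigest()[:8], 16), i)
            for i in range(len(tokens) - k + 1)]

def winnow(hashes, w=WINDOW):
    """Winnowing: keep the minimum hash of each sliding window of w hashes."""
    windows = (hashes[i:i + w] for i in range(max(len(hashes) - w + 1, 1)))
    return {min(win)[0] for win in windows if win}

def fingerprints(src):
    return winnow(kgram_hashes(tokenize(src)))

def comment_lines(src):
    """Comment text only; duplicated comments are a strong copying signal."""
    return {m.group(1).strip() for m in re.finditer(r"#(.*)", src)}

class ComplianceLibrary:
    """Inverted index from fingerprint hash to the projects containing it."""

    def __init__(self):
        self.index, self.meta = defaultdict(set), {}

    def add(self, project, licence, src):
        fps = fingerprints(src)
        self.meta[project] = (licence, len(fps), comment_lines(src))
        for h in fps:
            self.index[h].add(project)

    def scan(self, src, min_fraction=0.5):
        """Projects whose fingerprints appear in src; chance idioms fall below min_fraction."""
        hits = defaultdict(set)
        for h in fingerprints(src):
            for project in self.index.get(h, ()):
                hits[project].add(h)
        own_comments, report = comment_lines(src), {}
        for project, found in hits.items():
            licence, size, comments = self.meta[project]
            if len(found) / size >= min_fraction:
                report[project] = {"licence": licence, "fraction": len(found) / size,
                                   "shared_comments": sorted(own_comments & comments)}
        return report

# Constructed library entries; neither project nor snippet is real.
LIBFOO = '''
# FOO1 container header: magic(4) length(4) payload
def parse_header(buf):
    magic, length = buf[:4], int.from_bytes(buf[4:8], "big")
    if magic != b"FOO1":
        raise ValueError("bad magic")
    return buf[8:8 + length]
'''
TINYHASH = '''
def fnv1a(data):
    h = 0x811c9dc5
    for byte in data:
        h ^= byte
        h = (h * 0x01000193) & 0xffffffff
    return h
'''
# Constructed customer file: an in-house checksum plus a verbatim paste of LIBFOO.
CUSTOMER_FILE = '''
# Vendor code written in-house
def checksum(data):
    total = 0
    for b in data:
        total = (total + b) % 65521
    return total

# FOO1 container header: magic(4) length(4) payload
def parse_header(buf):
    magic, length = buf[:4], int.from_bytes(buf[4:8], "big")
    if magic != b"FOO1":
        raise ValueError("bad magic")
    return buf[8:8 + length]
'''

def audit(src=CUSTOMER_FILE):
    """Build the library and scan one file; returns {project: {licence, fraction, ...}}."""
    lib = ComplianceLibrary()
    lib.add("libfoo", "GPL-2.0", LIBFOO)
    lib.add("tinyhash", "MIT", TINYHASH)
    return lib.scan(src)
```

Running `audit()` reports `libfoo` (GPL-2.0) with every one of its fingerprints present and the pasted comment line as corroborating evidence, while the in-house checksum and the unrelated `tinyhash` entry produce no report. The index holds only hashes, never the library source, which is the property that lets such a library be shipped behind a customer's firewall; the identifiers and comments are still needed on the scanning side, so a real deployment would also need to guard that index as it is a condensed map of what the customer's code contains.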
"We specifically designed the software to work behind our
customers' firewall because early feedback from customers indicated
that this is an incredibly sensitive area for them, and they would
certainly feel uncomfortable about 'sending' their code to any
server outside their firewalls," a company spokesperson told
OUT-LAW. "The only communication the customer has with Palamida is
that we send updates of the Compliance Library to the
customer."
Susan McKiernan, an IT lawyer with Pinsent Masons, the law firm behind OUT-LAW.COM, said:
"There are only so many ways of writing the same instruction –
so there is a good chance that software like this will flag matches
where there has been no copying. There is no infringement if two
people happen to write identical code independently – it's only a
problem when one person copies another's work. But that is a common
problem. So software like this may help with a firm's compliance
efforts."
McKiernan added: "It's a clear indication of straightforward
copying when the comments within code are duplicated, or better
still, the errors. And that, presumably, is what will ring the
alarm bells in this product."