Domain: blackducksoftware.com
Stories and comments across the archive that link to blackducksoftware.com.
Comments · 30
-
Re:So do they have some kind of proposal....
Code fingerprinting for license compliance is very possible. Have a look at the BlackDuck Hub product https://www.blackducksoftware....; there are others who offer similar services. Their back-end was a heap of non-scaling, my-first-code-project junk but the basic scanning tech worked quite well.
It'd be a PITA, and the idea of the EU slowly transforming into another China or Russia in an attempt to stop the extremists its policies are creating is pretty unappealing. But they could make it happen if they were determined/stupid enough.
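The "basic scanning tech" the comment above is talking about is snippet fingerprinting: normalise the source, hash short token runs, thin the hashes out with winnowing, and look the survivors up in an index of code whose license is known. The block below is an added example written for this page, not Black Duck's code; the two "known" components and the "proprietary" file it scans are constructed inline, and the names libfoo and tinyutil are hypothetical.

```python
# Added example (not Black Duck's code): snippet fingerprinting for license
# provenance. Method: tokenize -> hash k-grams -> winnow (Schleimer, Wilkerson
# and Aiken, SIGMOD 2003) -> look the surviving hashes up in an index of
# known-licensed snippets. Identifier renaming is NOT handled here; real
# scanners normalise further (identifier abstraction, language-aware parsing).
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

K = 5  # tokens per k-gram
W = 4  # winnowing window: any shared run of W+K-1 tokens yields a shared fingerprint


def tokenize(src: str) -> list[str]:
    """Drop C-style comments and whitespace so cosmetic edits do not change hashes."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", src)


def kgram_hashes(tokens: list[str], k: int = K) -> list[int]:
    out = []
    for i in range(len(tokens) - k + 1):
        digest = hashlib.sha1(" ".join(tokens[i:i + k]).encode()).digest()
        out.append(int.from_bytes(digest[:4], "big"))
    return out


def winnow(hashes: list[int], w: int = W) -> set[int]:
    """Keep the minimum hash of every window of w consecutive k-gram hashes."""
    if len(hashes) <= w:
        return {min(hashes)} if hashes else set()
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(src: str) -> set[int]:
    return winnow(kgram_hashes(tokenize(src)))


# Constructed knowledge base: hypothetical components, not real projects.
KNOWN_SOURCES = {
    "libfoo-0.3 (GPL-2.0-only)": """
        /* SPDX-License-Identifier: GPL-2.0-only */
        struct node *list_reverse(struct node *head) {
            struct node *prev = NULL;
            while (head) {
                struct node *next = head->next;
                head->next = prev;
                prev = head;
                head = next;
            }
            return prev;
        }""",
    "tinyutil-1.0 (MIT)": """
        // SPDX-License-Identifier: MIT
        size_t count_char(const char *s, char c) {
            size_t n = 0;
            for (; *s; s++)
                if (*s == c)
                    n++;
            return n;
        }""",
}


def build_index(sources: dict[str, str]):
    """Map fingerprint hash -> names of sources containing it, plus each source's size."""
    index: dict[int, set[str]] = defaultdict(set)
    sizes: dict[str, int] = {}
    for name, src in sources.items():
        fps = fingerprint(src)
        sizes[name] = len(fps)
        for h in fps:
            index[h].add(name)
    return index, sizes


def scan(src: str, sources: dict[str, str] = KNOWN_SOURCES) -> dict[str, float]:
    """For each known source, the fraction of its fingerprints that reappear in src."""
    index, sizes = build_index(sources)
    hits: dict[str, int] = defaultdict(int)
    for h in fingerprint(src):
        for name in index.get(h, ()):
            hits[name] += 1
    return {name: hits[name] / sizes[name] for name in sizes}


# Constructed "proprietary" file: the GPL routine pasted in with new comments and layout.
SUSPECT = """
// vendor tree, no license header
struct node *list_reverse(struct node *head)
{
    struct node *prev = NULL;   /* reversed list built here */
    while (head) { struct node *next = head->next; head->next = prev; prev = head; head = next; }
    return prev;
}
int main(void) { struct node *head = build(); head = list_reverse(head); return 0; }
"""

if __name__ == "__main__":
    for name, frac in sorted(scan(SUSPECT).items(), key=lambda kv: -kv[1]):
        print(f"{frac:5.0%}  {name}")
```

Because winnowing picks the minimum in each window, every fingerprint of a known snippet that is pasted in whole reappears in the scanned file (the GPL routine above scores 100% despite the changed comments and layout), while unrelated code shares nothing. A lower, non-zero score is what a partial copy or a heavily edited copy looks like, which is why tools in this class report per-file match percentages rather than a yes/no.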
-
Re:FSF = not practical
When he started there was no such thing as an entire operating system of free software and no hardware you could run it on. This exists today - it didn't then. It's not as readily and easily available as it should be - but it exists. And, as he rightfully pointed out, if he had compromised the ideal of that existing - it would still not exist at all. It only exists because he never settled for less than that.
Well, evil tongues would suggest that without Linus we'd still be waiting on GNU/Hurd. GCC forked off and became EGCS. "Linux libc" forked away from glibc and was only later "GNU-ified" again, like EGCS. The rest the FSF made seems mostly to be small utilities; for sure, having a GNU/free ls, awk, sed, grep etc. is important, but hardly the showstopper. His one (admittedly huge) crowning achievement was writing the GPL, but most of the projects seemed to refuse his leadership.
And even then the adoption by some of the core players seemed to be more by chance than ideological success, like Linus primarily wanted to see what other developers were doing to learn so he could run it on his box. User freedom was never a big deal for him nor for most other Linux kernel core developers, which is why the GPLv3 was met with a "meh". X11 and Wayland don't use the GPL. Apache isn't using the GPL. Android isn't using the GPL except for the kernel. Is it popular? Yes. Is it the only commonly used open source license? Very far from it.
According to Black Duck GPLv3 + LGPLv3 + Affero GPL = ~10% of all projects and GPLv2 + LGPLv2 ~20% so most projects haven't really been following Stallman since 2007. And that's not counting the non-GPL licenses, my impression is that the Apache license has gained a lot of popularity particularly with corporations like Google (Android), Apple (Swift) and Microsoft (ASP.Net). The kernel is the one project that seems to get away with copyleft because you can run any userspace on top. And because it doesn't really crack down on shims and driver blobs.
-
Re:Why are so many moving away from the GPL?
Explain why BlackDuck ranks MIT as the most popular license in use, with GPL v2 trailing a few points behind?
https://www.blackducksoftware....
From that chart, the only way GPL is "the most popular license on the planet" is if you add GPL2 and GPL3 together, and since they're very different licenses, that'd be more than a little disingenuous of you.
-
Re:Linus may be an asshole...
> Not cow-towing to the fail that is GPL 3
What are you talking about? The GPLv3 has been a great success. True, there are about 3 times as many GPLv2 projects (and twice as many LGPLv2 than LGPLv3). But you have to consider that a) a much larger proportion of GPLv2 projects will not be active (i.e., dead GPLv2 projects are unlikely to make a switch), and b) many GPLv2 projects will not want to switch simply because of the effort required (it may not even be possible in some cases, such as with Linux) or apathy to the politics of their licence. As more new projects emerge, the GPLv3 is only likely to take up a larger share of all GPL'ed projects.
(Source)
-
Re:Deja Vu
After GPL v3 the numbers were flat for the first quarter (as businesses looked it over) and then it has been a straight down curve ever since. Look up the numbers yourself; it makes a pretty little bell curve.
OK, let's see: in December GPL+LGPL+AGPL were at 57% according to the Black Duck report on the decline of the GPL. Now, according to the daily updated data by Black Duck, GPL2/3+LGPL2.1/3 are at 56.33%; put in AGPL and older GPL licences and you get to 57%.
OMG!!111!! That's the flattest bell curve I've ever seen!
-
Re:Pro-GPL study from authors of GPL ...
You left out the part where the pro-GPL study comes from the authors and advocates of the GPL.
Thanks for the hint (it's astounding the way that accusations from shills so often point you in the direction of what they themselves are doing). You left out the fact that the original data came from a Microsoft partner involved in CodePlex. The moment I saw your post I thought to search for that.
-
Re:Cherrypicking sources
Broader? Hogwash. If you dig into the KnowledgeBase figures they list only a little over 13765+984+409=15158 GPL family projects. While the Debian stats say:
The last Debian release, Squeeze, which emerged in February 2011, had 28,126 packages of which 26,271, representing 93 per cent, were under the GPL family.
So the one saying there is a decline is missing at least 10,000 GPL projects, plus quite possibly more that are not in Debian. Seems to me it's their figures that are incredibly narrow and wrong.
-
Re:Puppet is old school, check out Salt
IMHO, it is faster, easier, and all around better than puppet...not to mention it was a Black Duck Software Open Source Rookie last year. http://www.blackducksoftware.com/rookies/
-
Re:MS-PL
Here are the numbers! 1.80% for MS-PL: http://osrc.blackducksoftware.com/data/licenses/
-
Re:FUD as in FUD
In addition to my previous reply, I went to the trouble of finding some open source license adoption statistics for you. I'm sure there are bunches of other data sources available via Google.
-
Re:Good on MS
There ARE commercial tools for this. Black Duck comes to mind - my employer uses it to search for and manage all usage of open source [ http://www.blackducksoftware.com/code-center ]
-
Re:Code Review
And it's impossible for anyone to be familiar with every piece of GPL'd code out there, and it's impossible to build a database of such code.
Well, at least one company is trying to do just that, and to help companies avoid this very problem.
-
GPLv3 was rejected by the marketplace ?
"The GPL has a place in some shared infrastructure, but the newest rev (gplv3) was a complete failure. It tried to dictate what developers could do with their own creations"
Where does it say that? The main difference is that it prevents other developers suing you or the end users for patent violations and prevents the 'tivoization' of the code when used in embedded devices. Similarly to GPL 2, those that modify the code but don't redistribute it are under no obligation to distribute their own code.
'No surprise that the GPLv3 was rejected by the marketplace'
According to BlackDuckSoftware up to 12059 projects were released under GPL 3. How do you spin this into 'rejected by the marketplace'?
-
Re:No, they didn't.
Sorry, I thought I vetted those links thoroughly in preview before posting. The first quote does appear on this page as of today.
You're right, though, I did gloss over the difference between "using a language" in a project and using it exclusively for that project. But the point still stands that they did not break down the second set of numbers, so whichever of these new projects use C++ or C# (with or without C), they had to come in at less than 20% (Javascript's total).
What's their methodology? How can you tell a valid line of C from its valid C++ equivalent? It's too bad the actual numbers are locked away in Blackduck's proprietary knowledge base. Maybe if it were open source, we could find out which projects use a single language and which use more than one.
-
Re:No, they didn't.
Take another look.
Take your own advice.
On this page they say:
"Over 90% of open source code is written in the major languages: C, C++, Java, Javascript and C#"
And on this page they say:
"47% of these newly created projects used the C language. Java came in as the number two language of choice at nearly 28%. Third was Javascript at over 20%."
Both your links went to the same page, which doesn't include the first quote. The first quote (which comes from this page, not the one you linked) refers to the percentage of lines of code in the 170,000 open source projects in Black Duck's database that are in one of the languages listed in that quote; the second refers to the percentage of 17,000 newly created open source projects from 2008 that use one or more of the languages listed in that quote. They aren't measuring the same thing (one measures lines of code, the other measures projects using any code in the languages, not the lines of code used), and they aren't drawing from the same universe (one is 170,000 open source projects, most of which are not new; the other is the 17,000 of those projects that are new in 2008). You are drawing an invalid conclusion by ignoring these differences.
-
Link to Actual Report
is here.
-
Re:No, they didn't.
Take another look. On this page they say:
"Over 90% of open source code is written in the major languages: C, C++, Java, Javascript and C#"
And on this page they say:
"47% of these newly created projects used the C language. Java came in as the number two language of choice at nearly 28%. Third was Javascript at over 20%."
...which adds up to 95%, so unless there's some seriously bad math here, they included C++ and C# in that 47% which they refer to as "the C language."
-
No, they didn't.
Actually, I think these guys know what they're talking about. It's just the Slashdotted, watered down version which makes them look as if they don't.
-
Re:Black Duck Software?
Anyway, here is their actual press release
Thanks for that.
Let's compare "here" with the summary. "Here":
47% of these newly created projects used the C language. Java came in as the number two language of choice at nearly 28%. Third was Javascript at over 20%. In the world of scripting, nearly 18% of the projects chose to use Perl
Summary:
47 per cent – of new projects last year used C. [...] Next in popularity after C came Java, with 28 per cent. In scripting, JavaScript came out on top with 20 per cent, followed by Perl with 18 per cent.
I note that 47+28+20+18 > 100, so somewhere there's a move from one "percentage pie" to the next. I would like to know which language is in which pie, and more importantly why, and why there aren't numbers for one big pie with everyone in it. I'd also like to know why the summary (which is taken from the register) and the "here" seem to be ambiguous, when read together, about which pie javascript goes into.
I don't think malice is a good explanation for all of this, so I'll assume incompetence. That goes well with the 98%-of-everything-is-crap law ;)
-
Black Duck Software?
Seriously, who ever heard of that company? Anyway, here is their actual press release, including a bogus list with 10 random apps I never heard of.
And by the way, Python got 10%.
-
Re:This has already been around for years
I have a friend who started Black Duck Software (blackducksoftware.com). FOSSology is not the same thing as Palamida and Black Duck... they actually track the code that's copyrighted and tell you what the license was originally, not just tell you what license is stated in the file.
-
Black Duck Software
Someone should point out to the guy who wrote the article that Black Duck Software's URL is http://www.blackducksoftware.com./
The link, in TFA's list of businesses who've raised $12 million to fund open source software/services, points to Black Duck Inn and Properties.
Did he even check his references??
-
Re:The main reason is lack of clear knowledge
Managers are under the mistaken impression that if I just use Spring or Jakarta Commons, the company MUST open up the whole project in which it is used (like a proprietary trading system) to Open Source.
Many managers don't realize that just "using" Spring does NOT force you to open up your systems.
It doesn't help that they have salespeople from BlackDuck Software reinforcing their fears. These guys come knocking, telling CEOs and CFOs (they're very careful not to make initial contact with the technical guys) that if they don't run the BlackDuck product against their source code, they're going to end up getting caught with a line of GPL'ed code in their product and be forced to open up the whole thing. They do this despite the facts that accidentally including GPL'ed code wouldn't force the company to open their code (though they may be forced to remove the GPL'ed part), the Black Duck product produces more false positives and false negatives than valid results, their product provides no guarantees at all, and the BlackDuck software itself is almost certainly violating the copyrights of GPL software authors everywhere.
The open source community has little to no PR to educate businesses about their product, and at the same time IP Lawyers and predatory companies like BlackDuck are spreading false information to maximize billable hours and license fees.
I don't think that your reason #3 is so much of an issue. If it were, companies wouldn't be so willing to outsource. Rather, they'd be afraid that the outsourcing company would use their code in other customers' products as well. I simply don't think that the typical executive manager or investor today is educated enough to even consider that, much less be afraid of it.
-
Re:This is still going on?
Reality is much less important than the beliefs of the guy with the checkbook.
Also, just because you haven't heard about it doesn't mean it isn't happening. Companies like Black Duck software are raking in the cash, as are practically every IP lawyer in the US. They charge $20,000 to perform an automated audit on 100MB of source code, and small developers are beating down their doors to use their tool because the lawyer they paid to make sure they had their asses covered told them it was a good idea.
You hear about BSA audits because the BSA is trying to make an example out of the targets. You never hear about internal audits, but they are happening in all sorts of places where they never would have been considered before. Everybody is afraid of being the target of the next SCO or NTP.
-
Re:who do you want to sue today?
-
Survey says, "Black Duck"
There is software to look through all the source code a company claims to own, http://blackducksoftware.com./ I'd rather have software do it than have to look by hand.
-
I just have one word for you all...
Black Duck
Black Duck will have read this book, and if you maybe sorta think you might want to read the book, you'd do well to hit their website and see what they do. If you write commercial or licensed software and you hope to get some real mileage out of open source and not be SCO fodder, then a little time invested by somebody in your organization to know the ins and outs of mixing sources that come under various licenses is a prudent investment.
-
Warning: BLATANT PLUG
This summer I had the opportunity to work for BlackDuckSoftware.com. Black Duck has built software to help developers (from individuals to large corporations) manage their use of open source software. Essentially, the software enables firms to track the usage of open source code, determine conflicts (if any) and suggest methods of compliance. It takes into account methods of combining code, whether the code is for internal use or public distribution, any number of other considerations that involve open source license compliance. It is able to deal with code licensed under *all* of the certified open source licenses as well as many other proprietary licenses.
While it is not insurance, and does not provide any kind of indemnification, it is a damn good management tool. Its goal is to allow companies to make use of open source code in such a way that full compliance is facilitated, and to avoid any uh-oh moments that happen after code is commercially released.
I worked on the development of the license interpretation module. It involved reading (and re-reading) 50+ licenses and parsing their terms such that compatibility determinations and compliance requirements could be generated for every possible combination of license, code, distribution, concatenation, link, modularization, etc. of a software product. It was exhausting (and sometimes tedious) work, and it certainly made it easy to tell which licenses were written by lawyers, which by coders, and which were written with input from both. It gave me new understanding of why unenlightened legal departments sometimes shy away from open source. Nonetheless, the reality is these licenses exist, are in use today, and are all valid until some court says otherwise. Licensors (i.e. coders in the community) have every right to expect their terms to be adhered to.
Being a geek myself, and a law student, it was pretty gratifying to see that a company wanted to build a product that helped managers to understand and not fear the open source phenomenon. Further, I think the product will really help firms stay fully compliant when they decide to use open source code. And that, in the end, is all our community can ask for.
cleetus
-
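The "license interpretation module" the post above describes, and the "using Spring doesn't force you to open your systems" point made in the earlier comment about managers, both come down to a rule set: given a component's license, how it is combined with the product (shipped alongside, dynamically linked, statically linked, or modified) and whether the product is distributed at all, decide whether the combination is allowed and what it obliges you to do. The block below is an added example written for this page, not Black Duck's module. Its rules are a deliberately simplified reading of the FSF's published compatibility positions (Apache-2.0 incompatible with GPL-2.0-only but fine with GPL-3.0-only; LGPL permitting proprietary linking; GPLv2 and GPLv3 mutually incompatible; no obligations without distribution); "-or-later" variants and license exceptions are not modelled, and the bill of materials it audits is constructed, with termlib and mathlib as hypothetical component names.

```python
# Added example (not Black Duck's code): a toy license-interpretation rule set.
# Simplified FSF compatibility positions only; "-or-later" variants, linking
# exceptions and contractual terms are not modelled. Illustrative, not advice.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    spdx: str
    copyleft: str                                          # "none", "weak" (LGPL) or "strong" (GPL)
    combined_work_must_be: frozenset[str] = frozenset()   # strong copyleft only
    cannot_go_into: frozenset[str] = frozenset()          # known outbound incompatibilities
    notices: tuple[str, ...] = ("keep copyright notice and license text",)


LICENSES = {
    "MIT": License("MIT", "none"),
    "BSD-3-Clause": License("BSD-3-Clause", "none"),
    "Apache-2.0": License("Apache-2.0", "none",
                          cannot_go_into=frozenset({"GPL-2.0-only"}),
                          notices=("keep copyright notice and license text",
                                   "preserve NOTICE file contents")),
    "LGPL-2.1-only": License("LGPL-2.1-only", "weak"),
    "GPL-2.0-only": License("GPL-2.0-only", "strong",
                            combined_work_must_be=frozenset({"GPL-2.0-only"})),
    "GPL-3.0-only": License("GPL-3.0-only", "strong",
                            combined_work_must_be=frozenset({"GPL-3.0-only"})),
}

LINKAGE = ("separate", "dynamic", "static", "modified")  # how the component is used


def evaluate(component: str, product: str, linkage: str,
             distributed: bool) -> tuple[str, list[str]]:
    """Return ("ok" | "conflict", obligations) for one component inside a product."""
    if linkage not in LINKAGE:
        raise ValueError(f"unknown linkage {linkage!r}")
    lic = LICENSES[component]
    # The GPL family attaches its conditions to distribution; internal use triggers nothing.
    if not distributed:
        return "ok", ["not distributed: no obligations triggered"]
    obligations = list(lic.notices)
    if lic.copyleft == "none" or linkage == "separate":
        # Permissive code, or mere aggregation: the product keeps its own license.
        if linkage != "separate" and product in lic.cannot_go_into:
            return "conflict", [f"{component} code cannot be combined into a {product} work"]
        if lic.copyleft != "none":
            obligations.append(f"provide {component} source for the separately shipped component")
        return "ok", obligations
    if lic.copyleft == "weak":
        # LGPL: the library stays LGPL; the calling program does not have to be.
        if linkage == "modified":
            obligations.append(f"release the modified library under {component}")
        obligations.append("provide library source and let users relink a modified library"
                           + (" (ship object files for static links)" if linkage == "static" else ""))
        return "ok", obligations
    # Strong copyleft: linking, static or dynamic, yields one combined work.
    if product not in lic.combined_work_must_be:
        return "conflict", [f"combined work must be under {sorted(lic.combined_work_must_be)}, "
                            f"not {product}"]
    obligations.append("provide complete corresponding source of the combined work")
    return "ok", obligations


def audit(product: str, bom: list[tuple[str, str, str]],
          distributed: bool = True) -> dict[str, tuple[str, list[str]]]:
    """Evaluate every (name, license, linkage) entry of a bill of materials."""
    return {name: evaluate(lic, product, linkage, distributed) for name, lic, linkage in bom}


# Constructed BOM for a proprietary trading system (termlib and mathlib are hypothetical).
TRADING_SYSTEM_BOM = [
    ("spring-core", "Apache-2.0", "dynamic"),
    ("termlib", "GPL-3.0-only", "dynamic"),
    ("mathlib", "LGPL-2.1-only", "static"),
]

if __name__ == "__main__":
    for name, (verdict, obligations) in audit("Proprietary", TRADING_SYSTEM_BOM).items():
        print(f"{name:12} {verdict:8} {'; '.join(obligations)}")
```

Run as-is, the audit says what both comments say in prose: the Apache-licensed Spring dependency is fine in a proprietary product (with notices kept), the statically linked LGPL library is fine provided users can relink, and only the dynamically linked GPL component is a real conflict, which is resolved by removing or replacing that one component, not by opening the whole product. Flip `distributed` to `False` and even the GPL entry reports no obligations, which is the internal-use point the thread keeps returning to.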
Ducks in a Row
The OSS/FS movements really need to get their licensing 'ducks' in a row...
Ah yes, Black Duck tracking 100+ FOSS licenses, compatibility ... against source, downloads, installs from 100K+ projects ... But then one might just consider GPL compatibility update per blog