Tracking Code to Its Origins?
openbear writes "While doing a code review for a closed source project at work I came across a few files that were stolen from an open source project. The individual that did this was dumb enough to leave the original license in one of the files, however he was smart enough to remove all trace of where the code came from. He since quit the organization, so we (the developers) can't get to him to find out where he got this code from. Now management wants us to ship the product as is (with the stolen code intact) because we can't point to the original source of his questionable code. A few of us scoured sourceforge and several apache projects but couldn't find anything matching. My question is: What is the best way to track down where this code originated from? Is there an organization that would help? A tool? A website?"
You'd better speak to your corporate lawyer. If you don't have one, get one. I'd advise bringing a camera... it's gonna be a real Kodak(TM) Moment when he first understands what you're saying.
You didn't mention what license this is. Is it the GPL? If so, that means that you have actually managed to stumble on one of the rare situations where the GPL is actually viral! If you release this code, you will be legally obligated to provide source to any customer, just for the asking!
If it's not one of the 'viral' licenses, then you haven't got a problem anyhow.
This isn't even a copyright law issue per se; the onus is on you/your company to find the source of the code, and get permission to use it, or face the consequences of not doing so. This is a general principle in the law.
The law only rarely lets "I tried as hard as I could!" be an excuse. If you can't get permission, you can't use it, end of (legal) story.
You are asking for it. Hate to say it, but consult a lawyer! Consult a lawyer! Consult a lawyer!
"The individual that did this was dumb enough to leave the original license in one of the files,..."
:)
Did he leave on good terms? Was he angry at anyone when he left?
I just thought of a great way to mess with a company if I'm a coder who doesn't care about references. Insert the GPL into a bunch of my source files that I spent a lot of time on. As long as I was working alone on that code they wouldn't know I didn't swipe it from a GPL project. They may even spend a bunch of time looking for the original source. They may even post a slashdot story about it.
I suppose you tried calling this guy and asking him.
We know the code was stolen because he admitted that he didn't write it and "borrowed it from the Internet". He consistently refused to tell us where "from the Internet" he got it. The whole thing seems way too suspicious for it to be legal.
Several of us spoke with him before he left and got nowhere. He admitted that he didn't write the code and that he "borrowed it from the Internet". That is all he would tell us. He refused to tell us where he "borrowed" it from. He since left the company, so we can't threaten him with disciplinary actions. The main point of going through this search is 1) for ethical reasons and 2) to make sure that we never hire this guy back as a contractor again.
There is more than just that one file. There are about twelve classes that were "borrowed". Besides, like I said in a different post, the project is at the stage where only "show-stopping" bugs and things with management approval get in. At this point my main objectives are to 1) be able to prove this guy stole code so I can convince management to let me replace it, and 2) make sure he is never able to do contract work with our company again.
Believe me, this whole thing is taking/has taken way too much of my time. I'm just trying to stay focused on doing the ethical thing.