The Open-Source Detector

McDutchie writes "With open-source related lawsuits on the rise, a market is developing for automated tools that detect the presence of open-source code within larger application development environments. Palamida Inc. stepped in with IP Amplifier 3.0, essentially a search tool and a database that consists of more than 38 million of the most commonly used open-source files. Something Google-inspired called CodeRank is claimed to match code against the database. Hmm... maybe someone should run it on this, or even this." Of course, some open source code is perfectly welcome in commercial software, even if that software's code is not itself open; it's no secret or surprise that Microsoft, for instance, has taken advantage in some products of BSD-licensed code.

GPL violations!

[jeroenb]

appears to be the whole point of this tool anyway.

Re:DLL encryption will render this ineffective

[jdmetz]

This tool is meant for commercial software companies to use, to ensure that they are not mistakenly using GPL code in their programs. It is not for open source developers to find misuses of their own code.

Re:windows already has some

[Bill_the_Engineer]

Why hasn't anyone gone after MS for this?

You have confused Open Source with GPL. There is nothing wrong with using Open Source in applications as long as the license permits it.

Why should Microsoft be singled out for it? Expecially when we had people taking GPL'ed code and selling it as closed source...

No Gurantee Against reimplentation

[neomage86]

Usually the key to things is not the actual implementation used, but the algorithm behind it. This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas. There are so many different ways of doing the same thing that this would be trivial. All this does is mean that someone who wants to use GPL code in their closed project must change a few stylistic things around. Open Source software, OTOH, is open to a much higher level of scrutiny, since anyone can see exactly what is going on underneath the hood. It will still be fun to run it against old software though ;-)

Re:GPL violations!

[Jim_Callahan]

Fair enough, I guess. Way to streamline the process of flooding the nation with pointless lawsuits. Maybe between this and medical malpractice, we'll finally be buried under a mile of paper and preserved for future generations of africans to excavate, like in that children's book I read once. Forgot the title.

Ouch.

[91degrees]

Talk about paranoid.

Okay, I can appreciate the need to protect your intellectual property, but what sort of a control freak will go through megabytes of files to work out if some guy may have used a few lines of your code?

I thought the RIAA was overly protective of their rights, but it seems the open source commuity feels exactly the same way.

Re:No Gurantee Against reimplentation

[kagemaru]

Usually the key to things is not the actual implementation used, but the algorithm behind it.

That's fine. Algorithms cannot/should not be copyrighted or patented.

Re:DLL encryption will render this ineffective

[FooBarWidget]

"Mistakenly using GPL code"? How can anyone use GPL code on accident? You downloaded a tarball, you extracted it, you opened it in a text editor, you copied and pasted the code. And then you tell your boss that you did that "on accident"?
Can anyone explain this to me?

Re:No Gurantee Against reimplentation

[Erwos]

"This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas."

I wouldn't be so sure about that. Reputable colleges and universities do exactly that sort of check in CS courses - there are any number of tools designed to check for cheating, and they are not fooled by anything so trivial as changing variable names or swapping a couple statements. They are pretty good at catching cheaters, too.

You are correct in that it can't check "some [random] binary", but this tool was made to run against source.

I'm trying to remember where I'm not allowed to reimplement other people's ideas to begin with, though.

-Erwos

Be careful of FUD

[Anonymous Coward]

The whole advantage of open source is you are not tied to the whims of the original developer.

This seems to be a resurrection of an old attack strategy, pretend that open source is such an burdensome onerouse license that you have to hunt open source code down like a virus.

Its not something to be encouraged!

sigh

[Turn-X Alphonse]

The whole concept of code seems to scream "Some will be the same". Very basic things will look very similar between several things and with the current "justice" system and ignorance of most people this is going to screw OSS.

I just think it's pathetic that we live in an era where people trying to do something nice gets stabbed in the back for it..

Re:No Gurantee Against reimplentation

[Anonymous Coward]

> This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas.

What the fuck are you talking about ?

GPL is a based on copyright. You can't copy/paste the code.

Re-implementing the algos is fine, and have always been.

It is 100% FUD to pretend that code become tainted because you looked a GPL source. Don't spread this. Microsoft would LOVE people to beleive that. It would end up like this in interviews:

- Did you contributed to an open-source project ?
- Well, I once fixed a bug in mozilla
- Sorry, our lawyers said we can't hire you
- Why ?
- You would contamine our IP

Repeat after me. GPL is COPYRIGHT. There is no IP involved. There have NEVER been.

Re:Bah... humbug.

[asliarun]

This sounds more like an auditing software. It looks like this tool would allow you to scan an existing codebase to check for the existence of open-source code nuggets. Considering the licensing minefields that exist today, it's probably a good thing for a release manager to do before a "release to production". This is especially so because a lot of developers routinely copy-paste code from the net and usually don't read the license accompanying the code.

IMHO, this is quite an innovative tool, and would save a release or a project manager a lot of headaches in terms of legal compliance.

Re:windows already has some

[DrSkwid]

How can a perfectly acceptable use of BSD code (BSD code in non-OSS projects) be abuse ?

The BSD goal is good code, not open code.

Re:DLL encryption will render this ineffective

[Vo0k]

Except decrypting the code before running it takes significant portion of CPU time, effectively making the "open source alternatives" much faster. Hiding, obscuring, obfuscating, all that creates a lot of overhead...

And of course it can be done by examining the memory dump instead of executable file. It must be decrypted to run.

Re:DLL encryption will render this ineffective

[cortana]

Maybe you farmed it out to Elbonia, and got back thinly-veiled rip of some Free Software code.

Re:No Gurantee Against reimplentation

[Anonymous Coward]

Usually the key to things is not the actual implementation used, but the algorithm behind it. This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas

I don't understand how this differs from the BitKeeper situation. Reverse engineering is OK. And it sure is a hell of a lot easier if you get source code.

In fact, if reverse engineering from GPL code was not allowed within the GPL, the GPL could be used by unscrupulous people to protect their algorithms against reverse engineering and reimplementation. Just publish the source code, and no one can ever again claim they had a "clean room" reimplementation.

Re:No Gurantee Against reimplentation

[MartinG]

This tool can't possibly ensure that some binary wasn't made by someone who looked at the open source version, and just reimplemented the same ideas.

Good. So long as all they are doing is gathering ideas there is nothing wrong with that. Its like me reading harry potter and then writing a book about wizards. Of course I should be allowed to.

Next you'll be telling us that someone could just look at an application working and then write their own implementation incorporating some of the same ideas. Should they be stopped from that as well? Oh wait, they can be. That's what software patents are often used for.

Re:I wonder...

[FidelCatsro]

Glad to know im not the only one worrying about this.The tool has an anual use fee in the tens of thousands , now the only people using this are not going to be companys who worry that GPL code may slip in(most will have a fairly good clue if it has and not want it publicised) its going to be people who want to try and make some money with patent litegation.

Re:The BSD license argument

[Spoing]

No one licence -- BSD, GPL, other oss, or any of the closed source licences -- are always ideal. Anyone who thinks there is one true licence isn't very smart. Advocate what is appropriate.

Trolling by submitter

[Anonymous Coward]

For the submitter to assume that Microsoft has GPL code is nothing short of trolling. Internally, Microsoft has a strict policy against GPL code. And by the tons of good programmers they have, it is ludicrous to suggest that they need GPL code anyway. The core Windows kernel, IIS, .NET,etc are so different from their OSS counterparts that it would be impossible to import algorithms, let alone code. As for the BSD code, that code has been in the kernel for over a decade. AFAIK, that code has been rewritten and changed several times. They can't change the external characteristics as that would break backwards compatibility. On the other hand, what I would like to know is how many OSS projects reverse engineer Microsoft products to implement functionality. It doesn't matter whether Microsoft's EULAs are moral or not - once you agree to one, you are legally and morally bound to follow it. Don't like it? Dont use MS products. Did anyone notice that the Firefox popup blocked notification changed to look like the IE 6 SP2 blocker?

Simple...

[Kjella]

...seriously, have you looked at how well people respect copyright? Do you expect employees to cease being human when they walk in the door? All it takes is one worker to "download a tarball, extract it, open it in a text editor, copy and past the code", then tell his boss the task is done.

Kjella

Re:The BSD license argument

[elrous0]

Unless they printing counterfeit bills (and I don't think they are), Microsoft does not "generate" any money. Only the government can do that.

Tell me, when someone at work says "Boy, it's a real monkey on my back" do you find yourself wondering why there is no monkey behind them?

-Eric

Re:windows already has some

[shrykk]

The GPL is less free than BSD because it does not grant the licensee as many freedoms.

No, the GPL is more free because it does not permit anyone to take away anyone else's freedom. Say I write some GPL code. You are free to use it, modify it, sell it if you want, but you may not tell any later user or developer that they can't enjoy the same freedoms you have enjoyed.

Scenario 1: Person A writes some GPL code. Person B uses it and modifies it, and releases the code. Everyone else is free to use that code as they wish, as long as they don't try to restrict anyone else's rights.
Scenario 2: Person A writes some BSD-licensed code. Person B uses it, modifies it and starts selling it as a shrink-wrapped product. All his users are restricted by EULAs. They can't have the source code, they can't legally share the program, and they're stuck if B discontinues the product.

In which scenario do you think the licensees have more freedom? It's free as in liberty, not free as in 'free ride'.

Stop thinking small!

[argent]

Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even moral right for Microsoft to use this code.

Not only that but whenever I've been present when someone has asked the people who wrote the code if it's OK for Microsoft to use it, they didn't say "we can't stop them", they said "we want them to use it".

I don't see how you can possibly come up with a more ethical or moral justification for it than that.

Re:windows already has some

[cortana]

The reason I said "regardless of whether you think it is good or bad" was to ignore discussions such as this.

It is very simple: the BSD license is more free, because it grants more freedoms.

Yes, to take this to its logical extreme means that anarchy is maximum freedom. No, this would not be a good thing; but by trying to argue that the GPL is more free (when you should have said that it is better for the user of Person A's software) you have already accepted that unlimited freedom isn't such a good thing anyway.

Re:The BSD license argument

[drsmithy]

*They* benefit from the work of others, how can they call it a cancer?

Because the GPL spreads out to affect more than just the GPLed code that was originally introduced and its subsequent modifications.

For those in the dark side of the force,

[Pastis]

this tool can help you to make sure you change just enough the stolen implementation so that the tool won't detect the similarities, giving you an approval stamp without too much work :)

Re:I wonder...

[cahiha]

I hear this argument a lot, and it's got one fatal flaw -- you cannot use GPL code legally without opening your source.

Correct.

This line of argument seems to be along the lines of "of course you can use GPLed code - just don't get caught", and it's always worried me. Correct me if I'm wrong, I frequently am!

No, that's not what it means. What it means is that the penalties and consequences of violating the GPL are not automatically that your source code itself falls under the GPL. In fact, placing your code under the GPL after the fact is not even sufficient as a legal remedy--it is simply not relevant to anything.

By analogy, if you park in a no-parking zone, the penalty and consequence is not automatically that your car gets towed; maybe you'll get a fine or maybe your car gets disabled instead. And it certainly isn't sufficient for you to say "my bad" and just drive away--you still got a ticket and will have to pay that.

How the copyright holder and how the courts deal with you if you violate the GPL depends on your behavior and on your product. You seem to think that forcing a company to GPL its code is the worst thing that can happen to it if they violate the GPL, but that's not true. On the other hand, that may be too severe a consequence. Either way, changes to the license of the code that was used to violate the GPL after the fact simply aren't relevant to the legal issue of the GPL violation. The only way they may enter is part of a voluntary negotiated settlement, if the copyright holder on the GPL'ed software agrees to accept that as a remedy.

Re:I wonder...

[Anonymous Coward]

No, that's not the point of the argument, the point of the argument is that illegally using GPL'd code is no different than illegally using proprietary code that you haven't properly licensed - it's a copyright violation, plain and simple.

Some people try to paint the GPL as even more dangerous by claiming that unlike proprietary code where you'd only have to pay damages, the GPL would force you to open up all your code and "take away" all of your "intellectual property".

The point isn't that corporations would be deliberately using code that they don't have a right to use, the point is that a large enough corporation can never trust all of its employees.

Re:No Gurantee Against reimplentation

[shaitand]

The reason you are tainted from looking at shared source is the two headed. First the license itself prevents you from utilizing the knowledge with contract law. Second, everything there is software patented.

Copyright does not require a cleanroom implementation. Patents do. Open source code is not patented.

Re:The BSD license argument

[WNight]

But you're just parroting the Microsoft line. They didn't make hardware cheap - the Apple2, C64, and a host of other computers were cheaper than any IBM clone you could buy for quite a while. Did Microsoft make the IBM clones cheaper? No, they charged for what had always been free in the PC world - an OS, that made computers more expensive.

They didn't make the office suite mainstream, that was already happening. Sure, it kept happening while they were around, but it's not like they made something happen that wouldn't have otherwise.

OLE and similar technologies aren't bad, but they're nothing the market wasn't exploring at the time. Apple's OS does the same things.

As for the IDE, they do release the most popular, but that's a function of market share. They didn't invent it - the first I used was Borland C in the early 90s and it was a pale copy of what commercial IDEs were on big iron. As for mainstreaming rapid application development... whoa - where to start?

And I'll take issue with your taking issue with my comment on prices. Microsoft's sole price advantage has always been working on commodity hardware. Arguably this is Intel's doing - the cross licensing they did to be a military supplier and the "clone" market this caused made the x86 the defacto standard. Microsoft just rode the cheap Taiwanese hardware market.

Sure, many Microsoft products are now cheap, and many people who couldn't have had an office suite in the 80s now have one, but they'd have one on whatever hardware and OS existed - every type of product Microsoft makes was already around on other platforms. It might have been WordPerfect or Appleworks, but they were already around in the mid 80s and seem to

You simply miss the perspective you'd have gained if you watched the PC revolution unfold instead of listening to Microsoft tell the story.

Seeing as how Microsoft hasn't brought us anything that other companies wouldn't have bought (likely with less criminal actions involved), their anti-open source policies, and their format and licensing lock-in, I stand by my statement that a PC is more costly today and the market worse off than it would have been if Microsoft hadn't become an OS monopoly and illegally leveraged that into market share dominance in other areas.