Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
GNU is Not Unix

The Open-Source Detector 340

McDutchie writes "With open-source related lawsuits on the rise, a market is developing for automated tools that detect the presence of open-source code within larger application development environments. Palamida Inc. stepped in with IP Amplifier 3.0, essentially a search tool and a database that consists of more than 38 million of the most commonly used open-source files. Something Google-inspired called CodeRank is claimed to match code against the database. Hmm... maybe someone should run it on this, or even this." Of course, some open source code is perfectly welcome in commercial software, even if that software's code is not itself open; it's no secret or surprise that Microsoft, for instance, has taken advantage in some products of BSD-licensed code.
This discussion has been archived. No new comments can be posted.

The Open-Source Detector

Comments Filter:
  • I wonder... (Score:4, Interesting)

    by 0x461FAB0BD7D2 ( 812236 ) on Wednesday May 04, 2005 @08:38AM (#12430654) Journal
    Could this tool be used in reverse?

    For example, one could write a bug-filled line of code, perhaps something with a buffer-overflow. This could then be matched with open-source projects and projects with buffer overflows are found. Of course, this could also be used to find vulnerabilities and so on.
    • Re:I wonder... (Score:5, Insightful)

      by FidelCatsro ( 861135 ) <fidelcatsro@gmail.cOPENBSDom minus bsd> on Wednesday May 04, 2005 @09:03AM (#12430831) Journal
      Glad to know im not the only one worrying about this.The tool has an anual use fee in the tens of thousands , now the only people using this are not going to be companys who worry that GPL code may slip in(most will have a fairly good clue if it has and not want it publicised) its going to be people who want to try and make some money with patent litegation.
    • No, because it only detects the exact same code - as someone else pointed out above, simply rewriting the OSS code would be enough to defeat it. Very few buffer overflows are written identically. One place you could use it to look for vulnerabilities, though, would be looking for older (vulnerable) versions of libraries in staticly compiled programs
  • by marcovje ( 205102 ) on Wednesday May 04, 2005 @08:41AM (#12430672)

    >Of course, some open source code is perfectly >welcome in commercial software, even if that >software's code is not itself open; it's no secret >or surprise that Microsoft, for instance, has taken >advantage in some products of BSD-licensed code.

    This example (socket code) often pops up, and is often used in GPL advocacy.

    Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even moral right for Microsoft to use this code.
    • Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even moral right for Microsoft to use this code.

      Granted. However, if they do so, their horse isn't so high when they harp on and on about having strict intellectual property controlls. *They* benefit from the work of others, how can they call it a cancer?
      • *They* benefit from the work of others, how can they call it a cancer?

        Because the GPL spreads out to affect more than just the GPLed code that was originally introduced and its subsequent modifications.

        • No it doesn't. It only affects code that is combined with the GPL code and released. You can use the code with your own code to your heart's content, but if you want to distribute GPL code then any code combined with it needs to be GPL (or GPL compatible) as well.

          But of course you accepted the license when you used the code so that shouldn't cause you any problems. It's entirely voluntary. If you decide you want to release your code, but not GPL it, you can just replace the GPL code with more of your own.
          • No it doesn't. It only affects code that is combined with the GPL code and released. You can use the code with your own code to your heart's content, but if you want to distribute GPL code then any code combined with it needs to be GPL (or GPL compatible) as well.

            Indeed. Of course, "combined" in GPL-speak can mean "linked", so you can end up with code completely unrelated to any GPLed code having to be GPLed because it's magically become "combined" with the GPLed code.

            As I said, the problem is the GPL

    • Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even moral right for Microsoft to use this code.

      Microsoft does not have the moral right to use it because it prevents the exact same thing from happening again. It seems to concentrate on shoveling money from governments (US included) into it's bank even after reaping the benefits of public funded open software.

      The obvious double standards is what we look down upon.

      • THe 'publically funded open software' is still available for you to use and build on. Microsoft has the moral right, just as you yourself do, and microsofts use of that code in no way detracts from your use of the same code. You both have the same advantages and the same starting position.
    • Some would argue that since it's immoral for them to be writing closed source operating systems, it is more moral to try and stop them doing this.
    • No one licence -- BSD, GPL, other oss, or any of the closed source licences -- are always ideal. Anyone who thinks there is one true licence isn't very smart. Advocate what is appropriate.
    • by argent ( 18001 )
      Note however that the TCP/IP work was done under a DARPA grant, paid for by the US government, so it is not only legal, but even moral right for Microsoft to use this code.

      Not only that but whenever I've been present when someone has asked the people who wrote the code if it's OK for Microsoft to use it, they didn't say "we can't stop them", they said "we want them to use it".

      I don't see how you can possibly come up with a more ethical or moral justification for it than that.
      • by WNight ( 23683 )
        Microsoft has lobbied to keep the US government from using open source and has done their best to hurt open source and the people involved in it.

        I'd say that's a good argument for them being prevented from using any open-source of public domain project. After all, it is communism...

        But yeah, the point of the BSD license is to get closed-source companies like MS to use the standards. They in no way deserve it, but it's in everyone's best interests that they do.
  • high costs? (Score:4, Interesting)

    by moz25 ( 262020 ) on Wednesday May 04, 2005 @08:43AM (#12430691) Homepage
    Palamida charges $50,000 to $250,000 for an annual subscription to IP Amplifier. Cost depends upon the size of the customer's development environment.

    That seems rather steep. Are they doing something really complicated or is this something that a well-maintained (open-source?) project could do? Of course they are storing a major amount of information (i.e. all of sourceforge/freshmeat).
    This might in fact be a feature that sourceforge might want to implement (for a fee): doing a search in their database.

    On the other hand, it might make more sense to check against proprietary source, data and images. They are, by their nature, harder to find.

    Also: when outsourcing parts of a project, wouldn't a contract have to state explicitly conditions such as not stealing/borrowing code from elsewhere? It would be a minimum requirement that the licensing of any (sub-)code would have to fit the overall product.
    • There's a copy/paste detector that works with Java, C, PHP, and Ruby here [].

      But, like some other folks have said, the hard part is keeping all the open source code handy for comparison purposes...
  • Be careful of FUD (Score:4, Insightful)

    by Anonymous Coward on Wednesday May 04, 2005 @08:44AM (#12430699)
    The whole advantage of open source is you are not tied to the whims of the original developer.

    This seems to be a resurrection of an old attack strategy, pretend that open source is such an burdensome onerouse license that you have to hunt open source code down like a virus.

    Its not something to be encouraged!
  • sigh (Score:4, Insightful)

    by Turn-X Alphonse ( 789240 ) on Wednesday May 04, 2005 @08:45AM (#12430700) Journal
    The whole concept of code seems to scream "Some will be the same". Very basic things will look very similar between several things and with the current "justice" system and ignorance of most people this is going to screw OSS.

    I just think it's pathetic that we live in an era where people trying to do something nice gets stabbed in the back for it..
  • The company has some other bussiness such as , outsourcing

    For companies engaging outsourced developers, Palamida:

    * Reduces your exposure to inadventant IP risksTake hold of software outsourcing by quickly assessing the origins of software IP sourced from contractors.
    * Helps the origins and ownership of third-party code.
    * Gets the most of out open source and externally developed tools.
    * Increases efficiency, consistency and understanding.

    Now its wonderfull theat they help people get the most out of OSS software but i dont like the fact they are making outsourcing easier .This is not so much a problem where i live but in the USA as i understand it many people are loosing their jobs in the tech industry thanks to companys trying to save a fair bit by outsourcing to cheaper areas .

    The Outsourcer: A Best-in-Class Tool for Best-in-Class Processes

    Outsourcers are playing an increasingly crucial role in global software development. Large, medium and small companies are looking to tap developers in the hopes of advancing their own software IP and business opportunities.


    Again , I wouldnt want to do bussiness with a company that promotes this behavious , i am all for globalistation , but not for screwing people over as the companys seek to hype profits by exploiting cheap labout , Now safely aparently.. Perhaps i missunderstand the term outsourcing in this sense , though to me it always say "Contracters so we dont have honour the workers rights, localy or globaly".

    <ecode>For M&A teams, Palamida helps:

    * Identify and quantify IP issues early in the deal.
    * Improve certainty before closure, increasing your closure rate.
    * Reduce your legal exposure.
    * Immediately value software innovation and intellectual property.
    * Tap into the most up-to-date software IP database available.
    * Secure the best possible valuation.

    <b>* Speed your assessment of open source and third-party code.</b>

    Again my second problem is there strong patent support here .It just makes me as someone who uses and contributes to OSS uneasy.(just my opinion and how i feel , not a statment of fact )

    IP Diligence, Compliance Enforced

    On to the legal section ,Their bussines model is basicaly that of enforcing IP rights , sure that may help us find companys abusing GPL code , but it also swings both ways and can open up a whole host of patent cases against GPL software.

    For counsel, Palamida:

    * Improves the timeliness and quality of legal diligence
    * Automates compliance processes.
    * Provides real time information on your code base.
    * Adapts to your business processes and workflow.

    Fair enough this can be usefull in this day and age , allowing you to pay them to make sure your not infringing on any patents , But this just dosn't work on 90% of the OSS projects out there , i am betting it costs a fair whack.Most people using this on OSS are IMHO going to be looking to enforce a patent case ala SCO.The potential minefield here is not fun.

    or the open source community, Palamida:

    * Supports and evangelizes on the use of open source software.
    * Boosts productivity by spending time developing and not worrying.
    * Pushes forward in unison with legal and business staff.
    * Materially reduces open source compliance concerns.
    * Creates new business by proving the merits of open source technology

    Now that is alot better ,I can strongly respect what they are doing here .Still i dont like that they keep harping on about IP compliance..

    I am probably just being paranoid an

  • by putko ( 753330 ) on Wednesday May 04, 2005 @08:55AM (#12430777) Homepage Journal
    I worked at a ruthless company. Part of the culture was to get results as fast as possible and completely ignore things like licenses, rules and laws, if it helped to make money.

    We certainly would have violated the GPL in a second, given that one couldn't really prove damage to the other party (aging idealist hippies with beards who were naive enough to give away software with a silly "license").

    The ripoff of commercial software was driving me nuts though -- it seemed quite wrong, esp. given that we were raking in the dough and were not paying just because we could easily avoid it through technical measures.

    However, part of the "culture" was that we were so busy that we were sloppy about the misdeeds. We wouldn't have had time to cover our tracks.

    Such tools would have caught us, so I'm guessing such tools will lead to finding many similar violators.
  • It's good that a company is offering a comprehensive solution for this, and one that already contains lots of FOSS code.

    Contrary to the company's claims of being "groundbreaking", that's not new: plagiarism detectors, code duplication detectors, etc. have been around for a while.
  • by Pastis ( 145655 ) on Wednesday May 04, 2005 @09:52AM (#12431241)
    this tool can help you to make sure you change just enough the stolen implementation so that the tool won't detect the similarities, giving you an approval stamp without too much work :)
  • So this article got me thinking about what it would take to make a program which automatically scans binary software for OS code. I imagine it is possible but it would be an interesting programming problem.

    One early thought is that you could scan for matching arithmetic operations. Walk through the assembely and keep a table of register contents/memory contents/constant loads to regenerate algabraic operations. By transforming these operations to some canonical form one could match algabraic operations
  • by Shazow ( 263582 ) <andrey.petrov@s[ ] ['haz' in gap]> on Wednesday May 04, 2005 @11:39AM (#12432226) Homepage
    For one of our second year programming assignments, our lecturer posted a bunch of example code that she used during lecture.

    It was sockets in C. The code was very poorly written, it actually contained a couple of GOTO statements. One of the files contained a typo in the commenting, so I figured... Let's google it!

    And wouldn't you know it, several hundred results.

    I'm not sure what I was angry at: Our lecturer not giving any indication that she didn't write the code, or not citing her sources, or giving us such crappy code to start with...

    But needless to say, I was angry. :D Still am! *shakes fist*

    So, to tie this to the topic, nothing works better than searching for typos! :D Google does a decent job for those who don't have access to a fancy OSS database.

    - shazow

I've got a bad feeling about this.