Whose Code Is It, Anyway?
To see in detail how the right tools can help manage compliance without driving developers crazy, I checked in with Doug Levin and John Riley of Black Duck Software. Black Duck focuses on one kind of compliance managementmanaging software-licensing requirements.
Riley points to the fact that developers today commonly "gather various components, such as open-source code, software from outsourcers, and their own company's proprietary code, and glue them together to make finished applications." This assembly model of software development often shortens project schedules, cuts costs, and improves quality.
But it also creates a piece of software that is a complex mix of intellectual property. Ignoring or downplaying the legal risks inherent in the assembly model is neither a viable business strategy nor a good career move for an individual, Riley advises.
You can implement company policies for the use of intellectual property, but it would be foolish to assume that policies are always followed or effective. You still need to be able to analyze the code for the intellectual property obligations embedded in it. Despite all your training and policies, somebody could have downloaded a piece of code from the Internet and incorporated it into your code base. So how do you ensure that your code is a good software citizen?
"Some companies choose to piece together home-grown solutions," Levin says. "The usual set-up includes some combination of open-source tools (such as GREP, CheckSUM, and String Search engines), which they use in conjunction with Google, along with tools like Krugle, Koders, etc."
Black Duck was set up to provide the tools to deal with exactly this problem.
The key component of Black Duck's protexIP is a huge searchable online knowledge base of open-source licensing information. You can create and store queries to speed subsequent searches, check all sorts of file types and languages. The knowledge base contains over 200 million code prints, which is what they call the form in which they represent code for search and comparison.
The product comes in a pro version that is single-user and an enterprise version that builds validation into a collaborative model and includes tools for managing software licenses. It's not enough to know that a particular chunk of code that you are using is owned by so-and-so; you need to know what license applies and to be able to evaluate your use of the code for compliance with the terms of the licenseor rather, your legal department needs to be able to do that. They give you that.
But tools only work in the right environment. As Levin points out, a company putting a tool like protexIP in place needs to create policies and rules and procedures for handling automated code review, assign responsibilities, and implement whatever organizational changes are necessitated by replacing manual/visual code review by an automated system. So it's still, at least in part, a people problem.
I'd kinda hoped it could all be automated.
Michael is DDJ's editor-at-large. He can be contacted at [email protected].