I came across this editorial fear-mongering about software property management by the CEO of Palamida. He tries to relate it to the Grokster case (and gets it wrong).
His argument works this way:
- Programmers are using open source components. (He refers both to your own ignorant, overworked drones coding at midnight and, playing the xenophobia/tribalism card, suggests those pesky offshore consultants might be doing you in as well.)
- These open source components have licenses you need to respect. (Agreed.)
- It's complex. (Agree much less.)
- You might get sued (with incorrect hand-waves at Grokster and SCO). (Disagree.)
- You need to educate yourself. (Well, he at least got that right.)
He never once mentions that his company sells a nifty tool that scans software for matches against open source projects. A wander through the Palamida web site and a read of the white paper demonstrate that it suffers from the same problems as other tools in this space.
The tools all claim to scan your source against a library of open source signatures, as if open source were somehow the cause of this problem. The first assumption is that developers must be stripping copyright notices or directly plagiarizing code fragments (otherwise a file tree walk with grep would find the relevant copyrights). The second assumption is that you must be in violation of the license.
The real problem, however, is that such tools (and I'm assuming they perform well and are robust) can't find the problems with all the other third-party code sources that could show up in your source code (text books, portals like MSDN and the O'Reilly Network, third-party library code from Oracle, RogueWave, etc.). These third-party, corporate-backed sources are more likely to litigate than a free or open source software project that simply wants you to comply with its license, and the scanning tools won't find those problems.
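To make the "file tree walk with grep" concrete, here is an added example (not from the original post or from any vendor's tool) that inventories copyright and license notices in a source tree and lists the files that carry none. The sample tree it builds is constructed for the demo; it assumes a grep that supports `-r`, `-L` and `--include` (GNU or BSD grep).

```shell
#!/bin/sh
# Added example: the cheap notice inventory the post alludes to.
# It finds whatever copyright/license wording is present; a file whose
# header was stripped shows up only as "no notice found", which is exactly
# the case a signature-scanning tool sells itself on and a grep cannot settle.

# Build a small constructed tree: two files with intact headers, one stripped.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/vendor"
  printf '/* Copyright 2004 Example Corp.\n * Licensed under the Apache License, Version 2.0 */\nint a;\n' \
    > "$dir/src/a.c"
  printf '// Copyright (C) 2003 Jane Doe\n// This program is free software; GPL v2 or later\nint b;\n' \
    > "$dir/vendor/b.c"
  printf 'int c; /* attribution stripped: nothing here for grep to find */\n' \
    > "$dir/src/c.c"
  echo "$dir"
}

# Inventory: every distinct copyright/license line under $1 (C sources only).
list_notices() {
  grep -rhiE --include='*.c' --include='*.h' 'copyright|licen[sc]e' "$1" \
    | sed 's/^[[:space:]]*//' | sort -u
}

# Review queue: files under $1 with no copyright or license wording at all.
files_without_notice() {
  grep -rLiE --include='*.c' --include='*.h' 'copyright|licen[sc]e' "$1" | sort
}

# Stand-alone run: print the inventory, then the files needing a human look.
if [ "${0##*/}" != "sh" ] && [ -z "$NOTICE_SCAN_NO_MAIN" ]; then
  tree=$(make_sample_tree)
  echo "== notices found =="; list_notices "$tree"
  echo "== files with no notice =="; files_without_notice "$tree"
  rm -rf "$tree"
fi
```

Files in the second list are the only ones a notice-based walk cannot vouch for; everything else is a license question, not a detection question.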
I wrote about open source risk management in the enterprise earlier when it came to SCO.
Free and open source developers (including the ones lurking inside your walls) likely know more about intellectual property than the average commercial software or enterprise developer. There are even straightforward books in this space [Rosen, St. Laurent]. Education is key. Fear is not. Tools will only leave you with a false sense of security. (I wonder if the tool vendors will indemnify you for any infringement lawsuits from "third parties" because the tool vendor didn't get the signature database complete?)