IT Week: What do developers have to gain by using Black Duck software
to manage open-source development projects?
Levin: What our software seeks to address is code complexity combined with the
need to manage composites and licences. Lots of different bits of code have been
put together in a distributed manner at multiple sites producing a complex mix
of proprietary, open-source and third-party modules and composites, which
creates structural issues. In many cases, the binaries are present as well as
the source code; Black Duck’s ProtexIP looks at both.
IT Week: But haven’t developers always been taught to keep tight manual
control of their code revisions?
Levin: They have, but the number of revisions now being turned out, and the period of
time between those revisions, has changed a lot over recent years. We found
senior members of the engineering team in one company who were an entire
generation behind their colleagues – they assumed they had the current version
but did not realise they were a whole point release out. In the past, developers
may have produced two to three revisions over an 18-month cycle. Now we are
talking about two to three revisions a month – the open-source development
community can be extremely dynamic and is constantly reviewing the code.
IT Week: How do licence management issues affect open-source
software?
Levin: Many companies subscribe to unapproved variations of the 60 approved open-source
licences currently available. Also, many open-source solutions have multiple or
dual licences. Keeping track of those is a challenge, not least because there
are now multiple pieces of differently licensed code within individual projects,
which might include proprietary and third-party licences as well. In 2003, you
would have expected a project to use two or three open-source licences; now that
figure is up to 15 or 20.
IT Week: Does Black Duck face any competition in this market?
Levin: We mostly compete with companies that have done their own home-grown licence
management solutions, usually a couple of cobbled-together functions like string
search. But these do not provide any auditing capabilities or mapping of
particular licence issues. What we do is a literal side-by-side comparison of
code segments and blocks, and we go through thousands of lines of code.
IT Week: What are the consequences for companies that fail to track their
open-source licences properly?
Levin: Several European companies have already run into open-source licensing and legal
issues, and there is an organisation called gpl-violations.org that has sued
118 companies. There is a risk in using open-source code, but it can be managed.
About Doug Levin
Doug Levin is founder and chief executive of Massachusetts-based Black Duck
Software.
Before setting up Black Duck in 2002, Levin served as chief executive of
MessageMachines and X-Collaboration Software.