Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
Open Source License Auditing Tools Still Need Someone Knowledgeable Behind The Wheel
Yesterday my colleague Charles Babcock brought us the news about <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=205918228&subSection=News" target="_blank">HP's release of the FOSSology tool</a>, a license-auditing application that promises to help organizations cut through the thickets of software licenses that can come with open source programs. When you get down to it, though, it's just a tool: the real decisions about software licensing have to and always
January 25, 2008
3 Min Read
Yesterday my colleague Charles Babcock brought us the news about HP's release of the FOSSology tool, a license-auditing application that promises to help organizations cut through the thickets of software licenses that can come with open source programs. When you get down to it, though, it's just a tool: the real decisions about software licensing have to and always must be made by warm, breathing bodies.
As Charles explained in his summary, FOSSology is an application that analyzes source code repositories of software to determine what licensing schemes are in effect for that software. The license scheme(s) used by a given piece of code is typically described in a header prepended to the code; FOSSology crunches this information and tries to determine as best it can what licenses are being used, how they vary, and where they may clash. A single project can have a whole congeries of different software licenses in effect; it's not always obvious what's being used or even if the code a given license is attached to is being employed.
To that end, the program's also been attuned not only to look for the texts of known licenses like the GPL, but to look for key phrases that indicate a license may be in effect (e.g., "This program is licensed..."), but it can't determine what they are offhand, and so they're broken out into their category ("Phrases"). Found texts are highlighted with differences broken out so you can see what text the program has tagged as being a likely suspect for a license.
For an absorbing demonstration of how the program works, go check out the movies that have been posted on the FOSSology site. My favorite, since it's the most concrete and easy to follow, is one where FOSSology is set loose on Abiword and appears to detect an incompatible license scheme in the source ... but the answer may be a little more complex than that. Go watch the video; it's nifty just on the level of basic geekery, and it also gives you an idea of how nuanced this issue can be. (The full rundown of screenshots and demos is available here.)
As you can see from the demo, FOSSology is just a way to break this information out and make it more digestible. It doesn't make licensing decisions for you -- no more so than, say, a spellchecker or grammar program can force you to shed unorthodox spelling or enrich your vocabulary. That means it has to be piloted and implemented by people who already have an understanding of what's compatible with what and why.
Proprietary and open software both carry different kinds of responsibilities with them for their use. It's not uncommon for the plethora of licenses out there to be wielded as a cudgel against open source: e.g., you better watch out, or you'll discover you have to give your software away, or some variant on that. The way I see it, FOSSology is just one more way to shut those people up.
About the Author(s)
You May Also Like
NIST Cybersecurity Framework 2.0: Changes, impacts, and opportunities for your InfoSec program
10 Considerations to Building Hybrid Mesh Firewall
Hybrid Mesh Firewall: An Essential Solution for Today's Distributed Enterprise
*State of Accounting and Legal Services
Solution Brief: Fortinet FortiFlex Delivers Usage-Based Security Licensing That Moves at the Speed of Digital Accelerationâ€‹