Black Duck Partners with SourceForge for IP Protection
by Timothy Prickett Morgan
Having recently got some competition from Palamida in the software intellectual property tracking business, Black Duck Software, the originator of the idea of tracking the source of source code in open source and commercial software development projects, has been turning up the heat to build its business and keep ahead of the competition. One of its key partners is turning out to be VA Software, one of the early commercializers of Linux and the owner of the SourceForge distributed, open source development community.
Black Duck was founded in December 2002, only a few months before the SCO Group launched its $3 billion lawsuit against IBM alleging that Big Blue has allowed Unix intellectual property (controlled by SCO) to get into the open source Linux operating system. Had something like the protexIP product created by Black Duck been around a decade earlier--and had it been widely endorsed by the IT community--this kind of situation might have been avoided. (And a fair argument can be made that such seals of approval and clean bills of health ought to be required for closed, open, and mixed source programs that are available as commercial products--whether they are sold with traditional software licenses or under an open source, services model. But that is another story. . . .)
Black Duck's protexIP program uses fuzzy logic, pattern recognition, and statistical ranking to match code in developer-created applications against code snippets in a knowledge base. This spring, when Black Duck launched an online version of its tool, protexIP had over 40 gigabytes of open source fingerprints--key code snippets--that allow programs from thousands of open source projects (with more than 450 different licenses) to be identified--even if you take out licenses, comments, attributions, and other elements. ProtexIP went into alpha in September 2003, into beta in December 2004, and into release 1.0 in May 2004; an updated 1.1 release came out in October 2004. Black Duck then signed partnerships with Open Source Development Labs, Red Hat, and CollabNet, and these open source development organizations use protexIP to make sure the programs that are developed under their wings are compliant with all of the various licensing terms out there in open source land. In April of this year, the protexIP OnDemand service, which allows programmers to log into a remote knowledge base and scan their code rather than running the protexIP tool locally on their networks, was launched.
Shortly thereafter, Palamida launched its alternative to protexIP, which is called IP Amplifier 3.0. Palamida came on pretty strong, saying its code snippet repository had more than 38 million snippets covering more than 40,000 open source projects, including both source and binary versions of the snippets that allow IT project managers to check both source and compiled versions of applications for license violations.
In June, Black Duck came back at Palamida by forging an alliance with VA Software. Under that alliance, customers who acquired the commercial versions of the SourceForge distributed development platform--the same one that is now used to manage well over 100,000 open source projects out there on the Internet--would be able to acquire an integrated product that combined the protexIP code scanner and repository with VA's SourceForge Enterprise Edition. In addition to integrating their programs, Black Duck and VA Software agreed to co-market and sell the integrated product.
Yesterday, Black Duck and VA Software announced the flip side of the deal. In June, VA Software's customers were given access to protexIP, and with the deal announced yesterday, Black Duck's customers who may or may not use the SourceForge development tools will nevertheless be able to make use of a full repository of the SourceForge projects that is now housed at Black Duck's data center and scan their own code against that repository. This is obviously a very big deal for Black Duck, since it needs all the code in SourceForge to create its code snippets. Having a fully replicated and authorized version of SourceForge in its own data center and woven into the protexIP service is about the only way this could possibly work, short of milking the SourceForge site continuously from the outside. Equally importantly, because Black Duck will have a replicated version of the SourceForge site, when people add new projects, the protexIP service will be linked into those new projects immediately. Black Duck doesn't have to keep track of which projects are in SourceForge any more, and it can then more fully automate the process of creating the code snippet fingerprints that identify each project in SourceForge.
Financial terms of both halves of the Black Duck-VA Software partnership were not divulged.