Finding compatibility issues in open source software is tedious and complex. Roblimo explains why organizations that look for compliance issues are a valuable asset to the FOSS community.
This was, of course, the question I immediately asked FOSSA founder Kevin Wang. His answer, via email:
Auditing tools like Black Duck or Palamida work best for things like M&A and due diligence; they were designed for those use cases to work with large detail-rich scans, bundled with human review and expert services for one-off transactions (something we’re not focusing on).
However, we see companies hit roadblocks when they try to integrate or scale this into an ongoing workflow. It’s unrealistic to do large-scale code audits in real-time development, especially as we’re using more OSS than ever before and making releases faster than ever before (many of our customers have tried!).
So to make OSS compliance work for an ongoing workflow, we actually had to take a completely different approach. While we do scan code, we work on top of build and code analysis rather than a registry-based approach. Then, we layered a lot more capabilities to make the tool smarter, easier and faster — ultimately to the point where you can run it per-commit during development rather than when you can afford to run, say, a quarterly code audit.
In the blog post Kevin links to in the preceding paragraph, he says, “Every time code is casually shared, it passes on a slew of unknown license and copyright responsibilities for every subsequent developer that uses or spreads the code. Today, developers have no easy way to see what’s inside the code they get. As more code is used/written/shared, legal obligations and risk cascade across the community. Even if your developers diligently avoid casual code sharing, they likely rely on code that doesn’t — and if they’re using a modern language/build system, their tools are automatically pulling in thousands of OSS libraries from casual developers.”
This is a good point. You don’t just need to know how the program you’re using is licensed, but about all the code and dependencies behind it (or hidden inside it). There are a lot of dubious snippets out there on code-sharing sites that may have been posted by employees somewhere who had no right to make them public. If so, and the hammer comes down on them, you don’t want it to come down on your company.
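To make the "obligations cascade" point concrete, here is an added example (not FOSSA's code or data) that walks a constructed dependency graph and reports every transitive package whose license is copyleft or missing, together with the path that pulled it in. The package names, the SPDX identifiers and the simplified license policy are all assumptions made for this illustration.

```python
"""Walk a dependency graph and report which transitive dependencies carry
license obligations up to the root. Added illustration; the graph and the
policy are constructed for this example, not FOSSA's scanner or data."""
from collections import deque

# Constructed dependency graph: name -> (SPDX license id or None, direct deps)
GRAPH = {
    "my-app":             ("MIT", ["web-framework", "image-lib"]),
    "web-framework":      ("Apache-2.0", ["template-engine", "json-util"]),
    "template-engine":    ("BSD-3-Clause", ["snippet-from-forum"]),
    "json-util":          ("MIT", []),
    "image-lib":          ("LGPL-2.1-only", ["codec-core"]),
    "codec-core":         ("GPL-3.0-only", []),
    "snippet-from-forum": (None, []),   # pasted code with no license at all
}

# Simplified policy, an assumption for this example (not a legal analysis).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}

def transitive_deps(root, graph):
    """Return {dep: path_from_root} for every package reachable from root."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:                         # breadth-first, so shortest path wins
        name, path = queue.popleft()
        for dep in graph[name][1]:
            if dep not in paths:
                paths[dep] = path + [dep]
                queue.append((dep, paths[dep]))
    return paths

def classify(license_id):
    if license_id is None:
        return "unknown"
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    return "permissive"

def license_findings(root, graph):
    """Findings a per-commit gate would fail on: copyleft or unlicensed code
    reached at any depth of the tree, with the chain that introduced it."""
    findings = []
    for dep, path in sorted(transitive_deps(root, graph).items()):
        category = classify(graph[dep][0])
        if category != "permissive":
            findings.append((dep, graph[dep][0], category, " -> ".join(path)))
    return findings

if __name__ == "__main__":
    for dep, lic, cat, path in license_findings("my-app", GRAPH):
        print(f"{cat:15} {dep:20} {lic or 'NO LICENSE':15} via {path}")
```

Run against the constructed graph, it reports the GPL codec two levels down, the LGPL image library, and the unlicensed forum snippet, none of which appear in my-app's own license declaration.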
So code licensing compliance is a big deal, to the point where Kevin managed to raise seed capital of $2.2 million almost effortlessly from an impressive group of “angel” investors through world-famous Bain Capital. We have heard, from someone not authorized to tell us, that Kevin had more millions he could have had for the asking, but that he decided to take only the funding he thought he really needed, not all he could get.
Obviously, these people believe Kevin and FOSSA offer something his competitors don’t. For more about FOSSA, its investors, and what the company is up to, including some testimonials from current customers, check this press release.
Okay, (yawn) so this is yet another Silicon Valley company started by a guy so young that he’s only been legally able to buy beer for a year or two. This is true. But it’s also proof that some smart investors figure it’s worth investing in a company that will sink or swim along with FOSS acceptance, so FOSSA is part of a virtuous spiral wherein a new company wants to make it easier (and safer legally) for enterprises to use and write open source software, which will hopefully lead to more FOSS use and creation, which will lead to more companies supporting FOSS in one way or another, and so on… until hopefully, in a rosy future, virtually all computer tasks can be performed with nothing but FOSS.
This is still a bit of a dream, but it’s a good one. Meanwhile, we’ll check back with Kevin and FOSSA in a month or two and see how they’re doing. You always get nothing but optimism during a company’s initial PR blast (disclosure: masterminded in this case by my old friend Jill Ratkevic), so the time to really find out what’s going on with a company and the market it’s in is after things have had a chance to shake down, and reality has set in. That’s when we’ll interview Kevin for real.
Note to readers about free software video editing: I now have KDEnlive installed and running on Linux Mint, but the learning curve has turned out to be (let’s say)… substantial. I’ve managed to effortlessly ingest several MP4 clips, a few still images, and two MP3 audio files, which is a big deal compared to free software video editors only a few years ago. (Yay!) Now I need to scare up time to actually do some editing in KDEnlive!
Robin "Roblimo" Miller