A Dutch software engineer and an Irish political scientist have just published tools to help firms avoid violating open source licences.
The website hosting the tools was unveiled here, yesterday.
The tool audits the contents of compiled software, explained Shane Coughlan, former legal expert at the Free Software Foundation Europe (FSFE), in his video introduction.
The set of Python scripts read binary code and automatically compares it to source code. It extracts file systems and then starts to identify strings and search for known symbols. It feeds the results to a knowledge base and in a matter of minutes reports on the open source components it uncovered.
Now that should help companies discover that they overlooked their use of open source.
“This tool automates what I have been doing by hand for many years”, grinned Armijn Hemel, a software engineer specialising in open source licence compliance. He is the main author of a 2008 guide on the topic and at times assists the GPL-Violations Project, which bruises many a company’s nose by uncovering licence problems.
“A hundred and fifty cases were settled just before or after filing charges”, boasted Hemel. Examples include Fortinet, which in 2005 was found to conceal their use of open source code using cryptography and D-Link, convicted by a German court in 2006.
And open source is no longer used only for routers and switches. Firmware sleuths like Hemel are now also studying consumer electronics including projectors and television sets.
But taking companies to court is not the highest purpose for the Binary Analysis project, urges Hemel. “We would rather help companies comply with free and open source licences.”
He finds manufacturers often are completely oblivious of what is in their firmware. Such appliances are typically built in far away countries, and their unknown developers could either accidentally include open source components, or forget to document that they did.
Most companies whose firmware the engineer has pried apart, wish to abide by the rules, but don’t know their way around the open source licences. “Others invest lots of time and money to be compliant. They find it not funny at all to see our tool take them down in less than two minutes.”
(copyright 2010 Gijs Hillenius. All rights reserved)