SourceForge Bans Users From Certain Countries

Open Source Community

Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
Last week the open source hosting giant sourceforge.net officially blocked access to its site by any users located in Cuba, Iran, North Korea, Sudan, and Syria. SourceForge was compelled to do this by the United States Export Administration Regulations (EAR), which control the transfer of encryption technology, including software, to countries outside the U.S. and to certain individuals within the U.S. The EAR contain detailed guidelines about what individuals and companies operating within the US may and may not do with encryption technology.

The EAR allow “publicly available” code like open source to be hosted on websites in the US and freely downloaded under a special rule called License Exception TSU. However, TSU still restricts “knowing” exports to Country Group E (the countries listed above). Simply making code available on a website does not by itself constitute knowledge and does not trigger “red flags.”

What is interesting is that the US Commerce Department’s Bureau of Industry and Security (BIS) has written an advisory opinion allowing free and anonymous downloads of “mass market” items as long as the hosting site is not capturing user contact information. “Mass market” is a legal term for commercial items that have applied for and received that designation from the BIS. Does the opinion on “mass market” items bless the industry to allow open source downloads to Country Group E? Common sense might say ‘yes,’ but this is a legal question that would have to be settled by the BIS.

Mozilla General Counsel Harvey Anderson argued this point to the BIS. Mozilla noticed that users from Country Group E (namely Iran) were downloading Firefox, which contains encryption. The Mozilla Foundation now had knowledge that the code was being exported to Iran, which on its face looks like a violation of License Exception TSU. Mozilla made a voluntary disclosure of the situation to the authorities, who reviewed the facts and provided Mozilla with a no-violation letter.

Anderson was quoted in the press saying that this ruling was a victory for the open source movement and applies to the broader open source community. That may be true, but a definitive statement would have to come from the BIS itself. Anderson rightly encourages other organizations to seek legal counsel for their own situations.

Mozilla Firefox is freely and anonymously downloadable. SourceForge allows anonymous downloads but requires users to register before participating in other aspects of the site. Registration gives SourceForge knowledge of a user’s identity and location, and that could very well be the problem SourceForge has addressed with its new access policy.

Update: In response to strong pushback from its user community, SourceForge has decided to change its export policy to allow project leaders to set access controls on a project-by-project basis. Judging from the first few comments, users are more comfortable with this approach. The Apache Software Foundation takes a similar approach, asking developers to understand and comply with the regulations themselves. If you need help understanding your obligations under the US Export Administration Regulations, Black Duck has some good introductory white papers on the subject. There is also some good training material on the BIS website.


Free Loans at 0% Interest

Open Source

Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
In a recent Black Duck survey, we found that companies doing software development are using significant amounts of open source software: about 22% of the code we examined was identified as originating from an OSS project.

The cost savings from strategic use of open source can free up precious software development resources and compress project schedules. To calculate how much, see the Black Duck ROI calculator.

Many developers and managers have anonymously used this calculator to help decide whether to reuse existing software or write a software component from scratch. The calculator allows one to enter assumptions for the different factors that affect this decision. For example, the average value entered for the cost of a software developer was $79,000. This value varies by company and region. When companies compute the cost of a developer, they start with salary but add in other costs as well: benefits, overhead such as utilities and administration, and expenses such as dev tools and hardware. These costs typically add a significant uplift on top of salary. When the Linux Foundation published an estimate of the cost of developing Linux, they called this uplift the “wrap rate” and fixed it at 2.4 times salary, a figure that originated in a well-known study by David Wheeler. With that in mind, the $79,000 figure either represents salary only or reflects a lower-cost region of the world rather than the major business centers in Europe and North America.

Additionally, people entered 16,000 as the average number of finished lines of code produced by a developer in a year. This number is much higher than we would have expected. When you include architecture, design, debugging, QA, compliance and administration, the number of fully tested, vetted lines of code tends to be much lower. The Software Engineering Institute at Carnegie Mellon estimated this value at about 20 lines of code per day (roughly 4,440 per year). Users may not have been considering these other activities when using the calculator, so the 16,000 figure probably reflects only the creation of new code.

With these caveats in mind we can start to look at the compelling economics of using open source. The average application size entered was 363K lines of code. At the average salary and developer productivity noted above, creating a 363,000-line application from scratch requires about 22 developer-years (363,000 / 16,000) or roughly $1.8M USD (22.7 developer-years × $79,000). Note that applying the 2.4x wrap rate and the SEI productivity figure instead would push that estimate far higher.


Open Source Rookies of the Year 2009 – Behind the Numbers

Open Source Community

Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
How does Black Duck identify the top 10 open source Rookies of the Year when there are over 19,000 new projects to evaluate? It’s challenging, time-consuming and fun. Time-consuming because in 2009 developers created an average of 52 new projects per day, running the gamut in functionality from mobile to games to tools to desktop applications to frameworks. Challenging, because we need to use a fair process. And fun, because we get to spot trends early on.

You can read our list of the top 10 (Link to top 10 list), but I want to talk about the honorable mentions here. Leading the list is the Android mobile operating system. Created in October 2008, it was not established enough a year ago to make our 2008 Rookies list, but it has made a major impact on the industry. The Android team has put out seven releases, the software is shipping in top mobile phones, and the buzz is everywhere. Also important is that Android has spawned children: there are 295 open source projects with the name Android in the project name or description.

Also notable are BabBot, a bot created for the popular World of Warcraft game; Cahoots!, a community-building platform for technically-oriented communities written in PHP; Foswiki, a wiki and collaboration platform that gives users the ability to structure data and build applications (a fork of twiki.org); and Termtter, a terminal-based Twitter client. Clearly, gaming, collaboration and communications are top-of-mind in open source.

Congratulations to our 2009 Rookies and their developers, and to the Honorable Mentions, stars in their own right.


A Measure of Success Amid a Lot of Failure

Open Source

Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
There are many consulting firms that earn a living on the fear, uncertainty and doubt associated with the failure of IT projects. It’s not hard to find statistics warning of the many risks inherent in new software product or application development. Here are three of many examples:

• A market survey cited by CIO.com reports that 62 percent of IT projects fail to meet their schedules.
• IAG writes that “68% of companies are more likely to have a marginal project or outright failure than a success.”
• Standish Group’s well known Chaos Report describes over 80% of IT projects as being “challenged” or “cancelled.”

According to these oft-cited studies, it may be more of a surprise when a development project actually goes right.

I was pleased to see a recent 451 Group survey showing that 87.2% of 1,711 IT professionals rated open source software as “meeting or exceeding financial-benefit” expectations. This comes as little surprise to those of us who work with and around open source. OSS adoption has been rising slowly and steadily, helped along by a tough economy that has significantly squeezed IT and engineering budgets. 451 Group further writes that 46.5% of those surveyed are more likely to adopt open source as a result of the current economic climate. This market transformation has driven robust demand for solutions like the Black Duck Suite, which just finished another record year. If properly managed from a risk and compliance perspective, the productivity and cost benefits of open source can be significant. My take on the 451 Group report is that strategic use of open source is being widely used to lower costs. In an environment where a majority of IT projects are delivered late and over budget, it’s nice to have a high-probability success in the mix.


12 Days of Koders – Twelfth Day

Open Source Search

On the twelfth day of Koders my search engine gave to me . . .

These past weeks, we have been tweeting and blogging daily about the search terms and projects that are the most useful to our Koders.com user community (see below). We said we would deliver a surprise, and we have!

First, we have added about 100 million LOC (lines of code), and Koders.com has officially broken the 2.5 billion line barrier. We have billions more in the Black Duck KnowledgeBase, collected from over 4,500 Internet sites. Our goal is to make the KnowledgeBase the most comprehensive store of open source project information and code, and to make that code available as a free resource for the global development community; we have a team dedicated to both manual and automatic collection of code.

Second, we are going to productize the code search in Koders so that developers can apply search to their own code, inside the firewall. We believe that code search is the most significant productivity boost for software developers to come along in quite a while. We’re calling it Black Duck Code Sight™. You’ll be able to download and use it free of charge on up to 5 million lines of code, and it will be upgradeable to an Enterprise Edition. If you like Koders.com, just wait until you experience Code Sight.

Developers interested in being notified about the availability of the free or enterprise version of Black Duck Code Sight can register at: www.blackducksoftware.com/code-sight


Copyright 2009 Black Duck Software