Black Duck Hub Makes Open Source Software Attribution Even Easier

Good cannot exist without evil. Giving cannot exist without ownership. Copyright cannot exist without attribution. Ok, maybe that last one is a stretch, but it makes a point. If copyright is saying “this is mine,” and a license is saying “this is how you can use it,” then attribution is saying “Yes, I am using it.” If attribution is done right, it is akin to saying “thank you,” except that the licenses usually require you to say it. But, just as saying “thank you” is a basic requirement of good manners, attribution is often the minimum requirement for being a polite and courteous citizen of the open source world.

Saying Thanks

So, saying “Thanks” is easy… right? Well, sure, if it's a habit. It is not difficult to give thanks if you are aware of the situations that require it. However, if you have ever watched someone make an award acceptance speech in which they are supposed to acknowledge all the other folks who helped them succeed, then you can see how easy it is to get wrong. Which individuals or groups do they thank? Do they remember everyone who made contributions, especially those made a while back? Who will really be hurt (and potentially damage a relationship) if they are not thanked? And, even if they remember everyone when writing their speech and have the best intentions, will they actually do it when delivering it, or just blow it and look like a jerk?

Acknowledging Copyright

This analogy applies to the open source attribution process. Some applications, when released, can contain hundreds of open source components. These components may require many copyright holders to be acknowledged. If you are trying to assemble all of this at the end, it is easy to have incomplete information. Someone will be forgotten. And, rather than simply being impolite, you will be infringing a license and failing to respect someone’s intellectual property rights. If that copyright holder is aggrieved enough, they can even raise a claim against you. In fact, some of the recent copyright troll activity in Europe has focused on improper attribution along with other items.

Systematic Attribution Compliance

The best way to handle open source attribution, along with all the other obligations of open source licenses, is to make compliance systemic in your processes. At Black Duck, we say “built-in compliance.” In Hub v3.4, we have enhanced the product to make it easier for development managers (or whoever is responsible for ensuring open source software compliance) to produce proper attribution documentation from the open source in their code base, so engineering groups can do it as they go along. When they introduce new open source, they can easily review it, examine the Black Duck-provided information required for attribution (primarily license text) and edit this information if desired. At release time, customers can use this information to generate attribution reports in multiple formats, which become the notices file, readme or web page list of open source acknowledgements they include with their products. Here's what the dialog box to create a report looks like, and a sample report.

Create your notices file with Hub v3.4
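To make the “assemble it at the end and someone gets forgotten” failure mode concrete, here is a small script that builds a notices file from a component inventory and refuses to silently drop any component whose copyright line or license text was never collected. This is an added example written for this post, not Black Duck Hub's report generator or its API; the inventory, component names and versions are constructed placeholders, and the license texts are truncated stand-ins.

```python
"""Assemble a third-party NOTICE file from a component inventory and flag
components whose attribution data is incomplete.

Added example; it does not reproduce Black Duck Hub's report format or API.
The inventory below is constructed for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str
    version: str
    license_id: str           # SPDX identifier, e.g. "MIT"
    copyright: str = ""       # copyright line the license obliges you to reproduce
    license_text: str = ""    # full license text, where the license requires it


# Constructed sample inventory; not real scan output.
INVENTORY = [
    Component("leftpad-ish", "1.0.0", "MIT",
              "Copyright (c) 2016 Example Author",
              "Permission is hereby granted, free of charge, ..."),
    Component("fastjson-ish", "2.3.1", "Apache-2.0",
              "Copyright 2015 Example Corp",
              "Apache License, Version 2.0, ..."),
    Component("tinyhash", "0.9", "BSD-3-Clause"),   # attribution data never collected
]


def missing_attribution(components: List[Component]) -> List[Tuple[str, List[str]]]:
    """Return (name@version, [missing fields]) for every component that cannot yet be attributed."""
    problems = []
    for c in components:
        missing = [key for key, value in (("copyright", c.copyright),
                                          ("license_text", c.license_text))
                   if not value.strip()]
        if missing:
            problems.append((f"{c.name}@{c.version}", missing))
    return problems


def build_notices(components: List[Component], product: str = "Example Product") -> str:
    """Render NOTICE-style text: one section per license listing each component with its
    copyright line, followed by each distinct license text once. Components with
    incomplete data land in a NEEDS REVIEW section instead of being left out."""
    complete: Dict[str, List[Component]] = defaultdict(list)
    incomplete: List[Component] = []
    for c in components:
        if c.copyright.strip() and c.license_text.strip():
            complete[c.license_id].append(c)
        else:
            incomplete.append(c)

    lines = [f"Third-party open source notices for {product}", ""]
    for license_id in sorted(complete):
        lines.append(f"== {license_id} ==")
        for c in sorted(complete[license_id], key=lambda x: x.name):
            lines.append(f"{c.name} {c.version}: {c.copyright}")
        # Some licenses (e.g. BSD variants) embed the holder in the text, so
        # reproduce each distinct text rather than assuming one per SPDX id.
        texts: List[str] = []
        for c in complete[license_id]:
            if c.license_text not in texts:
                texts.append(c.license_text)
        for text in texts:
            lines += ["", text]
        lines.append("")
    if incomplete:
        lines.append("== NEEDS REVIEW (do not ship until resolved) ==")
        for c in sorted(incomplete, key=lambda x: x.name):
            lines.append(f"{c.name} {c.version} ({c.license_id}): attribution data missing")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, fields in missing_attribution(INVENTORY):
        print(f"incomplete attribution: {name} is missing {', '.join(fields)}")
    print(build_notices(INVENTORY))
```

Running it on the constructed inventory prints a MIT section and an Apache-2.0 section, and puts tinyhash under NEEDS REVIEW because neither its copyright line nor its license text was ever recorded. Wiring `missing_attribution` into a release check (fail the build when it returns anything) is the “built-in compliance” idea: the gap is caught when the component is introduced, not at release time.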

For existing Hub customers who want to know more, we have created a training course on open source software attribution on our Black Duck Academy training site. Please check it out. If you are not a Hub customer and want to learn more about how the Hub can help with open source attribution, please contact us.

As always, we are considering additional features to help customers manage the open source attribution process, and will be rolling those out in future releases. We welcome your feedback, so if there are additional things you would like to see, please let me know. And stay tuned for future developments.
