Palamida paves the way for greater open-source adoption

Palamida is doing a great deal to make open source easier to adopt and develop.

Matt Asay Contributing Writer
Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.

Palamida has received a fair amount of press related to its tracking of the rise of GPLv3, most of it positive, but this doesn't do the company justice. Palamida's innovative inclusion of security with code/legal analysis - helping customers discover potential vulnerabilities in their code before they ship - is a welcome addition to the open-source world.

It (and I) has also taken some hits for "over-counting" GPLv3 deployments, but most such concerns stem from ignorance of what GPLv2 and v3 mean, rather than from an error on Palamida's part.

For instance, those who think that "GPLv2 or later" language does not qualify as an instance of GPLv3 miss the more critical point: those who adopt software under such a license may be exposing themselves to restrictions they aren't expecting:

Palamida's opinion is that developers want, and in many cases, need to know if the open source they are currently embedding, or considering using, is going to migrate to the newer license. An "intent to migrate" can spell serious issues for anyone in the embedded market currently reliant on GPL v2. If their particular project of choice decides to convert with the next release, they have serious legal and business issues on their hands. Thus, keeping track of the ongoing conversations is a critical part of proactive open source code management. [From an article not yet published. I'll link when available.]

This relates to electronics OEMs, an area in which Palamida has been leading the way. Most Taiwan- and China-based manufacturers are exceptionally talented in hardware design and production, but not as much in software. (At least, this was the case back when I was selling into such companies while at Lineo.) So imagine the following: Sony, Archos, or some other electronics company orders 1 million units from its supplier (say, Compal), only to find out after the product hits the shelves that the software included has components licensed under the GPL.

This is fine if it was intended, but it's a bit of a shock if it was not. Just ask Linksys/Cisco. Or, more recently, British Telecom:

British Telecom (BT) raised the ire of the open source community after it used code released under GPL v2 in one of its commercial products, but failed to immediately release the code to the public. The incident caused BT to admit that its Home Hub product (a wireless router for the home market) contains GPL-licensed software. Home Hub went on sale in 2006, but BT did not post the code for download until January 22, 2007.

In today's litigious climate, the Software Freedom Law Center would have filed suit against BT for improper violation of the GPL v2 -- a pattern of enterprise accountability that is gaining in momentum in the United States (see Monsoon vs. the SFLC).

Add vulnerability risks to the concerns of not knowing whether your organization is beholden to applicable open source obligations and the importance of proper open source use management emerges.

Which is when you call in the cavalry: Palamida. One thing that I really like about Palamida is its focus on developers. Palamida's founding team comes from the developer crowd, and it shows in how it approaches the market. While Black Duck's tools tend to focus on the legal department, Palamida emphasizes nipping IP issues in the bud, i.e., at the developer.

For electronics manufacturers (and, of course, others), imagine the benefit of having security vulnerabilities pointed out early in the development process:

Open source is not less secure than commercial software; it is as secure, however you wish to interpret that. According to our research, it gets patched much faster, but it does not come with auto-update mechanisms or email alerts for its users. Unless you're searching for patches, you aren't fixing the holes. If you are wondering if there really are holes, or if possibly this is another FUD conspiracy, you can visit the National Vulnerability Database and scan through the hundreds of CVEs. Palamida's technology automatically identifies vulnerable code and tells organizations where, down to the exact paragraph, that code resides and what the precise vulnerability is. From there, it can be remediated.
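To make the two concerns in this post concrete, the license obligations and migration risk discussed above and the vulnerability matching described in this quote, here is a small added example of an open-source component audit. It is not Palamida's code and does not reflect how its product works; it matches a constructed component inventory against a constructed advisory feed (in the spirit of NVD entries) and a simple license policy. The component names, paths and CVE-style identifiers are placeholders; the license strings are SPDX identifiers.

```python
# Added example (not Palamida's code): a minimal audit of an open-source
# component inventory against a vulnerability feed and a license policy.
# The inventory, advisory ids and paths below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # SPDX identifier
    path: str      # where the code resides in the source tree


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str  # versions strictly below this are affected
    summary: str


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts sort as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(c: Component, a: Advisory) -> bool:
    """A component is affected if the advisory names it and it predates the fix."""
    return c.name == a.component and parse_version(c.version) < parse_version(a.fixed_in)


# Licenses whose "or later" clause lets a project move to a newer GPL version,
# which is the migration risk the post warns embedded vendors about.
MIGRATING_LICENSES = {"GPL-2.0-or-later", "LGPL-2.1-or-later"}
# Copyleft families that oblige the distributor to offer corresponding source.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")


def audit(inventory, advisories):
    """Return one finding dict per vulnerability or license risk discovered."""
    findings = []
    for c in inventory:
        for a in advisories:
            if is_affected(c, a):
                findings.append({
                    "kind": "vulnerability", "component": c.name,
                    "version": c.version, "path": c.path,
                    "advisory": a.advisory_id, "summary": a.summary,
                })
        if c.license.startswith(COPYLEFT_PREFIXES):
            findings.append({
                "kind": "copyleft-obligation", "component": c.name,
                "version": c.version, "path": c.path, "license": c.license,
            })
        if c.license in MIGRATING_LICENSES:
            findings.append({
                "kind": "license-migration-risk", "component": c.name,
                "version": c.version, "path": c.path, "license": c.license,
            })
    return findings


# Constructed sample inventory of an embedded device's third-party code.
INVENTORY = [
    Component("libfoo", "1.2.3", "GPL-2.0-only", "firmware/src/libfoo/"),
    Component("libbar", "0.9.1", "GPL-2.0-or-later", "firmware/src/libbar/"),
    Component("libbaz", "2.0.0", "MIT", "firmware/third_party/libbaz/"),
]

# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("CVE-XXXX-0001 (placeholder)", "libfoo", "1.2.4",
             "heap overflow in input parser"),
    Advisory("CVE-XXXX-0002 (placeholder)", "libbaz", "1.9.0",
             "path traversal in file export"),
]


if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES):
        print(f)
```

Run as-is, the audit flags libfoo twice (an advisory whose fix it predates, and a GPL source-release obligation), flags libbar for both its copyleft obligation and its "or later" migration risk, and says nothing about libbaz, whose version is already past the fix. In a real pipeline the inventory would come from a scan of the source tree and the advisories from the NVD feed; the version comparison here is deliberately simple and would need to follow each ecosystem's own rules.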

The world is going to use open source. That's a given. Using it intelligently, however, is not a given, and can be greatly helped by using Palamida's tools. I used to worry that Palamida's business depended on fear mongering about open source, but I no longer feel that way. The company provides value that simply enables intelligent adoption of open source. There's nothing to fear from the transparency and insight Palamida's technology provides.