Black Duck Software

I sat in on a webinar from Black Duck Software today on managing compliance when using open source software. As someone who has gone through the process of trying to resolve a GPL violation, this is something pretty near and dear to my heart.

For those who don’t know, Black Duck provides an application that helps companies identify if there is open source software in their product. My understanding is that they maintain a huge database of projects, code and the respective licenses and their software will then search for that code and produce a report. We received the output of the Black Duck software program from Cittio and, in my mind, it showed a number of violations. However, our attorney, Eben Moglen, wasn’t happy with it. The comment I remember from him was that this report was supposed to make people like him go away, and it didn’t make him want to go away.

But the report is pretty darn detailed, and while it may not solve all issues with open source used within a commercial software organization, it is a great place to start.

The main reason I attended this webinar was that Addie Welch, a legal advisor for Zenoss, was one of the presenters.

I’ve always been confused at how Zenoss is able to have a GPL’d version of their software (Zenoss Core) and a commercial version (Zenoss Enterprise) where the “core” version uses GPL’d code that is not owned by Zenoss. If one owns the copyright to the code, they can publish it anyway they want, but when that code includes third party GPL’d code, the derivative work must also abide by the license.

According the Zenoss website, they use a number of GPL’d programs, and I was curious to learn how they can separate “core” from “enterprise” such that the enterprise version does not constitute a derivative work. I was hoping to get an answer from Ms. Welch.

One reason I am curious about this (outside of the fact that I really dislike the fauxpen source business model that Zenoss uses and like to point out flaws whenever I can) is that if you look at the Zenoss Subscriber Agreement (pdf), there is a very odd clause required of all users who buy the enterprise version that forbids forking.

We used Google to search on “zenoss support agreement” and found a PDF copy of their subscription agreement. Section 12.2 states:

12.2 Forking of the Zenoss Core Software

“Forking” and “to Fork” means create derivative works of the object or source code for a product, or to distribute a product or a derivative work of a product under a new or different brand, regardless of any right to do so under any license.

During the term of this Agreement and the twelve (12) month period after expiration or termination thereof, and notwithstanding any rights under the terms and conditions of any license, you agree that you shall abide by the following rules of conduct:

(a) Neither you nor any entity controlling, controlled by, or under common control with you (an Affiliate”) shall offer, promote, distribute or otherwise make available any Forked version of any software product released by Zenoss, including without limitation the Zenoss monitoring platform, the Zenoss client libraries and any component thereof.

(b) You understand that Zenoss may make some or all of its software—which may include, without limitation, the Software—available in versions that are distributed without charge under the terms of the Free Software Foundation’s General Public License (“GPL”) (such versions the “Zenoss Core Software”). Zenoss Core Software may, at Zenoss’ sole discretion, be identical to one or more of the Software. This Agreement does not prevent You from distributing Zenoss Core Software pursuant to the terms and conditions of the GPL, provided that You comply with the Forking prohibition in subsection (a), above.

Although I am not a lawyer, this seems to be a violation of the GPL, specifically Section 6 which states:

You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.

Since a fork could be considered as any modification without the express permission of the copyright holder, this “no forking” requirement seems to be a “further restriction.”

I asked this question on the webinar, but they ran out of time (sigh).

But the webinar did underscore the need for some sort of compliance procedure for commercial software that uses open source, but it failed to address the need that buyers should beware that the contracts they are asked to sign when purchasing commercial software may request that they give up some of their rights.

The right to fork is a fundamental part of open source software, and I can’t understand how a company can claim to be “open source” while striving to remove it.

More Net-SNMP Tricks

One of our clients in Australia was asking me about the best way to monitor applications on his Linux servers. He wanted to be alerted when they died (or if a particular number of them were not running, etc.)

OpenNMS has a monitor based on the host resources MIB which can do this, but the downside is that there is no corresponding capsd plugin to do the discovery portion of it, so it can be a real pain to set up. I thought that Net-SNMP should be able to do this quite simply, but I found out that it isn’t nearly as easy as I thought it would be.

There is a directive within the Net-SNMP configuration file (snmpd.conf) called “proc”. For example:

proc testing 3 1

Configuring this line will cause the agent to look through the running processes for the string “testing”. If there are at least 1 and no more than 3 matches, the test is considered to pass.

This is reflected in the process table:

$ snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: testing
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 3
UCD-SNMP-MIB::prCount.1 = INTEGER: 1
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 0
UCD-SNMP-MIB::prErrMessage.1 = STRING:
UCD-SNMP-MIB::prErrFix.1 = INTEGER: 0
UCD-SNMP-MIB::prErrFixCmd.1 = STRING:

As you can see, the prErrorFlag is set to “0” which means there is no error. This makes sense since the prCount is 1 and that is within the min/max range.

[Note: Leaving off both max and min results in a max value of infinity and a min value of 1. Just listing a max value results in a min value of 0]

If the “testing” process is stopped, this table changes:

$ snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.2.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: testing
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 3
UCD-SNMP-MIB::prCount.1 = INTEGER: 0
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: 1
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too few testing running (# = 0)
UCD-SNMP-MIB::prErrFix.1 = INTEGER: 0
UCD-SNMP-MIB::prErrFixCmd.1 = STRING:

This is all well and good, but the problem is how do we get the state change to generate a trap?

That was the hard part.

On reading the documentation, something like this should work. First, set the trap destination by adding a “trapsink” entry:

trapsink 172.20.1.11 public

and then add a “monitor” line:

monitor -r 15 "procTable" prErrorFlag 0 1

This should monitor the value of “prErrorFlag” and generate an error if it is “1” or greater. You can also use expressions, so something like

monitor -r 15 "procTable" prErrorFlag > 1

should do the same thing. The “-r 15” says to check for errors every 15 seconds.

Unfortunately, I was unable to get this to work. It took a lot of digging, but I found out that Net-SNMP requires a valid SNMPv3 username and password in order to access the tables so that “monitor” can check these values. Adding:

createUser snmpdInternalUser
rouser snmpdInternalUser noauth .1
iquerySecName snmpdInternalUser

enabled me to start getting traps.

This was a good start, but it still wasn’t perfect. Net-SNMP uses the Distributed Management events MIB to send the traps, so I was getting something like this:

It was a little generic and didn’t really tell me what I needed to know (namely, what was the process and what was the error). Also, I found the DISMAN events were hidden in the Cisco2.events.xml file, so I broke them out into their own file (which will be included in the releases in December).

A little more research uncovered that I could add other varbinds to the generic trap with just a few options to the “monitor” directive in the configuration file:

monitor -r 15 -o prNames -o prErrMessage "procTable" prErrorFlag 0 1

This would add the name and the error message to the trap. Finally, I noticed that while I got the rising or “down” traps, I wasn’t getting the falling or “up” traps. It turns out that I needed the “-t” option:

monitor -t -r 15 -o prNames -o prErrMessage "procTable" prErrorFlag 0 1

With a little added configuration to the new DISMAN.events.xml file, I was getting the proper rising events:

and the proper falling events:

So, with a little configuration it becomes quite easy to set up Net-SNMP to send traps into OpenNMS.

Here’s a summary:

Add the following lines to your Net-SNMP configuration file (usually /etc/snmp/snmpd.conf or /etc/snmpd.conf):

# Set up a V3 security name for internal queries
createUser snmpdInternalUser
rouser snmpdInternalUser noauth .1
iquerySecName snmpdInternalUser
agentSecName snmpdInternalUser

trapsink 172.20.1.11 public

proc testing 3 1
monitor -t -r 15 -o prNames -o prErrMessage "procTable" prErrorFlag 0 1

You can have multiple “proc” entries while you only need one “monitor” entry.

Next, you’ll need to get the latest DISMAN.events.xml file from Sourceforge. Place it in your OpenNMS “etc/events” directory and be sure to add it to the list of include files at the bottom of the eventconf.xml file (add it before the Cisco2.events.xml file).

Satisfaction Survey

I get a lot of surveys. The last one was from Apple after registering my iPhone. I always hate this question:

I almost never give the highest score on any “review” type question unless they really exceeded my expectations. But look at my choices. I can either be “very” satisfied or just “somewhat” satisfied. What happened to plain old “satisfied”? Apple isn’t the only company to do this, so I’m not just picking on them, but they are the latest.

Webster gives the following options for the word “satisfy”:

1 a : to carry out the terms of (as a contract) : discharge
   b : to meet a financial obligation to
2 : to make reparation to (an injured party) : indemnify
3 a : to make happy : please
   b : to gratify to the full : appease
4 a : convince
   b : to put an end to (doubt or uncertainty) : dispel
5 a : to conform to (as specifications) : be adequate to (an end in view)
   b : to make true by fulfilling a condition

I’m assuming that they mean option 3 “to make happy”, since the others are more binary (you either carry out the terms of a contract or you don’t) but I hate the way they force you to choose between “very happy” and “somewhat happy”. I think the goal is to force you to say “very happy” since the term “somewhat” is slightly negative. Sorry guys.

I once worked for a very poorly managed company, but I learned an interesting piece of advice from the CEO. We were doing employee reviews and he had three levels one could get: met expectations, exceeded expectations or failed expectations. I asked for five levels (one above and below “met”) and he refused. He has a point. You either did your job, did your job extremely well, or you didn’t do you job.

Adding more levels is sort of a cop out. Let’s assume there is a level between “met” and “exceeded”. The temptation would be to give most employees who did their job this level as a reward: Thank you for putting in the hours and doing your job, but you didn’t quite knock my socks off, but at least you aren’t at “met”.

The real solution would be to emphasize that “met” is a good thing – that an employee is expected to meet their expectations, and that if they get “exceeded” it is a true reflection on their dedication and it actually means something.

After all, what is wrong with being satisfied? I don’t expect every purchase and every service I experience to blow me away. Sometimes its just nice to get exactly what one expects.

And the Winner Is …

Okay, for many, many months now I have been agonizing over getting a new phone. My trusty LG Fusic on Sprint (now for sale on eBay) has been with me for over 3 years, and with the advent of all the new smartphone options available I wanted something a little more versatile.

I live out in the woods of North Carolina, and wireless phone coverage is iffy at best. Sprint seems to have the best service (which is why I’ve used them since 1998) but it is only best because the other major players have closer to no coverage.

However, over the last year everyone but AT&T introduced a femtocell product. This is a small device that plugs into your broadband internet connection and instead of making calls over a cell tower, it acts like a bridge between your phone and the network. It’s like having a cell tower in your house. This has opened up some options for me.

Unlike many people, I was pretty happy with Sprint. They have a good network and as long as you don’t ever, ever, have to talk with customer service you’ll probably be happy with them. The downside is that they rarely have cool phones.

Verizon has the best network overall, while AT&T is oversubscribed and T-mobile is a newcomer to the North Carolina market, but the latter run on GSM networks which means your phone will work practically anywhere. I travel enough overseas that this is a consideration.

In my hunt for a new phone I narrowed it down to the following choices:

  • Sprint and the Palm Pre: The Pre was the first exciting phone to hit the Sprint network in years. I seriously considered it until I realized that it was pretty much dead on arrival. The issues they experienced when trying to create a developer community didn’t help much either.
  • Sprint and the HTC Hero: This is the best phone Sprint has right now. It’s designed well, exciting and powered by Android. The main issue holding me back from this phone was the lack of synchronization between the desktop and the phone for things like contacts. Sure, you can sync through Google, but as much as I like Google I don’t want to host that kind of information on a third-party server. There may be an app to address my sync issues, but the Android Market website is so weak that you can’t browse all of the apps. It says “For a comprehensive, up-to-date list of the thousands of titles that are available, you will need to view Android Market on a handset.” This isn’t possible if I don’t have a handset, and I won’t get a handset unless I know that basic synchronization is available. (sigh) Kris Buytaert seems to like his, though.
  • Verizon and the Blackberry Storm: A friend of mine has one of these and loves it. The first generation came without Wi-Fi, but that has been corrected. It also supports both CDMA and GSM, so you can use it overseas. The downside is that it is a proprietary platform. Not a show stopper, but a negative.
  • AT&T and the Apple iPhone: I use a Mac as my desktop and I have an iPod Touch, so the iPhone is definitely a contender. Although it is a closed platform, we do develop some apps on it in house, so I am a little bit familiar with the hoops you have to jump through. It is GSM, so I could use it anywhere and almost everyone else at the office has one and likes it. The problem is almost no service where I live.
  • Verizon and the Droid: This is the Android phone I’d been waiting for. A full featured Android phone on a great network. But the more I read about it, the more disappointed I became. I was told that the version offered in the US would not support GSM. When I got into examining Verizon’s pricing structure, it seems like they nickel and dime you for everything. Plus the fact that their “unlimited” plan is limited to 5GB a month, with additional traffic costing $50 per GB, made me hesitate. I mean, I think 5GB is a lot, but I really don’t know, and I’d hate to get hit with that fee.

So, the day before the Droid launch I was a little disappointed. While no GSM is not a deal-breaker, the fact that I wasn’t sure I could sync my contacts, coupled with the exceedingly high prices Verizon charges, had me thinking about waiting a few months more.

But then I found out that AT&T’s femtocell offering (the 3G Microcell) had just become available in my area. So I am now the owner of a 32GB iPhone 3GS, replacing my iPod Touch and Fusic.

The Microcell meant that I could get AT&T service at my house. At $150, it was a full $100 off of the price of the Verizon solution, and with the plan I got it included another $100 rebate, making it even cheaper than Sprint’s $100 Airave (which requires an additional $5 per month as well as using minutes). With AT&T I got the lowest minute plan at 700 minutes per month, but for $20/month extra I get unlimited calls on the Microcell. With rollover minutes I don’t think I’ll ever run out, since I make a lot of calls from home.

The Microcell installed pretty easily. It requires a GPS signal so that they know you aren’t using it overseas (where the roaming revenue lives) and thus you have to have it near a window, but since I have skylights in my living room (as well as an Ethernet switch) it was simple to install. It took it about 20 minutes to become active.

The Microcell is Cisco-branded, and I thought it was interesting that it included a disk full of copies of the GPL and other licenses (but no source code) for a number of common GNU/Linux software. I wonder how hackable the Microcell will be? A nmap scan shows that it only responds to ping, so I’m not sure there is a way to get into it over the network.

There are a few downsides. One was that my Sony Ericsson K610i phone (a gift from Alex Hoogerhuis), while 3G, wouldn’t connect to the Microcell (although it connected to AT&T’s network just fine). I don’t know if it was because the phone is unlocked or just because AT&T’s 3G isn’t necessarily the rest of the world’s 3G. So I ended up getting my wife a Sony Ericsson W518a instead, and it connected just fine.

The second was that Embarq had their quarterly DSL outage just after I got everything set up. Without broadband the Microcell is useless, so I was back to one bar (if that). Everything was back up in about 2 hours so I shouldn’t have to worry about it again for another few months.

As for the iPhone – I like it. I knew pretty much what I was getting into since I had a Touch. Since it now supports the bluetooth A2DP protocol I can stream music over FM using the MotoRokr T505 in my car. The voice control is pretty cool (just say “Play Songs by Spoon” and voilà) but it had a lot of trouble with voice dialing. I think it had something to do with the 1300+ contacts I had in my address book. An hour or so spent pruning it down to 300 (I had several dead people listed, for example, plus a number of ex-employers personnel lists) seems to have helped. The camera is crappier than I thought it would be, but the reviews of the Droid camera aren’t much better.

I expect my next phone to be powered by Android, but that is at least 2 years away. A friend of mine just bought a Droid and he’s also an iPhone user, so I look forward to his review.

Anyway, being on the ‘net almost everywhere I go is a little addicting, and I’m on the lookout for must-have iPhone apps. Please send along any suggestions.

Catching Up After Returning from Yurrip

Sorry for the radio silence blog-wise for the last week or so. Things have been crazy around here.

I really enjoyed the conference in Nürmberg, but much more for the company and the food than the content, since it was primarily a Nagios gathering. Not that Nagios is bad, but OpenNMS is different and there wasn’t much I could use in the Nagios-specific talks (although the people who use Nagios remind me a lot of the same people who use our stuff).

After the conference was over, Ronny Trommer and I met up with Klaus Thielking-Riechert. As I mentioned before, Ronny and Klaus, along with Alex, are writing a German language OpenNMS book. They have over 100 pages written already, and I’m eager to see it in print. It’s based on 1.8, so we’ll need to get that out before they can get it printed, but we hope that will be done soon.

That night we went out to eat at an Italian restaurant, of all things.


Klaus, his wife Sabine, me and Ronny

The food was good but the restaurant was chosen because they serve beer from Steinbach Bräu – which was incredibly fresh and good. It’s not pasteurized so it has a very limited distributation and shelf life.

The next day I went back to Rome for the flight home, but not before getting a nice döner kebab on the way to the airport.

The flight back home was uneventful, although long. However, it wasn’t as long as Ben’s recent flight from China. Due to a snowstorm in Beijing he waiting on the ground for 12 hours before the 13 hour flight home. A total of 25 hours in the same airport. That’s insane.

David Byrne and the "Internet Antichrist"

I don’t usually do this, but today I came across a long post by David Byrne that I thought was amazing. He analyzes the changes that the advent of the Internet has wrought. It’s worth a read.

To me this means that, yes, information already flows both, or rather all, ways. Privacy and security, as much as we might strive for them, are phantoms that we chase but can never truly catch. As much as we love getting information, data, media and connections, so we ourselves become available as data. Social websites like MySpace, Facebook and Twitter seem to use these conflicting urges — the urge to reveal oneself to the world, in all one’s intimate details, and yet simultaneously maintain some kind of privacy. Good luck with that.