This is the home page for the TripleCheck software, a set of tools and knowledge-base to support the analysis of software licensing. Basically, our software helps listing the external code libraries and automate tasks whenever possible. The gathered knowledge is stored using SPDX documents.
Look around. Open source is everywhere around the computer world. Yet, the matter of the licensing is too often neglected or misunderstood. We want to see free and open source software used in a correct and transparent manner.
Open Source compliance brings fairness to the open source developers and fairness to end-users/customers that are entitled to know what is being used underneath the hood of each software application.
It is not the first time that we develop this kind of tools. In the previous works we adopted different proprietary formats because they were the quickest solution. In the end, the lesson learned is that creating a knowledge base using proprietary structures basically rendered all our previous work completely useless for other contexts.
There is not so much difference between the kind of data that we’d like to store and the data that SPDX requires to be collected. Therefore, it is possible to create documents that contain a high-quality compliance analysis and at the same time permit being used by other tools. In fact, what we like the most about SPDX is that anyone can use a simple text editor to read and change the settings.
Where are we headed?
This software is part of the tooling used for conducting licensing compliance analysis. It is a tool that TripleCheck is developing internally. We decided to help our fans, engineers, customers and open source enthusiasts to easily handle SPDX documents.
The good things
- No databases are necessary to setup. Plain SPDX text documents are used for storing all information
- Java based, means that you can run the tools on any desktop (possibly server) computer such as Windows, Mac OSX or Linux.
- Plugin extensions. The software is built with serious scripting capabilities where BeanShell provides a scripting language based on Java language. Anyone with C or Java programming skills can write plugins.
- Plugin development inside IDEs such as NetBeans or Eclipse. We’ve made it possible to develop plugins using all the features expected from modern age code editors, while at the same time allowing anyone to make changes without need to compile the software
- Small footprint. No need for hundreds of megabytes. The software itself is less than 1Mb at the moment, when all features are implemented it is expected to stay below the mark of 30Mb
- No installs, settings or configuration are required. Just run straight away
- “Eat your own dog food” spirit. We use this software for our own activity, we keep it small and straight to the point
- Basic support to recognize license terms inside source code files. We include a plugin system that you can use for teaching the software to recognize license signatures
- Code metrics. A very simple LOC (Lines Of Code) is included to give a quick idea of the project size
- Different hashes. Sometimes it helps to look around the web using different hashes. SPDX only prescribes SHA1, we compute MD5, SHA256 and SSDEEP in addition
- SSDEEP, do you know it? This is a similarity hashing, allows to find other files that have a similar text
- High quality human analysis. Each SPDX document available on the library is typically reviewed and composed manually by one of our engineers. We try to automate a lot, but give our own touch to ensure that each SPDX is meaningful and accurate
Not so good things (hey, we’re honest)
- Limited support. We will gladly help within the availability of our resources. Please keep in mind that we have to balance carefully where our pro-bono time is invested and this might not be necessarily involve our full attention supporting the tool to cater new features, most often we are just getting things done within our available resources and sharing things as quickly as we implement them (volunteers are very welcome to join our dev team)
- Probably not user friendly. The target audience for this software are engineers and open source developers. If you are not a technical savvy person then this tool might not be easy to use. We make the forum available for asking questions, don’t be afraid to write what you feel that should be improved. We are engineers, not designers. From us you can expect things that work, but also count on a lot of ugly looking web pages. (web designers are very welcome to join..)
- Long term plans? We might not be around for a long time. TripleCheck is a new company, we have brave optimism, strong energy and high technical skills to succeed. But this world is also a cold place. We can’t promise that our work will be supported for the next decade but at least we do leave it under an open source license that allows others to pick where we stopped (fingers crossed)
- It is not a giant database. We are not aiming to create software capable of detecting the origin of source code using databases with hundreds of gigabytes, there are good tools in the market. Our software is for those who want to get their own work more compliant from a licensing perspective for activities such as packaging and reporting licenses
- A lot to do by yourself. We are working to produce a high-quality knowledge base with our limited resources. You will likely need to index yourself the components not available yet on our knowledge base. From our own personal perspective, this is a good thing. There are solutions in the market where you just click on a button and then it says “everything ok”. It’s not. There is a lot underneath the hood that needs to be considered. We make our tools open so that you see how our own work makes evaluations and then you should adapt it to your scenario. Extra points if you share your thoughts back with the community so that we can continue to help others (thanks!).
This software is licensed under EUPL 1.1 without the Appendix.
For more details, please visit http://opensourceprojects.eu/p/triplecheck/wiki/License/