
Linux.com

Feature: Open Source

ReactOS suspends development for source code review

By Stephen Feller on February 01, 2006 (8:00:00 AM)


The ReactOS team has suspended development to do a code review amid concerns that stolen code from the world's most used OS found its way into the project.

ReactOS, the 10-year-old project to create a functional, free, and open source version of Windows NT, suspended development on January 27 after a meeting to discuss whether leaked code had been added to the project's code base. The OS also will not be available for download while developers perform a full review of the 3 million or so lines in the ReactOS code base.

A letter posted to the ReactOS Web site included three specific tasks developers will take on as a result of the concerns: Clarify the ReactOS Intellectual Property Policy Statement requirements for clean room reverse engineering to conform to those required by US law; audit the ReactOS code base and rewrite any code that was not implemented along the clarified guidelines; and require developers contributing major code to the project to sign a document that says they agree to the project's policies.

According to Steven Edwards, the recently elected project coordinator for ReactOS, developers on the project have raised the possibility that a developer had reverse-engineered a part of the Windows code in violation of US copyright and trade secrecy laws and practices.

Leaks of parts of the source code for Windows 2000 and NT have been circulating on the Internet for a few years, but "there is nothing in the code base that we believe is a copy and paste from a leaked bad source," Edwards said. "We just want to standardize our practices in the clean room method to make sure we can't get sued down the line. So, just to be sure of that, we're going to audit the code base."

The audit is expected to set the project back by about a year, he said, but making the move would be better for the project in the long term because solidifying and enforcing standards could prevent a lawsuit being filed against it in the future. While developers comb through the code base, members of the project will also define what is acceptable for contributors' interaction with Windows and its code base.

The goal of the ReactOS project, which Edwards said has never made it out of alpha development or been regarded as a stable product, is to provide a free implementation of the Windows OS. The operating system implements a Windows-like environment that interacts with users' hardware and employs code from the Wine project to run Windows applications. Wine allows Windows-based applications to run on x86-based operating systems such as Linux and FreeBSD by re-implementing Microsoft's Win32 application program interface (API).

Jeremy White, founder and chief executive officer of CodeWeavers, which develops a commercial product based on Wine, said a number of developers from ReactOS have contributed to Wine, but several have been banned from contributing to the project because of concerns about code they offered. This was not necessarily because the code included something stolen or illegal, but because Alexandre Julliard, chief technology officer for CodeWeavers, reviews the contributed code and was concerned about what the banned individuals had claimed as their own.

White said he was doubtful that a developer could be influenced just by briefly reviewing or accidentally coming across Windows code, and that it wouldn't be easy to obtain in any case. "You've got to go looking for the crown jewels of England," White said. "You don't just stumble across that stuff. [And] you're talking weeks and months of study to do anything with it. So, it's not accidental."

While those behind Wine reject any code or developer they are unsure of, the project has been doing a code review of its own in the past year with the help of the Software Freedom Law Center (SFLC). Edwards said that ReactOS planned to work with the SFLC as well.

Citing lawyer-client confidentiality, SFLC Chairman Eben Moglen said he could not discuss whether his organization had spoken with anyone from either project, let alone about the nature of his work with them.

Speaking in general terms, however, Moglen said developers could emulate an existing proprietary product in several ways. For example, by simply watching how the software works, or even setting up another application to track the way it works, developers could reverse-engineer the software and implement what they figure out; or, portions of code from the proprietary software could simply be adopted and replaced with original code over time.

"You can't infer from the behavior of the emulator anything about its production," Moglen said.

In the case of Microsoft, Moglen said it is clear that any use of Windows code is improper, and it would be highly unlikely that a programmer could claim negligence of its being a trade secret. "The area that gets gray is where the code itself hasn't been reused, but information gained by the code -- know-how -- has been used.... A prudent project would typically establish clean room restrictions," he said.

ReactOS plans to take stronger efforts to keep Windows code from being integrated into the project. Edwards said that concerns were raised because developers from around the world contribute to the project, and all adhere to the laws of the countries they live in.

Developers known to have seen or studied the leaked Windows code are not expected to be barred from contributing to ReactOS, but Edwards said they at least will not be permitted to work on parts of the project with functions similar to anything they've seen in Windows source code.

No comment from Microsoft

Edwards said ReactOS has had no official contact with Microsoft about the concerns, adding that the company has not responded to previous efforts by members of the project to contact the company about potential legal matters.

A spokesperson for Microsoft declined to comment to NewsForge on any leaked Windows code, the current ReactOS situation, or the project itself.

Though Microsoft refused to comment, White said he is aware of several senior executives at Microsoft who subscribe to the Wine mailing list, and that he is sure they pay attention to other projects similar to these two.

White said he saw little chance that Microsoft would come after either Wine or ReactOS so long as developers are trying to keep Windows code out of their applications.

"This is dangerous turf for [Microsoft]," White said. "They're a convicted monopolist.... It is the perceived fear that works for them. I find it hard to believe they would ever trigger a lawsuit."

Regardless, Moglen said concerns like the ones ReactOS developers currently have are common for software development teams -- which is why he recommends regular code audits even without a specific concern triggering the audit, just to be safe.

"Stuff happens," Moglen said. "That's why it gets found out. None of this is unique to free and open source software. It appears in all industries, and in all software companies."


Comments

on ReactOS suspends development for source code review

Note: Comments are owned by the poster. We are not responsible for their content.

Dead link / wrong thread

Posted by: Anonymous Coward on February 02, 2006 03:32 AM
The link to the mailing list does not go to the relevant thread. BTW what is the world's most widely used OS?



It's got to be one of the embedded ones. Tron? QNX? BSD? Linux?

#

That's an interesting question

Posted by: Anonymous Coward on February 02, 2006 05:09 AM
BTW what is the world's most widely used OS?

The author of the article presumably meant some flavor of Windows. Embedded OSs clearly come into the running, though.


"The most widely used" may be whatever Nokia runs in its mobile phones.

#

Misleading Executive Summary

Posted by: Anonymous Coward on February 02, 2006 07:04 AM
"there is nothing in the code base that we believe is a copy and paste from a leaked bad source,"

From this quote from deep in the article, it is hard to see where the executive summary (first line) comes from? Stephen Feller please explain.

"amid concerns that stolen code from the world's most used OS found its way into the project."

#

Re:Misleading Executive Summary

Posted by: Anonymous Coward on February 02, 2006 12:08 PM
it is hard to see where the executive summary (first line) comes from



Not really. It's probably from one of Bill's minions. We haven't heard from Enderle or Didiot for a while, and this is their style of yapping.

#

Ah, MS' "leak" bears fruit...

Posted by: Anonymous Coward on February 02, 2006 10:24 AM
WINE had *better* be watching its P's and Q's, because anyone who gets too good at implementing Win32 APIs can expect a lawsuit now that Microsoft's antiIntellectual Property has been in the wild.

Clever move on their part...

#

Re:Ah, MS' "leak" bears fruit...

Posted by: Anonymous Coward on February 02, 2006 07:52 PM
I don't think that Microsoft engineered the source code leak, but all that source code in the wild has provided them with a very big stick to beat projects like Wine and ReactOS.

#

Ah, but with Vista slipping yet again...

Posted by: Anonymous Coward on February 02, 2006 11:09 PM
could Microsoft have asked Santa (or should that be Satan?) for a better gift? With two years more development, ReactOS might (yes, I realize that this is a *very* big conditional) have been able to provide an OS that was robust enough to give yet another reason to not dump old hardware and migrate to Vista.

Win32 needs to be on life support so that Microsoft can just pull the plug and *force* everyone to go to Vista... unless Vista is like the second coming of Unix, or something...

#

Re:Ah, but with Vista slipping yet again...

Posted by: Anonymous Coward on February 02, 2006 11:26 PM
Unfortunately, Vista appears to be not much more than Win32 with some extra "security" and a few other nice features bolted on. It's going to have the same problems that XP has, and most of the nifty features are not things people will really need and they've already shown that the security angle's just about worthless as they've had horrific design flaws and bugs plague XP throughout its lifecycle.

#
