Handling Licenses to Avoid

 
 
By Larry Seltzer  |  Posted 2006-01-25
 
 
 

Spreading the Secret Source Code Sauce


Microsoft has, for many years, licensed the source code for Windows to a variety of partners, large customers, educational institutions and others.

But until now, the company would rather have incurred large fines, legal bills and distractions than make the code available to competitors.

Microsoft execs must have thought that making the code available would be against the company's interests for some reason.

Whatever those reasons were, Microsoft appears to have gotten over them with its announcement Wednesday that it will make the source code for communication protocol code available in an effort to meet demands of the European Union's Court of First Instance.

Microsoft already complied with the European court's absurd first requirement, that it provide a copy of Windows without Windows Media Player in it. Since it wasn't required to discount it, anyone with a brain could see that it would be a market failure, and so it was, but that part of the case is behind the company.

The other part had to do with other vendors who want to interoperate with Windows communications not having adequate documentation. There may be other important vendors, but from what I understand it's all really about Samba.

For years Microsoft has been providing documentation and has been told that it was inadequate. If the company really is talking about licensing the necessary parts of the source code, then I don't see how anything more can be asked.

I suppose it's possible, depending on the specifics, that someone could claim there are necessary parts of the source code that weren't included, but it's probably not worth it to Microsoft to do this license unless that puts its legal troubles behind it.

There are still many other important factual issues that aren't clear. No. 1, and this is the controlling issue: What are the licensing terms?

This means not only what may I, as a competitor, do with the source code, but what will it cost? In fact, since this is the heart of the matter, I won't even bother with No. 2.

I don't know the exact terms under which Microsoft has licensed its source code to others, but it must be an incredibly restrictive license. There's been only one publicly disclosed instance of source code leakage. The code that was leaked was quite old and there's no evidence that it led to the flood of vulnerability disclosures that was predicted at the time.

Of course, Microsoft critics often want to have it both ways with this argument: They claim that open-source code is more secure for being open, and they were willing to claim that Microsoft's code would be more exploitable because the source was disclosed. Ironically, Microsoft's arguments played along with the part about exploits for a long time.

Obviously Microsoft has many different licenses that it has used over the years; some are just for examination, while some (Citrix's for example) have allowed it to build new products based on Windows.

Handling Licenses to Avoid Litigation

The reasonable license for a competitor for the communication protocols, that is, CIFS (Common Internet File System) and authentication, allows the competitor to examine the code and adapt its own to conform to the license's specifications.

Copying the programs in the source themselves would not be a reasonable use of the license, but copying a data structure or two would be. It's only reasonable that two programs communicating with each other will use identical data structures.

There also has to be perhaps a more liberal allowance for a licensee to implement some algorithms that have a limited variety of implementation possibilities.

But this does present a problem with respect to potential future litigation. Let's assume Microsoft believes that a licensee has violated its copyrights and the license agreement by copying the licensed parts of Windows.

It's common, perhaps even standard, for a vendor implementing a clone of someone else's product to do it in a "clean room" environment with developers who have had no exposure to the product being cloned.

And yet the idea of Microsoft licensing the Windows source code is all about the developers having access to the actual source. Which brings me back to a variant of question No. 1 above: What are the licensing terms with respect to potential litigation?

Perhaps there is a compromise: Licensees can have two teams, one to examine the source and build protocol documentation that they are happy with and that they can pass on to their own developers.

It's also reasonable for Microsoft to charge fees for its source code license, especially since others expect to make money off of the products built based on information derived from the source code.

The Samba people themselves are not in this category and perhaps it's not reasonable for them to have to pay for a license, but there are plenty of for-profit companies that sell products that include Samba. It will be hard for them to claim that Windows source code should be free (as in beer, to use the open-source terminology).

I can easily see IBM, for example, licensing the source, making the appropriate changes to Samba and granting them back to the Samba project. IBM, or a group of commercial vendors, could also just underwrite a license for the Samba team, assuming the other licensing terms were acceptable to the team.

IBM could also be the aforementioned documentation group that provides to Samba and to the world documentation of the protocols that it believes is acceptable, as compared to what Microsoft has been providing.

All this still leaves me wondering why, if it's OK for Microsoft to license the communication source code today, the company didn't do it years ago.

Perhaps the company really believed what it said about secrecy in the source code being essential to protecting both its own intellectual property and customer security.

Any water this argument held has largely leaked out over the last few years; both open- and closed-source programs have security problems, and even in the open-source ones, security issues can persist for years before being found.

Protecting trade secrets and intellectual property is a more difficult issue, but it's hard to see any large-scale losses for Microsoft based on properly licensed excerpts of source code. The company's never going to make the entire product available.

It's important to recognize this as a relatively conservative move; it's licensing just the parts of the source code that it needs to license in order to avoid further legal troubles. But it's part of a general trend in Microsoft's behavior of abandoning its more ridiculous practices and being willing to do the right thing if it's obviously right. Don't assume this means that the Vista source will be open any time soon, but don't put anything past Microsoft either.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.
