Jason Matusow, who heads Microsoft Corp.'s Shared Source Program, discussed with eWEEK Senior Editor Peter Galli the recent source code leak, what it means for security and whether Microsoft plans any changes to the program.
How do licensees actually get access to Microsoft's source code under your Shared Source and Government Security programs?
We provide source through a mechanism called Code Center Premium, which is a smart-card-driven, secured Web site, which has gone through numerous third-party security audits. What we do is host the builds on our servers, and, from a security perspective, we believe the source is thus more safe. But it also offers a high degree of value to the developer. They are given access to more than 100 million lines of Windows source code for Windows 2000, Windows XP and Windows Server 2003, across all versions, all service packs and all betas.
It's very hard for an individual developer to know the source tree, where things live. So we try to balance security concerns against the effectiveness of the tool, and so we have indexed the entire search base to allow them to search on function definitions, class definitions, file names and text searches.
Has the leak resulted in any new initiatives at Microsoft to change the access to code, security around that code or the programs themselves?
No, and the reason for that is that we feel we have been very focused on security throughout the process of defining source code and how we're providing source code. Does this raise the level of awareness to make sure we continue to focus on this? Sure. But no, there has been no immediate effect in terms of us making radical changes to the source code.
Some Microsoft customers and many in the open-source community are saying the leak should be the catalyst for Microsoft to open up its code more widely and under less stringent requirements. This would allow peer review, better security and ultimately result in better code. Your thoughts on this?
There has always been an underlying argument that we should open up our source code more broadly. The fact is that we are learning from open source and we are opening our code more broadly through Shared Source. The Windows CE code base has been opened up very broadly, with 250,000 people downloading that source. With regards to the Windows source, we are working with far fewer, yet trusted, entities through Shared Source. There are no pure-play open-source companies today that are allowing complete and total free access to source code and still maintaining a very strong business model. Even Red Hat [Inc.], which comes the closest to this model, now in their support agreement say that if customers modify the source code, they invalidate the support agreement. That doesn't mean you can't see the code and use it as a reference model, but they have also yet to prove that they will have the same successful business model as, say, Sun [Microsystems Inc.], Novell [Inc.] or Microsoft.
What exactly is the Microsoft business model you are referring to?
Providing software for direct commercialization, like with Windows, where there is a large research and development effort to generate profits around the sale of that software. Hopefully, you are generating enough value in that for the customer so the cost of the software gives them high value-added software, and the business model is to sustain through direct licensing of the binaries. Our source code is also an enormous source of intellectual property that belongs to us. We will retain the rights to that IP and allow access to that source under our own terms. But that is no less than the Free Software Foundation [Inc.] would do. If you really look at open source, [it] is proprietary. Now the word proprietary has turned into a pejorative word, but copyright and the idea of ownership of that code is no less important to the creation of open source than traditional commercial software. The idea is that the owner determines the right and terms and restrictions of use of that software. Public domain is far more open than the GPL or FreeBSD licenses or any Microsoft Shared Source license.
[Open-source advocate] Eric Raymond says the real difference between proprietary and open source deals with who has control: the customer or the vendor.
The reality is that copyright still applies, and it's still technology that's owned. Now, does the vendor control something more if he doesn't share the source code? Sure, but there's still a relationship between the creation and ownership of that software. What you then choose to do with it becomes a statement of what model you apply. Is there value to providing source code? The answer is unequivocally yes. Does that mean that you eviscerate your business model in order to provide that source code? There are 60,000 software companies and probably just 12 to 15 that you could name that are doing aggressive things with source code, no matter what they choose to do and whether they call it open or shared. Microsoft is one of those companies. The concept that the software industry would somehow rapidly improve if we all just started giving it away is probably a fairly specious argument.