Bugtraq mailing list archives
Re: Microsoft opening its source to selected parties
From: "Matthew S. Hamrick" <mhamrick () CRYPTONOMICON NET>
Date: Tue, 13 Mar 2001 11:38:25 +0900
Dan,

While I agree with you that it will be interesting to see if this increases or decreases the number of security-related bug reports on Windows tools / applications / operating systems, I'm not sure I really agree with the ... who was it... Meta Group? report that kicked this whole thing off Wednesday.

1. Microsoft has been providing source code to third parties for a long time now. I got the source to v5.11 Microsoft C back in '89-'90 to see how to use Borland tools to write libraries for it (there were several very subtle bugs in how that version saved DI and SI if you had a function declared in a macro or something like that...). As recently as a year ago a friend with whom I have daily contact was a MS 2000 / NT 4 / NT 5 / NT Family source licensee. He worked for a company that made video boards, and they knew that there was ABSOLUTELY no way they could write the video drivers without the source.

So for point (1) I don't think this is a change in MS policy. I think it's someone publishing a story about MS doing something it's been doing for at least 10 years.

2. Without access to derivative works, most people (okay, most people I know...) aren't all that interested in spending a lot of time to report bugs in the product. If I have product X that runs on WinNT, I'm not going to spend all that much time fixing the WinNT bugs I find. Instead, I'm going to find a way to code my application around the buggy WinNT code. If I fixed the NT code, I still have no control over if and when MS will accept and integrate my changes. If I'm fixing a bug, I can almost guarantee you it's because I'll lose revenue if I don't. I'm going to spend my time fixing the bugs in my code that my user base has reported.

If I fix the bug in the WinNT code, I still have to fix the bug in my code, because I can't tell my customers, "I fixed the bug in the WinNT codebase, so call MS and tell them you want my bugfix included in the next SP, then tell your admins to install the next SP when it comes out in 4 to 16 weeks." That just wouldn't do (except maybe at Borland...).

3. Open source is not a panacea for all software ills. It's simply exchanging one set of software ills for another. Granted, I like the kind of ills you get when you open source, but I'm afraid that MS is giving source code to all the wrong people. Certainly giving it to people who you are "close to" is a good idea. However, there are few people whose business models are such that they are motivated to play along and report bugs in MS's "open source" strategy. A lot of the people who get money from Linux / *BSD are guys that build web or mission-critical apps for medium-sized enterprises. When these guys find bugs in the OS, it's a bug that is causing the application they sold to puke. If the OS, application server, web server, database, and compiler are all open sourced, the fix will be made in the most appropriate place for that developer. The application provider then recompiles the application and deploys the fix. They are motivated to report the problem / fix because if they don't, they'll have a non-standard version of the app / OS combo, which means that fewer and fewer people will be testing for them. Borland / Inprise learned this painful lesson when they opened the Interbase source.

Oh heck.. now I'm just ranting.. Let me just say that I don't think it will change the number of bugs reported ... MS has never been all that concerned with security, and I don't think that's going to change. What may change is that from time to time you might just happen to find someone with access to the source who has the time to investigate things further, and find the cause of a bug. Perhaps one in twenty times the mean time to solution for a particular bug will decrease. Perhaps one time in twenty the quality of the fix will increase.

Hmm... maybe this should be moved over to Slashdot. Thanks for indulging me, I think I started to drift off-topic... For the sake of the list bandwidth, I'll move this over to http://www.cryptonomicon.net/article.php?sid=15&mode=&order=0 .

----- Original Message -----
From: "Dan Harkless" <dan-bugtraq () DILVISH SPEED NET>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, March 09, 2001 6:37 AM
Subject: Microsoft opening its source to selected parties

From <http://news.cnet.com/news/0-1003-201-5067896-0.html?tag=nbs>:

    In a major extension of corporate policy, Microsoft has quietly started a program to provide selected large enterprise customers with copies of the source code for Windows 2000 (Professional, Server, Advanced Server and Data Center), Windows XP (released betas) and all related service packs.

Will be interesting to see how this affects the number of holes reported in Microsoft software. Considering how many are found now, even without access to the source, we may see a very significant rise. On the other hand, if there are more white hats than black hats looking at the code (which is certainly what Microsoft's shooting for with its "selected large enterprise customers" policy), perhaps there'll be a net reduction in unpatched holes, since there'll be more eyeballs on the code.

--------------------------------------------------------------------
Dan Harkless                     | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc.   | address in Usenet posts.
Thank you.