Microsoft Goof - One Small Snag in a Code-Licensing Quagmire
Nov 17, 2009 4:00 AM PT
Microsoft will soon release the source code and binaries for a Windows 7 tool that was recently found to contain code licensed under the GNU General Public License.
The tool in question is the company's free Windows 7 USB/DVD Download Tool, which enables consumers to create bootable USB drives or DVD backup media from the electronic software edition of Windows 7 that comes in an ISO format.
"Within Windows" blogger Rafael Rivera Jr. uncovered the GPL-licensed code earlier this month.
'Wayyyyyyy Too Much Code'
"While poking through the UDF-related internals of the Windows 7 USB/DVD Download Tool, I had a weird feeling there was just wayyyyyyyyy too much code in there for such a simple tool," Rivera explained in a post on his site.
"A simple search of some method names and properties, gleaned from Reflector's output, revealed the source code was obviously lifted from the CodePlex-hosted (yikes) GPLv2-licensed ImageMaster project," Rivera added, noting that the author of the code had not been contacted by Microsoft.
Two problems result, Rivera said. First, "Microsoft did not offer or provide source code for their modifications to ImageMaster nor their tool."
Second, "Microsoft glued in some of their own licensing terms," he noted, "further restricting your rights to the software."
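The kind of check Rivera describes, as an added example that is not code from the article, from Rivera, or from Microsoft: method and property names recovered from a decompiled assembly are compared against a catalogue of identifiers from known open source projects, and strong matches are reported together with their licence so a code review can catch copyleft code before shipping. The catalogue, the identifier names, the noise list and the threshold are all constructed assumptions.

```python
"""Identifier-overlap provenance check (added example, not the article's code).

Compares identifiers listed by a decompiler against identifier sets of known
open source projects and flags strong matches whose licence is copyleft.
Every identifier and project entry below is constructed sample data.
"""
import re

# Names present in almost any .NET assembly; they carry no provenance signal.
NOISE = {"ToString", "Equals", "GetHashCode", "Dispose", "Main", "Finalize"}

# Constructed catalogue of reference projects: distinctive identifiers + licence.
CATALOGUE = {
    "example-udf-library (hypothetical)": {
        "license": "GPLv2",
        "identifiers": {"UdfVolumeDescriptor", "WriteAnchorPointer", "IsoImageBuilder",
                        "FileSetDescriptor", "LogicalVolumeIntegrity", "PadToSector"},
    },
    "example-cli-parser (hypothetical)": {
        "license": "MIT",
        "identifiers": {"ParseArguments", "OptionAttribute", "HelpText", "PadToSector"},
    },
}
COPYLEFT = {"GPLv2", "GPLv3", "LGPLv2.1", "AGPLv3"}

def normalise(name: str) -> str:
    """Strip compiler-generated prefixes (get_/set_/add_/remove_) and generic arity suffixes."""
    name = re.sub(r"^(get|set|add|remove)_", "", name)
    return re.sub(r"`\d+$", "", name)

def provenance_matches(binary_identifiers, catalogue=CATALOGUE, threshold=0.5):
    """Return [(project, licence, overlap_fraction)] for every project whose
    distinctive identifiers appear in the binary at >= threshold, strongest first."""
    found = {normalise(n) for n in binary_identifiers} - NOISE
    hits = []
    for project, entry in catalogue.items():
        distinctive = entry["identifiers"] - NOISE
        overlap = len(distinctive & found) / len(distinctive)
        if overlap >= threshold:
            hits.append((project, entry["license"], round(overlap, 2)))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def copyleft_findings(binary_identifiers):
    """Matches whose licence obliges source release when the binary is distributed."""
    return [h for h in provenance_matches(binary_identifiers) if h[1] in COPYLEFT]

# Constructed sample: names as a decompiler might list them for a disc-imaging tool.
SAMPLE_BINARY = ["get_UdfVolumeDescriptor", "WriteAnchorPointer", "IsoImageBuilder",
                 "FileSetDescriptor", "PadToSector", "ToString", "Dispose", "Main"]

if __name__ == "__main__":
    for project, lic, frac in copyleft_findings(SAMPLE_BINARY):
        print(f"{frac:.0%} of {project} identifiers present; licence {lic}")
```

A real review would feed the left-hand set from a decompiler or symbol dump and the catalogue from an index of project sources; the overlap threshold is the knob to tune against false positives from widely shared helper names.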
'It Was Not Intentional'
Microsoft pulled the tool from the Microsoft Store a few days later.
Then, last Friday, Peter Galli, the company's Open Source Community Manager, confirmed the discovery and announced that Microsoft would be releasing the source code and binaries for the tool under the terms of the General Public License v2.
"After looking at the code in question, we are now able to confirm this was indeed the case, although it was not intentional on our part," Galli wrote.
The mistake was made by a third-party contractor, he explained -- noting, however, that "we share responsibility, as we did not catch it as part of our code review process."
One GPL-Violating Company Per Day
Since the problem was uncovered, Microsoft has reviewed its other offerings in the Microsoft Store, but "this was the only incident of this sort we could find," Galli said.
The company is also "taking measures to apply what we have learned from this experience for future code reviews we perform," he added.
Coincidentally, Bradley Kuhn, FLOSS community liaison and technical director for the Software Freedom Law Center (SFLC), recently published a blog post in which he asserted that he has been finding one new GPL-violating company per day, on average, since August.
'It Will Spark Further Internal Regulation'
"Microsoft definitely takes third-party software licenses and usage and distribution rights very seriously, but it's inevitable that a situation like this can occur," Rob Sanfilippo, research vice president with Directions on Microsoft, told LinuxInsider. "Code reviews don't always catch something like this, but I'm sure it wasn't intentional."
Since this recent discovery "has received a lot of attention and required Microsoft to take down an important offering while the problem was corrected," Sanfilippo added, "I think it will spark further internal regulation and oversight to ensure this doesn't happen again."
'A Growing Maturity'
The company's response, meanwhile -- particularly the swiftness of its decision to open source the tool -- "does indicate a growing maturity with respect to free and open source licenses," RedMonk analyst Stephen O'Grady pointed out.
"It also simply reflects a certain pragmatism," he told LinuxInsider. "Given that the code in question was a) not Microsoft-authored and b) non-core, this was simply the most expedient mechanism for resolving the issue."
Indeed, the fact that Microsoft said, "OK, we made a mistake and now we're going to license the code as open source under GPLv2" -- a license they said a couple of years ago they wouldn't go near -- is evidence of a change for the better, commented 451 Group analyst Jay Lyman.
"It makes sense to quickly admit mistakes and fix the problem without years of court battle," he told LinuxInsider. "It's a good paradigm for the industry."
'Part and Parcel of IT'
The case also indicates just how pervasive open source software has become, Lyman added: it has gone from something often viewed as foreign to the enterprise to something that is now "part and parcel of almost all enterprise IT."
"If Microsoft and Windows 7 can't avoid the GPL, who can?" he asked.
In fact, it has become rare to find a piece of software that's licensed under just one license, Lyman noted. As a result, problems like this "happen more often than we know about."
'Under a Microscope'
Indeed, "respecting software licenses is a problem ... whether they're open source or commercial in nature," O'Grady pointed out.
"This is why a) commercial institutions tend to prefer permissive licenses, where their responsibilities are fewer; b) major software distributors invariably have rigorous approval and governance policies; and c) there are commercial tools to assist in determining asset provenance," he explained.
Of course, the fact that this problem was uncovered at Microsoft, of all places, is bound to raise more awareness than it would have had it taken place at a smaller company.
After all, whether it's the FOSS community or the industry at large doing the examining, Lyman concluded, "Microsoft will always be under a microscope."