Forgot your password?

ReactOS Code Audit 217

Posted by ScuttleMonkey
from the defining-reverse-engineer dept.
reub2000 writes to tell us that in response to talk of "tainted" code within ReactOS Steven Edwards, ReactOS and Wine developer, has called for a complete audit of the entire source tree in addition to procedure and policy changes. From the article: "One final note, this audit of the code is going to take a long time. It could take years, but it will happen, this project will come out better than it was before. I don't believe anything anyone has done while working on this project was really wrong. Every decision has three possibilities, being moral, ethical and or legal. Sometimes the law in itself is unethical and immoral. If people made mistakes and there was a violation of the law, I question the justice of the law and or anyone that would try to prosecute any of the developers who just want the freedom to learn and create a more free system."
This discussion has been archived. No new comments can be posted.

ReactOS Code Audit

Comments Filter:
  • defensive (Score:2, Interesting)

    by milamber3 (173273)
    I'm all for giving the benefit of a doubt but he's stating that they are going to audit and it sounds like he's already working up a defense for what may be found. Sounds fishy at best.
    • Re:defensive (Score:5, Interesting)

      by PFI_Optix (936301) on Wednesday February 01, 2006 @05:58PM (#14620428) Journal
      Sounds to me like they're concerned that there *might* be MS code in there, and are simply being transparent about the process of weeding it out. That way, if MS knocks on the door one day with a lawsuit for copyright infringement, they have public documentation that they initiated a voluntary audit of their code long before MS showed up.

      I'm not a developer, so I'm it precedented at all for them to involve MS in this audit? Would it make sense for MS to look at the source code and advise them of any transgressions so they can fix it quickly? IIRC, ReactOS is/was open-source, so it's not like Microsoft couldn't have already downloaded the code independently to look for problems. By inviting them into the audit you at least have your ass somewhat covered, especially if they decline and then turn around and sue later.
    • I'm sure that some MS troll would be delighted to say there is MS code in ReactOS. So, what would the devs do? Just ignore the problem and face a lawsuit later? Or address the issue ASAP?

  • by MustardMan (52102) on Wednesday February 01, 2006 @05:51PM (#14620334)
    The summary seems to be implying that leaked windows source is the issue which brought on the audit, when in fact it's a technicality about the law regarding reverse engineering. In a nutshell, in the US you gotta have one person reverse engineer and write documentation, and another write the code. In other countries the same person can do both jobs. The summary makes it sound a lot worse than this.
    • Or those with Zaphod Beeblebrox' problem []? Are they one or two engineers, under US law?
    • The question is whether it would be easier to fix broken law than to reaudit the code. Reactos has to be present on both fronts.
    • in the US you gotta have one person reverse engineer and write documentation, and another write the code.

      IANAL, but I have read the law, and I think this is a myth. Using two engineers gives you a way to easily *prove* that no copying was done, but it's not actually necessary. If the owner of the code you're reverse engineering sued you for copyright infringement, it would be their responsibility to prove that you did copy, and that you didn't independently create identical code. Since it would be a c

      • by eclectro (227083) on Thursday February 02, 2006 @02:34AM (#14623739)
        The only caveat to the point that you make is that I believe that since the DMCA copyright is a criminal offense instead of a civil one (in the vast majority of cases).

        The "clean room' procedure is what enable clone pc's to exist in the first place when compaq cloned the bios with the two engineer method to make their reversing watertight, which it was.

        It's nice to try and do that way, but not necessary. I think the big issue for single developers is not so much legally reverse engineering (which is still legal to the chagrin of many ignorant and selfish people) is not so much being right, as having the money to defend themselves in court.

        So if you and a buddy "clean room something" that's only half the job. The other half is having money in the bank to cover future possible legal expenses.

        I think the lesson we have seen often on slashdot is big corporations "bullying" some little guy who for all intense and purposes is legally right with what they are doing, but the corporation (or their hired suits who need to justify their salary) are the ones who are actually wrong.

        Also, I would consider both the DMCA and CTEA immoral laws for a variety of reasons.
        • The only caveat to the point that you make is that I believe that since the DMCA copyright is a criminal offense instead of a civil one (in the vast majority of cases).

          Perhaps. Criminal penalties apply in three cases:

          1. Where the infringement was done for financial gain.
          2. Where the retail value of the infringing copies exceeded $1000.
          3. Where copy protection mechanisms were circumvented

          Those do cover a lot of ground, but in a criminal case the burden of proof increases: The prosecutor has to prove the

    • in a nutshell, in the US you gotta have one person reverse engineer and write documentation, and another write the code.

      There is no such law.

      The advamtage of clean room engineering is that there can be no allegations of it being a derived work because code was duplicated.

      Even without clean room engineering, the plaintiff must prove infringement.

      Clean room engineering makes infringement impossible, so it reduces the risk of it even getting to trial or past the summary judgement stage (the defense will get gr
  • by Shimdaddy (898354) on Wednesday February 01, 2006 @05:51PM (#14620335) Homepage
    Just what happened with ReactOS, and why is some of their code "tainted"?
    • by scsirob (246572) on Wednesday February 01, 2006 @06:12PM (#14620583)
      ReactOS is an attempt to build a full Windows clone including kernel and everything. Not just the Win32 API but a full-fledged OS that does not require an underlying OS like Wine on Linux.

      It looked very promising to the point where several Windows applications and I was about to start playing with it. Then someone in the core developers group found some suspicious additions of code fragments that did not make sense at all at first but started to work later. These code fragments compile into machine code that is identical to fragments of leaked Windows source code. The developer smelled a rat, jumped the project and now the main guy is calling a halt.
      • by SirTalon42 (751509) on Wednesday February 01, 2006 @07:16PM (#14621308)
        "These code fragments compile into machine code that is identical to fragments of leaked Windows source code."

        This isn't about the leaked Windows source code, its about possible invalid reverse engineering (i.e. decompiled windows code)
      • I don't understand, what's the problem?

        So, they found code that looks suspiciously like it was decompiled and used that way? Don't they use source control? It's trivial to trace it back to the developers that added it and ban them from further participation.

        I would say it sounds like an organization problem though. Why exactly is code that makes no sense getting added? This is easily solved by say, using a post-commit hook in SVN that mails diffs. Post that to the mailing list so that everybody can see and
    • Article (Score:5, Informative)

      by Anonymous Coward on Wednesday February 01, 2006 @06:13PM (#14620595)
    • Basicly, what happened is that someone found code (assembler code) in the kernel that looked suspiciously like what you get if you disassemble the same piece of microsoft code (with similar "magic numbers" for stack adjustments and stuff) and cried foul. So now, they are going to audit the code to look for possible suspect code. And they are going to tighten their rules to prevent anything bad from happening in the future.

      Acording to what I saw on the mailing list, most of the potentially suspect code is in
  • by fak3r (917687) on Wednesday February 01, 2006 @05:52PM (#14620342) Homepage
    I installed ReactOS from a dev build just before all of this hit and I was amazed. It's a great piece of software, and would offer some the ability to keep running Windows apps even if they didn't want to fall for the upgrade cycle that MS perpetuates. I want to try to install the new IE 7 Beta 2 and see if the new DoS attack against it works []! Hehe
    • I hated it, although I've only tried it on MS Virtual Machine. First, it srashed right at boot. Then, after reinstalling, it actually booted, but the graphics were messed up, and it BSOD'd a whole lot.
      • I hated it, although I've only tried it on MS Virtual Machine. First, it srashed right at boot. Then, after reinstalling, it actually booted, but the graphics were messed up, and it BSOD'd a whole lot.

        So what you're saying is that it's working quite a lot like Windows already?
      • Then, after reinstalling, it actually booted, but the graphics were messed up, and it BSOD'd a whole lot.
        It's amazing, the level to which they've already reproduced the original. I call copyright infrigement - no way they'd get so close so fast on their own.
  • Erm... can someone give me an example of a decision that would be moral but not ethical, or vice versa? The distinction between the two seems a little blurry to me.
    • by Per Wigren (5315) on Wednesday February 01, 2006 @06:19PM (#14620643) Homepage
      Moral but not ethical: "You may not work on this project if you like anal sex."

      (yes, this is a joke but unfortunatly most people seem to mix up "moral" with "christian/puritanian fucked up double standard bigot moral". The best thing with moral is that you can have your own. There is no Real Moral(tm).)
      • "The best thing with moral is that you can have your own. There is no Real Moral(tm)"

        That's a tough argument to win. Can I kill you and take your stuff, so long as I decide it's allowed by "my own" moral system?

        It's much easier to defend the idea that morality is absolute, starting with axiomatic principles like human self-ownership. It's all about how we respect the essential rights of our fellow humans. In fact, you can't even defend the idea of subjective morality effectively without this axiom.
        • That's a tough argument to win. Can I kill you and take your stuff, so long as I decide it's allowed by "my own" moral system?

          What you can and can't do isn't decided by what you consider moral. It is decided by what everyone else considers moral. If I were gay and thought it was morally acceptable for me to get married... well... that doesn't mean I can.
      • Moral == Ethical


        This is the first thing you are told in philosophy of ethics. They are interchangeable terms.

        Now, you might personally think these words have a different sense, but what things feel like to you isn't evidence. If something is ethical it is moral, and if it is immoral it is unethical.

        There are differing systems of morals and differing systems of ethics. By calling one system a 'moral' system and another an 'ethical' system you can produce seeming contridictions. But
    • If you lie to protect innocents from harm, you are probably being moral but unethical.

      If you tell the truth (because you always tell the truth) and a bunch of innocent people are killed or tortured, then you are probably being ethical but immoral.

      Defense Lawyers seem like a pretty good example. They ethically must defend people they may believe are guilty. If they defend poorly on purpose, they are being unethical. I believe (IANAL) that the prosecution must reveal all evidence to the defense but the def
    • Morality varies from individual to individual, ethics are codified.

      For example, when the PS2 launched people were selling "Playstation 2 box"es on Ebay and they knew that some buyers would assume that the PS2 actually came in the box. So a few peope paid $500+ dollars for empty playstation 2 boxes. They listed them accurately so according to Ebay's rules what they did was ethical, but I still say it was amoral.

    • Ethics is a field of study in philosophy. "Ethical" describes something that is related to a particular philosophy of ethics. Asking "is this ethical" is only asking whether or not there is some defined standard or view of ethics by which the idea or action might be judged.

      Morality is a specific instance of an ethics. Something is moral if it is acceptable in or follows from the view of ethics in question, and immoral if it is unacceptable or violates that code in some way.

      In short, "ethical" says that some
    • Decisions in programming can be Ethical, Moral, or Legal. Choose any two.
    • If you are an employee of an education establlishment then sleeping with a fully consenting adult member of the student body whom you yourself have little or no professional contact with might be considered moral but unethical.
  • my take (Score:2, Funny)

    by loserhead (941655)
    from my perspective, this can only be good for reactOS. if they use the US method for reverse-engineering, they can still understand the concepts and apply them in original code.

    step 1. audit code
    step 2. redo any code that is in dispute
    step 3. package and sell your product
    step 4. PROFIT!!
  • by RLiegh (247921) * on Wednesday February 01, 2006 @06:09PM (#14620544) Homepage Journal
    This audit will take YEARS, according to their statement. I think that's optimistic, myself; by the time that they clean-room implement the code they have to audit out, no one will be interested in working on it AND it will be unusable due to MS's Software Patents.

    It's a shame; ReactOS came so far, and got so close (networking was almost ready) and now it's DOA.

    It will be missed.
    • A plant (Score:2, Interesting)

      by nurb432 (527695)
      Who knows, someone might have been paid off to derail the project.

      If it was getting too close for comfort, i dont doubt for a second that a company like Microsoft would do something like this. ( and then set things up for one hell of a lawsuit.. )

      Makes you wonder if the 'leaked code' was infact a stunt to facilitate things like this for the forseeable future.. "everyone is tainted, the sky is falling, give us more money'
    • If the project is all open source, what is to keep someone from forking the project, and making a variant with a new and possibly better group of developers. I've watched ReactOS grow from being able to run a few command line apps, to being able to do what it is doing now. I am very impressed. I remember when reading Bill Gates "The Road Ahead" he said the problem with windows is that a third party os could not run windows programs, and that someone needs to build an os that can. Someone needs to take React
    • Depends on how they do it. IANAL, but these are the obvious first steps that occur to me:

      Step #1 should be to get a copy of the source tree from before the Windows code was leaked. Code that has stayed the same since then isn't a problem, at least not for the reasons that are worrying them now.

      Step #2 assign a name to each change. Some developers will be able to assert they have never seen Windows code. Those changes are also OK.

      Step #3 for developers who cannot assert they have never seen the Windows co
  • by erikdalen (99500) <> on Wednesday February 01, 2006 @06:16PM (#14620618) Homepage
    Why not just release it from a country with saner ip laws that allow reverse-enigineering made by a single person? /Erik
    • There are no other countries which have "saner ip" laws, any country which has a functional internet/computing infrastructure also either has the same IP laws, or has contractual obligations to the US to follow the US trade/IP laws.

      In short, there's no where to hide.
      • by erikdalen (99500) <> on Wednesday February 01, 2006 @06:39PM (#14620879) Homepage
        did you read the article?

        For us in the US when you speak of clean-room reverse engineering it means that one person tears apart the implementation of a device, writes documentation and another reads that documentation and implements. Other countries do not require this invisible great wall of development and allow the same person that disassembles the interface to also write the replacement implementation.

        If it's legal to do so in those countries, then it's legal to release it in them as well.


    • Why not just release it from a country with saner ip laws that allow reverse-enigineering made by a single person?

      Because then people from other countries can't use it. In fact, it makes sense to have the work done according to the most "strict" reverse-engineering rules.
    • Why not just release it from a country with saner ip laws that allow reverse-enigineering made by a single person?

      I should have also mentioned in my previous reply that there is some reasonable logic for the US rules about reverse-engineering. In the US, the reverse-engineer has to examine whatever is being reverse-engineered and then write documentation on how they think it works. Then, a "clean" engineer has to try to implement a system based on the documentation. The reason for this is that if the sam
  • wine (Score:2, Insightful)

    by jlebrech (810586)
    More wine developers for us.

    If they all shift to wine coding in the mean time, im sure their will be great benefits.

  • by dduardo (592868) on Wednesday February 01, 2006 @06:24PM (#14620702)
    Are they going to get a copy of the Windows source code and compare it to ReactOS? How does someone actually go about auditing code that was submitted by many people around the world?
  • by Anonymous Coward
    Theoritically, wouldn't this be a good option to get "Windows" running on OS x86 ? Not really Windows, but I imagine it would be easier for OSS programmers to add support for EFI to this software, and give MacIntel people a Windows compatible option. At least until someone figures out how to boot the "real" Windows on the new Macs.
    • IMHO WinE will be a much better option to get windows programs running on MacOSX for Intel. Check out darwine [].

      Codeweavers are putting big amounts of work into this. CrossOffice will support MacOSX [] in one of the next versions. Codeweavers were rather enthusiastic when Apple announced their switch. No surprise, the desktop market share of MacOSX is bigger than Linux's.

      I really expect great things to come!

      Bye egghat.
  • by ZuperDee (161571) < minus poet> on Wednesday February 01, 2006 @06:49PM (#14621008) Homepage Journal
    1) If it is going to take them YEARS to do this audit, surely it will take MS just as long to audit it to find the infringing bits. But even supposing MS found infringing bits tomorrow, what good would it do MS to sue anyone? I doubt MS would do that right now, because ReactOS is obviously not anywhere NEAR the point yet where it is widely used, let alone useful for daily tasks like surfing the web or writing a document. Surely MS would have little (if anything) to gain from a business perspective by suing people just yet. If ReactOS suddenly became useful like Windows though, I'm sure that may change.

    2) Since a lot of the development effort on ReactOS is shared with WINE and vice-versa, I wonder if this could affect WINE, too. MS already has acknowledged WINE's existence by checking specifically for WINE registry settings in things like their Genuine Advantage program, but they obviously haven't sued anyone over that yet, either.
  • It seems like all they would have to do is programmatically (there are existing programs) that do a statistical analysis of the source of the leaked code vs. internal code... A couple hours later the comparison would be done. It would find even what seems like minor copying, and could be set with thresholds. Then they could audit those hits for credibility... They could be done in with this 'reboot' in weeks. It would be a lot faster and probably just as effective. Also it would prevent much reading of "le
    • Well, that would mean they'd have to 'officially' possess the leaked code, which would mean Microsoft's lawyers would be all over them at the drop of a hat.
  • by kwandar (733439)
    I'm wondering if ReactOS couldn't send a letter to Microsoft and simply say:

    "There is the possibility that our code in the following areas *list areas* contains fragments of MS code. We would kindly request that MS advise us as to any issues with respect to this code. If we haven't heard otherwise within 6 months, we will presume that there is no MS code that has been used."

    IANAL, but perhaps the law of estoppel would then apply?
    • Yeah, they could presume all they want but they could still be sued for infringement. You can't force anyone to audit your code for you...
    • That's backwards. If MS checks the code, and they find some of their's in it - guess what that means? LAWSUIT.

      And if MS doesn't check it, or don't finish within six months.. that does not in any way give any rights to use MS's code in ReactOS.
    • I'm not a lawyer yet, but I can take a stab. In order for MS to give up its cause of action, it would have to agree to a contract that said so. Silence is (practically) never taken as agreement to a contract; estoppel would only apply if MS made an affirmative promise that was otherwise unenforceable, knowing that ReactOS would act in reliance on the promise.
  • by Anonymous Coward on Wednesday February 01, 2006 @08:41PM (#14621931)
    Hi, I am pretty close to some of the ReactOS goings-on, and I am posting anon, even though nothing I say here should really be too controversial. I just want to cut this PR fiasco in the bud.

    This is more about some technicalities, and friction between developers.

    You've also got to understand that a *few* of the devs are still relatively young, and while they have made great technical contributions, may not have all the working-in-a-team skills they need yet.

    If you know about programming, and binary interfaces, you will know that for ReactOS to work like windows, some small bits of the compiled code MUST be EXACTLY the same. The question is how that knowledge came to be in certain people's heads, when they wrote the affected parts of ReactOS. It is extremely unlikely that infringing code will be found in ReactOS. None of the people I know there are stupid enough to use actual leaked code in the project.

    However, there is a deeper aspect to the problem. There are roughly 2 factions. The first I'll call the windows-enamored folk (WE). The second I'll call the external-interface (EI) folk. The EI folk only care that the user-visable parts of reactos are compatible with windows. This will allow the Reactos code to be even better that windows code in some areas, if it can be re-achitected. The WE fold want ReactOS to work EXACTLY like windows, on every level. This may be what Hartmut was referring to in his cryptic email.

    On a practical note, ReactOS is not going to be any kind of threat to or replacement for win2k for at least another 2 years. MS will not waste the effort.

    ReactOS is not in danger of dying. Maybe 3 years ago some FUD could kill it, but at this point, it has come so far, and there are enough stakeholders that it's going to continue.

    Coders from all over the world work on this system. People from Europe, Canada, and the Caribbean, and that's just the ones that speak english.

    To ReactOS people reading this: I do think we should look at staging releases from a country with different reverse-engineering laws, though. Certain precedents have been set in US law that do not apply elsewhere.

    Anon-Reactos-guy (who hates melodrama)
  • by kimvette (919543)
    Rather than worrying about that, why would anyone bother looking at the leaked source when decompilers have come a long way in the last few years? Just decompile, say, the NTFS driver and read the decompiled source. DMCA, EULA or other contrived roadblock, not there's nothing prevent such reverse engineering for the purpose of interoperability.
  • by zogger (617870) on Wednesday February 01, 2006 @09:27PM (#14622185) Homepage Journal
    What government agency/set of cops is auditing closed source to make sure it doesn't contain open source code in violation of copyright? Are closed source shops lawyers making them maintain a legal position that their coders can never glance at open source code lest they become tainted and it slop over into the code?

    All I see is giant megaprofit closed source corporations get to run on the "wesayso" law, "we say we only have pure code of our own writing", but everyone else in the other camp has to be scared of lawsuits because they glanced at some closed source someplace and are under draconian NDAs or whatnot.

    Kinda like diebold and vote counts. The vote is what we say it is, if you don't believe it, tough noogies.
    • (I would know... I did this already)

      When I worked with sales software (inventory, etc), we would occasionally decompile someone else's program to see if we could find grounds to sue, especially if the interface was very similar to our program. We catched one guy with a plagiarized copy of our program (down to programming errors) and we nailed him, driving him out of business. Actually, we didn't have to sue... we just threatened to press criminal charges and he yielded. He paid some $$$ to our firm, gave us
  • by Wizzmer (862755) on Wednesday February 01, 2006 @09:38PM (#14622265)
    This is another good reason why the EU shouldn't accept Microsoft's offer to share their server protocols source code with third party devs. If you look at the *specifications* and build something you are way better off than having looked at the source itself. If you look at the source you are "tainted" for life.
  • by Artemis3 (85734) on Thursday February 02, 2006 @01:32AM (#14623517)
    This is a lost case, and the remedy seems even worse. You can't just accept USA laws being imposed to all the developers, its not their fault. Instead of taking "years" to "audit" code, just to have microsoft in the end make fun of them in their deep pocketed "legal" system; i would say move outside to a sane country and continue there the development. Else, fork without the USA developers and continue.

    The way it looks this project will stagnate into oblivion, unless something like a coup of foreign developers (a fork) occurs.

    Too bad this happened just before v3.

You don't have to know how the computer works, just how to work the computer.