  Cabal Premium join:2007-01-21 Boston, MA
| Microsoft ships stolen GPL code in Windows 7
quote: While poking through the UDF-related internals of the Windows 7 USB/DVD Download Tool, I had a weird feeling there was just wayyyyyyyyy too much code in there for such a simple tool. A simple search of some method names and properties, gleaned from Reflector's output, revealed the source code was obviously lifted from the CodePlex-hosted (yikes) GPLv2-licensed ImageMaster project. (The author of the code was not contacted by Microsoft.)
I see two problems here. (I'm not a FSF professional, so there may be more.)
Microsoft lifts GPL code, uses in Microsoft Store tool -- Obamanomics: Trickle-up poverty. |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| I'm confused here as the site has a couple of updates:
quote: Update 11/7: The example I provided yesterday (ReadBytes) was replaced with a new one. Note that it is only an example. I'm not here to prove my case in a huge exhaustive post for you. That's left as an exercise for the reader.
Update 11/7 (2): The code in question is not a part of the IMAPIv2 Code Samples. If you visit Codeplex and actually download the source code, you'll see this code is separate.
Update 11/7 (3): ImageMaster UDF parsing is a valid derivative work licensed under GPL. The original parsing code is from LGPL 7zip. Here's a comparison. And another.
So is he now saying this isn't an issue?
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV | Well I think he's saying cause Ms do it, then it's ok. lol -- Best Regards, Vampirefo |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Cabal This is completely lame, so what does the routine in question do ('ReadLogicalDescriptor'), and given it's reading a data structure, how many ways can you do it, and if the data structure has named components, why would you use anything other than those component names in your code?
Sorry but there just isn't enough here to get excited about and even as one person posted
quote: As I understand, both ImageMaster and Microsoft used code from 7zip, which itself is licensed under LGPL. If this is indeed so, it would _seem_ (emphasis goes here, since I do not know much about LGPL) that Microsoft had used the code rightfully, while ImageMaster was in the wrong. Of course, ask a lawyer to be sure. I think someone might just do it.
so perhaps the guys from ImageMaster swiped the code. Ultimately if there is an issue, as Bradley M. Kuhn pointed out, it's up to the guys from ImageMaster to pursue it and ultimately they would have to reveal if they wrote the code or 'borrowed' it from somewhere (i.e. 7zip). Ultimately trying to prove ownership of code in cases where you're reading from a data structure is like having a software patent as really the code is obvious as would the naming be as there are only so many ways to read a data structure and have it work.
So unless someone posts something far more compelling, there is nothing here to make me think this is something evil underfoot.
Blake
PS based on a constant use, I'd rate the Microsoft code better as use of hard coded constants isn't the best practice while coding, so perhaps the ImageMaster guys will want to update their code with the Microsoft code. -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
|
  chachazz Premium join:2003-12-14
| reply to Cabal Microsoft yanks Windows 7 tool over open-source code swipe
quote: Microsoft has yanked a tool it touted as a way for netbook owners to install Windows 7 without a DVD drive after a prominent blogger accused the company of using open-source code without acknowledging where it originated.
quote: As to Microsoft's next step, the company was mum, although Rivera took a stab at its alternatives. "Ultimately, I believe one of two things will happen: The tool will either be rewritten or open-sourced," said Rivera. "I suppose the third option would be [to make it] no longer available."
quote: This isn't the first time that Rivera has called Microsoft on the carpet. Last January, he and fellow blogger Long Zheng, who writes I Started Something, argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
Microsoft first denied that it was a bug, saying instead that it was by design, but then backpedaled and promised to fix the problem several days later.
»www.computerworld.com/s/article/···omyId=89 -- Gladiator Security Forum: www.gladiator-antivirus.com/
|
|
 SUMware Premium join:2002-05-21
1 edit | said by Link Logger: This is completely lame... So unless someone posts something far more compelling, there is nothing here to make me think this is something evil underfoot.
It's almost like Hyper-V deja vu!
Microsoft pulls Windows 7 USB/DVD download tool amid GPL allegations quote: The problem is that as well as not contacting the author of the code, Microsoft released the download tool under its own name, with Microsoft licenses all over it. What's more, there was no attempt to allow users access to the source code. All of which goes against the GNU's General Public License (GPL).
Microsoft Nixes Windows 7 Tool on GPL Concerns quote: "Microsoft did not offer or provide source code for their modifications to ImageMaster nor their tool [as required] according to GPLv2," Rivera's post continued. Additionally, Microsoft inserted some of its own proprietary licensing language into the migration tool's license -- also in violation of GPLv2, he said.
Microsoft opened Linux-driver code after 'violating' GPL quote: Microsoft was in violation of the GPL (General Public License) on the Hyper-V code it released to open source this week.
After Redmond covered itself in glory by opening up the code, it now looks like it may have acted simply to head off any potentially embarrassing legal dispute over violation of the GPL.
|
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| quote: "We are currently looking into this issue and are taking down the Windows USB/DVD Tool (WUDT) from the Microsoft Store site until our review of this matter is complete. We apologize to our customers for any inconvenience," a Microsoft spokesperson said in a statement e-mailed to InternetNews.com.
I would expect them to err on the safe side and pull the code until they complete their investigation and I suspect they will simply do a fresh rewrite of the code in question and re-release it regardless of the results of their investigation. Otherwise the most that is likely to happen is a subcontractor will get smacked for borrowing unauthorized code.
I use source code control and I keep backups of all my projects throughout development so people can see the evolution of my code if needed to prove I authored the code. I do use third party components/libraries but of course I purchase or otherwise acquire the required licenses for those. Certainly Microsoft will be reviewing the source code control for this project (if there is one) to see how the code got there, but again we are dealing with a fixed and known data structure here so code can only vary by so much and certainly use of variable names like 'buffer', length, etc are pretty well universal, so really the claim is based on the use of 'UdfRecord', should be interesting.
Blake CodePlex is funded by Microsoft -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
|
  chachazz Premium join:2003-12-14
| Microsoft confirm GPL violation in Windows 7 tool
"Microsoft has confirmed that GPL licensed code was included in the Windows 7 USB/DVD Download Tool (WUDT)....the source code for the tool will be made available next week under the GPLv2 along with the binaries which were withdrawn earlier this week." »www.h-online.com/open/news/item/···774.html -- Gladiator Security Forum: www.gladiator-antivirus.com/
|
|
 SUMware Premium join:2002-05-21 | Shocking. What a surprise! Not. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by SUMware: Shocking. What a surprise! Not.
It's not that shocking; sh&t happens.
Microsoft contracted somebody to write some software, that third-party used GPL'd code without telling MSFT about it. MSFT didn't catch it, and the tool made it out into the world in binary form. Ooops.
Then, it's pointed out, Microsoft investigates, and now makes it right. Isn't this how it's supposed to work?
This doesn't appear to be a willful violation on Microsoft's part, though as the party releasing the code they are responsible for it. The third party should have known better, and it would not surprise me if this were the last time they get any work from Microsoft 
Steve -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
 SUMware Premium join:2002-05-21
| said by Steve: It's not that shocking
Nothing MS does shocks me anymore. For them it's SOP. I was being sarcastic.
said by Steve: This doesn't appear to be a willful violation on Microsoft's part
It never does, to some people.
said by Steve: though as the party releasing the code they are responsible for it
Agreed. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA | Ok, so will you come out and say that you think this was an intentional GPL violation? |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:  
| reply to Cabal I am pretty impressed personally with the speed at which Microsoft took care of this issue. It's honestly more than I could say about the handful of licensing issues I've tried to raise even within the FOSS community.
Yeah yeah, we can spend all day here pointing the finger, but I think in the end MS did the right thing and did so in a timely manner, and that's the important thing. -- Ubuntu MOTU Developer and Forums Council |
|
  siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC | reply to Cabal Same-same at: The Reg fwiw Microsoft admits Win 7 tool violated GPL |
|
 dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
1 edit | reply to Steve Seems probably-accidental to me too. We have a "GPL review committee" at work; if I want to use anything GPL'd (which I don't), I'm supposed to ask for a ruling -- there's bits of code we don't want to have to give away. But it all hinges on me executing the review process as I'm supposed to. Fortunately, I don't screw up but I can see how someone else might.
As for doing it deliberately: where's the gain for Microsoft? They have programmers. This ain't rocket science. Programmers cost less per hour than lawyers do. Why even risk getting caught violating the GPL? No motive. |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to chachazz Well I suspected wrong and they are going to open source it. I wonder how long the third party developers will remain on the rack for and how many lashes they will get.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
|
 SUMware Premium join:2002-05-21
| reply to Steve
said by Steve: Ok, so will you come out and say that you think this was an intentional GPL violation?
»www.theregister.co.uk/2009/11/13···apology/
quote: ImageMaster had violated the GPL because it contained modified code that had been distributed without the corresponding source-code and because Microsoft had bolted on its own, restricted licensing terms.
Microsoft called the violation a mistake, and while the code had been supplied by a third party, it took responsibility for not having caught the violation during its own code review process.
Ironically, licensing specialist Black Duck this week reported 22 per cent of the average software product or application - or 700MB of code - contains open-source code. Black Duck surveyed 175 customers. The chances of running into GPLv2 are also high: Black Duck earlier this year reported GPLv2 accounts for 50.06 per cent of open source projects.
Company chief executive and president Tim Yeaton said in a statement organizations are using to open source to gain what he called significant competitive advantage in a "multi-source" development process. "The 'not invented here' mentality is rapidly disappearing," he said.
It seems Microsoft was unaware of this changing reality and the implications on its relationship with those outside the company building code for its products.
One guy found this boo boo, as well as others. Either MS has a repeatedly shoddy code review process (let's fire the substandard code review team and hire that one guy instead) or MS was forced to take responsibility because they were caught. Again. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by SUMware: One guy found this boo boo, as well as others. Either MS has a repeatedly shoddy code review process (let's fire the substandard code review team and hire that one guy instead) or MS was forced to take responsibility because they were caught. Again.
Wow, ok then. |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
1 edit | reply to SUMware Do journalists read this crap before they publish it?
»www.theregister.co.uk/2009/11/13···apology/
quote: Ironically, licensing specialist Black Duck this week reported 22 per cent of the average software product or application - or 700MB of code - contains open-source code
What the heck does '700MB of code' mean here? Does this '22% of the average software product or applications' include open source where the code was lifted from another product like in this case? Just tossing out some numbers with nothing to define what the numbers are sounds like these guys are trying to promote their product with FUD just like the AV guys. Now Black Duck is an interesting company and might be worth looking over »www.blackducksoftware.com but I'll let you form your own opinions of them and their products as currently I'm undecided and still thinking about it.
quote: Company chief executive and president Tim Yeaton said in a statement organizations are using to open source to gain what he called significant competitive advantage in a "multi-source" development process. "The 'not invented here' mentality is rapidly disappearing," he said.
As a long time software developer I have to ask is this guy living in a cave, as the concept of reusable code is nothing new and the creation of the internet has been a huge boon to developers looking for how to code things etc. Of course companies need to be mindful of where code comes from and need to honor and maintain licenses involved and that is difficult and does bring up some interesting questions as to license lineage in code and copyrights.
What I also find interesting is why some consumers would care given they don't honour the licenses of software they use, but two wrongs don't make a right, so perhaps a topic for another thread.
Now no doubt this will cause a flurry of activity as everyone rushes to examine code for GPL infringements and no doubt will produce some interesting results and ultimately force some answers for unasked questions.
Blake
Edit - Reading more about BlackDuck it does appear they understand code reuse, but certainly the Register's article was a true first class hack job and even taints Black Duck's image. |
|
 dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
| reply to SUMware
said by SUMware: One guy found this boo boo, as well as others. Either MS has a repeatedly shoddy code review process (let's fire the substandard code review team and hire that one guy instead)
Presumably a large number of other people, who were just as keen to find fault with anything Microsoft touches, failed to find this 'boo boo', as well as others.
It's true that in any code review you don't need most of the code reviewers, you only need the one guy who's going to find the critical issue. The trouble is, you can't tell a priori who that guy is. |
|