As programme manager of the Shared Source Initiative at Microsoft, Jason Matusow is responsible for coordinating Microsoft's global source licensing strategy. ZDNet UK caught up with him.
Q: Just over a year ago, Microsoft senior vice president Craig Mundie made his infamous comments about open source. Since then, Microsoft has been rolling out its Shared Source Initiative. How do you rationalise your Shared Source Initiative with Microsoft's views on open source?
A: One unfortunate thing we did was coming out against open source -- we knew it would be controversial. There is a longstanding industry debate around source code and what role it plays. IT professionals have one point of view, developers have another, business decision makers have yet another and then hobbyists come at it from an entirely different direction again. For a long time we were held up as being anti-open source. But the idea of Shared Source came about because of customers telling us: "I am able to do some things in open source because I have access to the source code, and I would like to be able to do the same thing with your code." The fact is that Linux is now competing with Windows. That is good because it is spurring us on and making us compete better, but equally, it is difficult for us to say Windows has better management tools than Linux because all of a sudden people say we are attacking open source. We now share Windows, some of Windows CE and parts of .Net -- our implementations of the C# CLI (Common Language Infrastructure) specification.
Q: When you say Shared Source, what do you mean exactly?
A: Different groups within Microsoft have very different businesses; Windows is a very different product to Golf, for instance. The Windows programme is a reference-only licence. So in the Windows team today we let you view the code and debug against it, but you can't change the code. So if you're building your own application that sits on Windows you can debug the applications and Windows code in the relevant APIs (application programming interfaces). This also means you can trace back issues and have them fixed. It helps in deployment engineering where someone is rolling out applications that sit on Windows, which in turn is sitting on hardware. And it helps with security audits -- nobody will be doing an end-to-end audit of Windows but you can audit components that interface with your security application. But we are committed to the integrity of the platform: we will not allow derivatives of the source code.
Q: Who has access to the source code?
A: About 2,300 organisations in 32 countries are eligible to receive the source code today. Enterprises must have more than 1500 Windows seats under the Enterprise Agreement licence to be eligible, the top 150 systems integrators worldwide are eligible, as are all governments, many universities and the big OEMs. But only about 150 organisations have taken us up on the offer. We have approached many hundreds more, but most have turned us down. Most say "we are manufacturers, we don't do source code -- that's your job" and others say they expect their systems integrators to deal with any source code issues.
Q: Who in the UK has signed up?
A: So far seven universities in the UK have source code for research purposes, and five enterprises. No systems integrators here yet have access to it.
Q: How much does it cost?
A: While organisations can sign up to the shared source programme at no cost, there is a tremendous amount of engineering on their part that they have to undertake, and this can be expensive. The Shared Source Initiative covers Windows 2000, Windows XP and all .Net servers and service packs, and all betas. There is a tremendous amount of technology there, and it costs a lot of money just to get people up to speed. Many organisations say the software development kits are more than enough.
Q: How do people physically access the Windows source code?
A: The MSDN Code Centre Premium resource is the mechanism by which people access the Windows source code. It is a reference tool accessed through a secure Web site. When organisations sign up, they get a smart card and a smart card reader. All the servers for this are currently located in Redmond, but we will start mirroring them around the world.
Q: Can people access all the Windows source code?
A: No. About 95 percent of Windows is in the programme. Another 3 percent of Windows we don't own so we can't share it. And some parts -- such as product activation code -- are too valuable to us to share, and then some of the cryptographic elements are restricted by the US government and we can't share them beyond the EU and eight other countries, so we deal with those on a case-by-case basis.
Q: So that covers Windows. How do the other programmes differ?
A: The Windows CE division has taken a different approach. About 45 percent of Windows CE source code has been opened up to anybody -- any organisation or an individual -- in any country. The licence says you can view, modify and redistribute the code for non-commercial purposes. This means software and hardware vendors can modify applications and hardware based on their knowledge of the source code. Some companies can see the whole of the Windows CE source code, but they pay a licence fee because the 55 percent of the code not open to everyone has IP (intellectual property) issues. There are about 300,000 developers in the embedded community, and we have had 128,000 downloads of the source code. About half of those say they use it on a weekly basis and about 75 percent say they plan to develop for Windows CE as a result of having access to the source code.
Q: What other Shared Source programmes exist today?
A: There is the C# CLI (Common Language Infrastructure) licence, which is similar to the CE licence in that it is a non-commercial derivative licence, but in this case almost all the activity is focused on the academic community. We have had about 35,000 licensee downloads -- not including 18,000 individuals who entered a coding competition in Japan.
Q: So where next?
A: In the coming months we will expand the Shared Source programmes into other parts of Microsoft. All our platforms are in the Shared Source programme right now, and next we will be seeking to expand it to SQL, Exchange and possibly even Office. We have not yet decided on Office. It may be that we decide not to do it. There will be a lot of work involved in scrubbing the IP. We'd like to push this programme into tools and everything from games to applications. But we have a lot of issues to deal with, such as who needs to get to source code and how badly they need access. It is of marginal use even to most developers, and of no use at all to most users -- especially when it comes to the operating system. That's why Linux only has a small number of kernel developers -- this is very complex stuff. It is a question of weighing up the risk against the benefit. Most modern industry was built on the notion of trade secrets. The important part is that as you share more, those trade secrets are open to more eyes, and so they can become weakened.
Q: How does this concept of Shared Source sit with the mantra of 'security through obscurity,' which is so closely associated with Microsoft?
A: Microsoft does not subscribe to security through obscurity. But equally, the many-eyes theory is untested and fairly unsupportable because most of what those eyes look at is the wrong stuff. People like to look at the sexy, interesting code, and the older, harder code that is more tedious to look at often gets overlooked. It is a lot more complicated than saying: if lots of people can see the source code then they'll find the bugs. Take the Kerberos example, where a big flaw was discovered after ten years. This is an open-source security product that has had many eyes looking over it. OpenSSH is another example -- this open-source product was recently found to have a Trojan horse in it. The problem with open source is that you don't know who is controlling the code. Microsoft always signs all of its binaries. You know who is responsible for it. For us the interest in shared source is to do with platform integrity. Palladium cryptographic code will be Shared Source so people will be able to scrutinise it, just like they could with the RSA cryptographic code. I don't know how we can more clearly state that we don't believe in security through obscurity.