ReactOS, the 10-year-old project to create a functional, free, and open source version of Windows NT, suspended development on January 27 after a meeting to discuss whether leaked code had been added to the project's code base. The OS also will not be available for download while developers perform a full review of the 3 million or so lines in the ReactOS code base.
A letter posted to the ReactOS Web site included three specific tasks developers will take on as a result of the concerns: Clarify the ReactOS Intellectual Property Policy Statement requirements for clean room reverse engineering to conform to those required by US law; audit the ReactOS code base and rewrite any code that was not implemented along the clarified guidelines; and require developers contributing major code to the project to sign a document that says they agree to the project's policies.
According to Steven Edwards, the recently elected project coordinator for ReactOS, developers on the project have raised the possibility that a developer had reverse-engineered a part of the Windows code in violation of US copyright and trade secrecy laws and practices.
Leaks of parts of the source code for Windows 2000 and NT have been circulating on the Internet for a few years, but "there is nothing in the code base that we believe is a copy and paste from a leaked bad source," Edwards said. "We just want to standardize our practices in the clean room method to make sure we can't get sued down the line. So, just to be sure of that, we're going to audit the code base."
The audit is expected to set the project back by about a year, he said, but making the move would be better for the project in the long term because solidifying and enforcing standards could prevent a lawsuit being filed against it in the future. While developers comb through the code base, members of the project will also define what is acceptable for contributors' interaction with Windows and its code base.
The goal of the ReactOS project, which Edwards said has never made it out of alpha development or been regarded as a stable product, is to provide a free implementation of the Windows OS. The operating system implements a Windows-like environment that interacts with users' hardware and employs code from the Wine project to run Windows applications. Wine allows Windows-based applications to run on x86-based operating systems such as Linux and FreeBSD by re-implementing Microsoft's Win32 application program interface (API).
Jeremy White, founder and chief executive officer of CodeWeavers, which develops a commercial product based on Wine, said a number of developers from ReactOS have contributed to Wine, but several have been banned from contributing to the project because of concerns about code they offered. This was not necessarily because the code included something stolen or illegal, but because Alexandre Julliard, chief technology officer for Codeweavers, reviews the contributed code and was concerned about what the banned individuals had claimed as their own.
White said he was doubtful that a developer could be influenced just by briefly reviewing or accidentally coming across Windows code, and that it wouldn't be easy to obtain in any case. "You've got to go looking for the crown jewels of England," White said. "You don't just stumble across that stuff. [And] you're talking weeks and months of study to do anything with it. So, it's not accidental."
While those behind Wine reject any code or developer they are unsure of, the project has been doing a code review of its own in the past year with the help of the Software Freedom Law Center (SFLC). Edwards said that ReactOS planned to work with the SFLC as well.
Citing lawyer-client confidentiality, SFLC Chairman Eben Moglen said he could not discuss whether his organization had spoken with anyone from either project, let alone about the nature of his work with them.
Speaking in general terms, however, Moglen said developers could emulate an existing proprietary product in several ways. For example, by simply watching how the software works, or even setting up another application to track the way it works, developers could reverse-engineer the software and implement what they figure out; or, portions of code from the proprietary software could simply be adopted and replaced with original code over time.
"You can't infer from the behavior of the emulator anything about its production," Moglen said.
In the case of Microsoft, Moglen said it is clear that any use of Windows code is improper, and it would be highly unlikely that a programmer could claim negligence of its being a trade secret. "The area that gets gray is where the code itself hasn't been reused, but information gained by the code -- know-how -- has been used.... A prudent project would typically establish clean room restrictions," he said.
ReactOS plans to take stronger efforts to keep Windows code from being integrated into the project. Edwards said that concerns were raised because developers from around the world contribute to the project, and all adhere to the laws of the countries they live in.
Developers known to have seen or studied the leaked Windows code are not expected to be barred from contributing to ReactOS, but Edwards said they at least will not be permitted to work on parts of the project with functions similar to anything they've seen in Windows source code.
No comment from Microsoft
Edwards said ReactOS has had no official contact with Microsoft about the concerns, adding that the company has not responded to previous efforts by members of the project to contact the company about potential legal matters.
A spokesperson for Microsoft declined to comment to NewsForge on any leaked Windows code, the current ReactOS situation, or the project itself.
Though Microsoft refused to comment, White said he is aware of several senior executives at Microsoft that subscribe to the Wine mailing list, and that he is sure they pay attention to other projects similar to these two.
White said he saw little chance that Microsoft would come after either Wine or ReactOS so long as developers are trying to keep Windows code out of their applications.
"This is dangerous turf for [Microsoft]," White said. "They're a convicted monopolist.... It is the perceived fear that works for them. I find it hard to believe they would ever trigger a lawsuit."
Regardless, Moglen said concerns like the ones ReactOS developers currently have are common for software development teams -- which is why he recommends regular code audits even without a specific concern triggering the audit, just to be safe.
"Stuff happens," Moglen said. "That's why it gets found out. None of this is unique to free and open source software. It appears in all industries, and in all software companies."