Wednesday, June 14, 2017

Notes on open-sourcing abandoned code

Some people want a law that compels companies to release their source code for "abandoned software", in the name of cybersecurity, so that customers who bought it can continue to patch bugs long after the seller has stopped supporting the product. This is a bad policy, for a number of reasons.


Code is Speech

First of all, code is speech. That was the argument for why Phil Zimmermann could print the source code to PGP in a book, ship it overseas, and have somebody scan the code back into a computer. Compelled speech is a violation of free speech. That was one of the arguments in the Apple vs. FBI case, where the FBI demanded that Apple write code for them, which would have compelled speech.

Compelling the opening of previously closed source is compelled speech.

There might still be legal arguments that get away with it. After all, the state already compels some speech, such as warning labels, where it serves a narrow, legitimate government interest. So the courts may allow it. Also, as with many free-speech issues (e.g. the legality of hate speech), people may legitimately disagree with the courts about what "is" legal and what "should" be legal.

But here's the thing. What rights "should" be protected changes depending on what side you are on. Whether something deserves the protection of "free speech" depends upon whether the speaker is "us" or the speaker is "them". If it's "them", then you'll find all sorts of reasons why their speech is a special case, and why it doesn't deserve protection.

That's what's happening here. The legitimate government purpose of "product safety" looms large, while the "code is speech" argument doesn't, because the proponents hate closed-source code, and hate Microsoft in particular. The open-source community has been strong on "code is speech" when it applies to them, but weak when it applies to closed-source.

Define abandoned

What, precisely, does 'abandoned' mean? Consider Windows 3.1. Microsoft hasn't sold it for decades. Yet it's not precisely abandoned either, because they still sell modern versions of Windows. Being forced to show even 30-year-old source code would give competitors a significant advantage in creating Windows-compatible code like WINE.

When code is truly abandoned, such as when the vendor has gone out of business, chances are good they don't have the original source code anyway. Thus, in order for this policy to have any effect, you'd have to force vendors to give a third-party escrow service a copy of their code whenever they release a new version of their product.

All the source code

And that is surprisingly hard and costly. Most companies do not precisely know what source code their products are based upon. Yes, technically, all the code is in that ZIP file they gave to the escrow service, but it doesn't build. Essential build steps are missing, so the source code won't compile. It's like the dependency hell that many open-source projects experience, such as downloading and installing two different versions of Python at different times during the build. Except it's a hundred times worse.

Often, building closed-source software itself requires an obscure version of a closed-source tool that has itself been abandoned by its original vendor. You often can't even define which part is the source code. For example, engine control units (ECUs) are Matlab models that compile down to C, which is then integrated with other C code, all of which is then compiled with a special compiler. Unless you have all of these closed-source products, some of which are no longer sold, the source code to the ECU will not help you patch bugs.

For small startups running fast, such as those launched off Kickstarter, forcing them to escrow code that actually builds would impose an undue burden, harming innovation.

Binary patch and reversing

Then there is the issue of why you need the source code in the first place. Here's the deal with binary exploits like buffer overflows: if you know enough to exploit it, you know enough to patch it. Append some binary code to the end of the program that verifies the input, then overwrite the instruction where the vulnerability happens with a jump to that new code, which does the check, re-executes the instruction it displaced, and jumps back.
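The jump-patch described above, worked through as an added example (this is not code from the original post). Everything here is constructed: the x86-64 section bytes, the assumed load address 0x401000, the assumed memcpy import at 0x401200, and the assumption that the SysV calling convention puts memcpy's length in rdx. The patcher redirects the 5-byte `call memcpy` through a "code cave" appended to the section; the cave holds a length check, the displaced call (which must be re-encoded, because a call's rel32 operand is relative to its own address), and a jump back. The stub's `ret` on the failure path is a simplification that only works when nothing but the return address sits on the stack at that point; a real patch branches to the function's own error path.

```python
import struct

# Constructed example: a tiny x86-64 .text section at an assumed load address.
# None of these addresses or bytes come from a real binary.
BASE = 0x401000            # assumed load address of the section
MEMCPY = 0x401200          # assumed address of the memcpy import the vulnerable code calls
CALL_SITE = 0x10           # offset of the unchecked "call memcpy" inside the section
BUF_SIZE = 0x100           # assumed size of the destination buffer being overflowed


def rel32(insn_addr, insn_len, target):
    """rel32 operand of a call/jmp: displacement measured from the END of the instruction."""
    disp = target - (insn_addr + insn_len)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def encode_call(insn_addr, target):
    return b"\xE8" + rel32(insn_addr, 5, target)      # E8 rel32


def encode_jmp(insn_addr, target):
    return b"\xE9" + rel32(insn_addr, 5, target)      # E9 rel32


def branch_target(code, off):
    """Decode the target of the 5-byte call/jmp at offset off (used to check our work)."""
    assert code[off] in (0xE8, 0xE9)
    return BASE + off + 5 + struct.unpack_from("<i", code, off + 1)[0]


# Check stub that runs ahead of the displaced call.  SysV ABI: memcpy's length is in rdx.
#   cmp rdx, BUF_SIZE ; jbe ok ; xor eax, eax ; ret ; ok:
# Simplification (assumption): 'ret' bails out of the enclosing function correctly only
# if the frame at this point holds nothing but the return address.
LENGTH_CHECK_STUB = (
    b"\x48\x81\xFA" + struct.pack("<I", BUF_SIZE)   # cmp rdx, imm32
    + b"\x76\x03"                                    # jbe +3 (skip the 3-byte fail path)
    + b"\x31\xC0"                                    # xor eax, eax
    + b"\xC3"                                        # ret
)


def build_section():
    """Constructed vulnerable section: padding, 'call memcpy' with an unchecked length, padding."""
    code = bytearray(b"\x90" * CALL_SITE)
    code += encode_call(BASE + CALL_SITE, MEMCPY)
    code += b"\x90" * (0x20 - len(code))
    return bytes(code)


def apply_detour(code, site_off, stub):
    """Redirect the 5-byte call at site_off through a code cave appended to the section.

    The cave runs `stub`, then the displaced call (re-encoded, because rel32 is
    position dependent), then jumps back to the instruction after the site.
    Returns (patched_section, cave_offset).
    """
    if code[site_off] != 0xE8:
        raise ValueError("patch site is not a 5-byte call; shorter sites need neighbours displaced too")
    site = BASE + site_off
    orig_target = branch_target(code, site_off)

    cave_off = len(code)
    cave = BASE + cave_off
    cave_code = bytearray(stub)
    cave_code += encode_call(cave + len(cave_code), orig_target)   # displaced call, new rel32
    cave_code += encode_jmp(cave + len(cave_code), site + 5)       # back to the next instruction

    patched = bytearray(code)
    patched[site_off:site_off + 5] = encode_jmp(site, cave)        # the 5-byte hook at the site
    patched += cave_code
    return bytes(patched), cave_off


if __name__ == "__main__":
    original = build_section()
    patched, cave_off = apply_detour(original, CALL_SITE, LENGTH_CHECK_STUB)
    print(f"call site now jumps to cave at {branch_target(patched, CALL_SITE):#x}")
    print("cave bytes:", patched[cave_off:].hex(" "))
```

The two things that bite in practice are both visible here: the patch site must be at least 5 bytes long (or you have to displace and re-encode the neighbouring instructions as well), and anything position-dependent that you move (the call, any rip-relative loads) has to be re-encoded for its new address rather than copied.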

I know this is possible and fairly trivial because I've done it myself. Indeed, one of the reasons Microsoft has signed kernel components is specifically because they got tired of me patching the live kernel this way (and they almost sued me for reverse engineering their code in violation of their EULA).

Given the aforementioned difficulties in building software, binary patching would be the easier option for third parties trying to fix bugs. The only reason closed-source companies don't do this already is that they need to fix their products permanently anyway, which involves checking the change into their source control systems and rebuilding.

Conclusion

So what we see here is that there is no compelling benefit to forcing vendors to release code for "abandoned" products, while at the same time, there are significant costs involved, not the least of which is a violation of the principle that "code is speech".

It doesn't exist as a serious proposal. It only exists as a way to support open-source advocacy and security advocacy. Both would gladly stomp on your rights and drive up costs in order to achieve their higher moral goal.

Bonus: so let's say you decide that "Windows XP" has been abandoned, which is exactly the intent of proponents. You think what would happen is that we (the open-source community) would then be able to continue to support WinXP and patch bugs.

But what we'd see instead is a lot more copies of WinXP floating around, with vulnerabilities, as people decide to use it instead of paying hundreds of dollars for a new Windows 10 license.

Indeed, part of the reason for Microsoft abandoning WinXP is that it's riddled with flaws that can't practically be fixed, whereas the new features of Win10 fundamentally fix them. Getting rid of SMBv1 is just one of many examples.

7 comments:

pjb said...

Granted it would not be good to have a law to force vendors to publish their sources. Nonetheless, it is a good thing to compel them to do so, voluntarily.

VirtueAndVice said...

Compelling the opening of previously closed source is compelled speech.

But really you're only compelling them to rephrase something that they earlier spoke voluntarily. This would only apply to binaries that were publicly-distributed, not all code ever written.

When code is truly abandoned, such as when the vendor has gone out of business, chances are good they don't have the original source code anyway. Thus, in order for this policy to have any effect, you'd have to force vendors to give a third-party escrow service a copy of their code whenever they release a new version of their product.

No. Abandoned means no longer sold. If the vendor is around to release the source, they must. If they are not, so be it. Compelling source code escrow for every binary ever released is silly.

Yes, technically, all the code is in that ZIP file they gave to the escrow service, but it doesn't build.
Again, so be it. Reasonable people just ask for the one thing companies are sure to have, the source code. Not some kind of perpetual support service to ensure that the source code can be built on future hardware and operating systems.

I don't see it as some moral right to keep the source code of software secret when you've published the binary for profit, and have then subsequently abandoned doing so. I see where you are coming from with the concept of a "Patched Windows XP" becoming a perpetual viable competitor for newer versions of Windows, but this has to be something approaching a unique case--the vast majority of abandonware is just that.

Jiří Zídek said...

Abandoned means no longer sold.
Imagine it in automotive: does it mean that a new BMW model with an old engine should make the last model "abandoned"? But they share an engine...
Code is speech
Imagine all painters should be forced to publish along with their paintings the process and tricks how they painted the picture. Just because you think "image is speech".

Bryan Christiansen said...

Yes, technically, all the code is in that ZIP file they gave to the escrow service, but it doesn't build. Essential build steps are missing, so that source code won't compile.

For the last 15 years I have worked at EscrowTech which is a code escrow service provider. Over the years I have seen hundreds of releases of source code and been a part of hundreds of technical verifications which involves looking at the code in escrow and verifying that it will work if released.

From those experiences, I can tell you that the majority of escrows do compile. That being said, every now and then we do come across code that will not compile and we have to get input from the software developer to get going.

I also have personally talked to at least 20 customers who, after receiving code from their escrow, told me how valuable the escrow was and how grateful they were that it was in place. It literally saved their bacon, and hearing their gratitude is part of the reason I continue to work for EscrowTech.

That being said, I don't think every binary should have a code escrow; however, certain software packages should. If the software deals with public safety or another critical and sensitive part of society, then having a code escrow in place probably should happen.

VirtueAndVice said...

Does it mean that new BMW model with old engine should make last model "abandoned" ? But they share engine...

There would certainly need to be some decisions made on the topic of software versioning. MS Office 2010 is no longer sold...does that mean it's abandonware, or is it just released in a newer version now?
Is the product "MS Office 2010" (which could be considered abandoned) or "MS Office" (which is clearly not abandoned, and for sale today)? The same question applies to "Windows XP" vs. "Windows": Is XP abandonware, or just an outdated release of the Windows product sold today as release 10?

The concept of open-sourcing abandonware looks very different depending on how this question is answered.

Ivo Blaauw said...

In 2002 Apple bought a company called Emagic, which produced MIDI devices (Unitor-8 and AMT-8) which were used to control drum computers and synths. These devices were very popular with both Windows and Apple musicians. Less than half a year after the acquisition, the Windows drivers (that went as far as WinNT) were discontinued by Apple. Despite numerous requests from the user base, no source code was ever released. Apparently that was Apple's way of saying "F.U., buy a Mac". Personally I'd rather buy another $300 MIDI device than a $2,000 Mac.

Unknown said...

The concept of open-sourcing abandonware looks very different depending on how this question is answered.

thank you!