Submitted by “Last October I blogged about our plan to release the source code to the .NET Framework libraries, and enable debugging support of them with Visual Studio 2008. Today I’m happy to announce that this is now available for everyone to use. Specifically, you can now browse and debug the source code for the following .NET Framework libraries.”
Does mono implement their own libraries or do they use the actual binaries from .NET?
The .NET Framework source is being released under a read-only reference license
Non-GPL, and pretty much useless :/
I agree that is useless.
You must never have encountered a bug in the system libraries before…. Lucky bastard
The license sucks, but if you’re stuck with .NET this is invaluable. No more hackish reverse engineering with Reflector.
You must never have encountered a bug in the system libraries before…. Lucky bastard
Actually, no, I haven’t
Atleast not that I know of 
And well, I was just saying it is useless in regards to Mono. I am sure this is useful some .NET programmers though. It’s just sad that you can’t actually develop those sources further or integrate them to Mono or anything like that. Then again, I don’t do C# anyways :3
Not quite useless. As it is now open-source (!free: this is as free as GPL’d software is), we can look forward to a new round of system attacks thanks to the visible security holes.
I don’t know why they’d go through with that rumor. I guess Microsoft thought they hadn’t shot themselves in the foot enough lately.
“Open Source” does not mean that the code is available somewhere around the net but reproducing or even looking at it is illegal. .NET’s distribution license isn’t even near an open source one.
Edited 2008-01-17 21:24 UTC
I believe if the source is open to reading then it might be open source…not Open Source, definitely not Free Software, but it is still open source…
This kind of subtle capital/lower case distinction is dangerous, please avoid. Say that it is source-visible, or source-available. To say it is open source, even if you don’t say Open Source, is to imply that it meets the Open Source Definition. Though we should all be used to case sensitivity by now the relaxed nature of online written communication is such that it is far more likely to be assumed that you are being slightly careless with your shift key then it is to be assumed that you mean source that is merely visible.
A bold statement indeed. Let’s see now…
The Microsoft Reference License allows you to:
* read the source code
The GNU General Public License allows you to:
* read the source code
* modify the source code
* include portions of the source code in other software
* redistribute the original source code
* distribute modified copies of the source code
The GPL may impose some restrictions, but comparing it to the MS-RL is just ridiculous.
I think you misunderstand the post to which you replied. He said ” As it is now open-source (!free: this is as free as GPL’d software is)”, which I think was meant to be read as “As it is now open source, though not free in the GPL’d software definition of free.”
GPL would be also useless, as mono Class Libraries are licensed under MIT X11.
GPL would be also useless, as mono Class Libraries are licensed under MIT X11.
Thanks for mentioning, I didn’t know that. I am totally not interested in Mono so I don’t know much about it, I just thought it’d be GPL or something similar. But well, anyways, the fact still stays that this release of the code is useless to Mono
Mono uses their own code libraries which is based upon the public published specification.
Even if it was GPL’ed, most of it would be useless to Mono developers. For example, they couldn’t port MS’s implementation of System.Windows.Forms because it’s a huge wrapper around Windows native API (unless they would use part of Wine to achieve this).
Not to mention that MS would then expect a patent tax from everyone who based off of that code….
Speaking of which, it seems that Microsoft explicitly voids even the “read-only” part of the license if you’re not developing for Windows.
“The .NET Framework source is being released under a read-only reference license. When we announced that we were releasing the source back in October, some people had concerns about the potential impact of their viewing the source. To help clarify and address these concerns, we made a small change to the license to specifically call out that the license does not apply to users developing software for a non-Windows platform that has ‘the same or substantially the same features or functionality’ as the .NET Framework. If the software you are developing is for Windows platforms, you can look at the code, even if that software has “the same or substantially the same features or functionality” as the .NET Framework.”
So if you’re writing something for a platform other than Windows, you’re not allowed to look at the source. I guess this rules out people who write for two platforms simultaneously, as well.
This license is just oh so very useful.
Edited 2008-01-17 18:30 UTC
So if you’re writing something for a platform other than Windows, you’re not allowed to look at the source. I guess this rules out people who write for two platforms simultaneously, as well.
Uh… I suspect you’re reading that from a “conspiracy theorists” position.
I believe they’re basically saying: If you’re writing software that runs on Windows, you can view the source. But if you’re writing software that doesn’t run on Windows at all – go F yourself, you can’t read our source. They don’t care whether it’s developed for Mono or whatever – as long as it runs on Windows.
If you think about it from that perspective – they just want to make sure that an end user of the software can choose to use Windows to run the software.
You’re both reading it wrong. If you were writing software that mimics the .Net framework for an OS other than Windows, you cannot view the source. i.e. Mono developers working on a .Net compiler for Linux are not allowed to look at the source. Those same developers can look all they want if they are writing a .Net compiler for Windows. And if you’re not writing any of the code yourself, you can view all you want regardless of what platform you’re working with.
You’re both reading it wrong.
Ok, after re-reading it – you’re probably correct – that it only applies to people re-creating software that “mimics” .NET framework functionality.
However, it does explicitly state that if they’re writing software that runs on Windows and mimics the .NET framework functionality, they can read the source. Thus I still interpret that as: If you’re a developer working on Mono – you can read the source as long as Mono continues to run on Windows.
Ultimately, IANAL, so I’ll defer the official interpretation to those who are qualified. I just don’t see this as being nearly so nefarious as the Microsoft-haters out there. Didn’t Microsoft cooperate with the Mono folks recently to help write Moonlight?
What all this does not prevent, though, is someone using a cleanroom process whereby someone reads the source code according to the license, and then documents how things are supposed to work by translating the code into suitable flowcharts/algorithms, and sending that documentation off to someone to reproduce the functionality (which by necessity requires the same headers/API) which can then be fully compatible, all without the other platform coder ever looking at the code itself. Keep in mind, this method requires careful documentation and a process to ensure that there’s no way things could be accidentally polluted by the developer seeing the code, and there’s a good paper trail.
This is how Compaq was able to start out in the field of PC compatibles: reading the source code (or even machine code) of the PC BIOS by itself and then reproducing the functionality wouldn’t have been allowed, but they followed this method, and now there’s all sorts of PC compatibles, and IBM is mostly/entirely out of the PC/PC-compatible business, because IBM simply couldn’t provide enough people enough of what they wanted at a price people would pay.
I predict that the source code to .NET that’s been exposed in this manner will be used in the same way.
Nice idea of Microsoft to outsource .NET debugging to reduce development costs.
It would be if they accepted patches.
Microsoft is finally catching up to what we’ve been doing in Java for years. Even though their libraries are not open source, to say this is utterly useless is rather ignorant. Being able to step through library code in a debugger is very helpful for complex situations.
I don’t think I’ll every use .NET for a real project but it’s still nice to see Microsoft getting nudged in the right direction.
Unfortunately so, too. Although I’d call it “being pulled down,” not “catching up.”
Here at work, we used .NET over Java, largely because Java was open source and .NET was closed/secure. I don’t know what we’re going to do now; I guess we’re going to have to have a meeting now to discuss whether we can rewrite the entire project or whether we need to cut our losses (my job being among them).
A little over the top, there, aren’t you? Has anyone ever proven that java was less secure than .NET, just because it was open source? Or is that just your personal completely unsupported opinion?
I would think that a high level language that manages its own memory would be pretty safe whether it’s open source or not.
Close source don’t mean secure at least.
Hacker use automated tools to find vulnerabilities ins this kind of stack. reading the source code to find vulnerabilities is a painfull job. Using automated tools is realy more efficiant. So being close-source don’t help security much.
Instead, I think (IMHO) that being open-source, help security as anyone can find why the vulnerability is there and submit a patch.
my 2c
Why would source visibility have any impact on your project? .Net source has been viewable by anyone w/ reflector since .Net’s inception, the only thing that changes is that you can now step through the code w/ full symbol support. And according to ScottGu, you’ll be able to pull down the entire repository at some point in the future as well. Sounds like you might want a new job anyways if that’s your company’s view on things.
LOL, you, and your job, are the worst bunch of morons to ever face this earth, seriously, saying that opensource by definition makes for insecure software..
its even more stupid than saying the earth is flat.. i suggest you sail over the edge… now shoo
Well, that’s what happen when you make stupid business decisions like that.
Perhaps you should try to break the trend of bad decision making by not rewriting or cutting your losses but instead just go with the .Net changes.
Edited 2008-01-18 03:46 UTC
1. “Security through obscurity” doesn’t work, it is a fundamentally flawed concept.
http://en.wikipedia.org/wiki/Security_through_obscurity
2. You are entirely right, however, about the pointlessness of Microsoft releasing anything via one of its “read only” shared source licenses. Microsoft will not accept any improvements to the code back again (even security enhancements) … so there is no “security by design” enhancement to be had via this move.
3. It seems that perhaps the only real purpose served here is Microsoft’s hope that some open source projects would be tempted to copy this now-visible Microsoft code, giving Microsoft an opportunity to close them down. Even when no open-source projects actually use Microsoft’s code, this ruse may still prove useful to Microsoft in that they can perhaps make a FUD accusation about it anyway … in a similar vein to recent unsupported Microsoft-FUD about alleged patent violations in Linux.
I think you have some misconceptions about source visibility and security…
The most dangerous problems in code are not to be seen at the source level. Well, not anymore at least, since Microsoft and many others use static analysis tools in addition to code reviews and general testing.
There is a lot greater risk from larger design issues in the software. If you design it securely, having external people look at the code isn’t a big deal. Especially when they could see the code anyway through .NET Reflector.
I don’t quite agree.
In complex situations, we’d have more pressing issues than worrying and wondering what the library is doing.
Even if we’ve found a bug in the library, we can’t fix it or do anything about the bug.
We will end up with writing a workaround anyway (after spending a couple of hours for nothing). A couple of hours that would have been better spent by ignoring the source code and start writing the workaround immediately.
(Fix Typo)
Edited 2008-01-17 18:10 UTC
Anyone stating that this is “not useful” is clearly an idiot.
First, as a C# dev, I can certainly attest to the importance of being able to debug into the underlying system libraries and framework classes as desired. This will allow me to fully understand the implementation if I must, even locating any possible bugs that may exist and either planning around them, implementing my own solution, or reporting them to Microsoft in hopes that they’ll be fixed in the next framework service pack.
For a mono developer, I would expect this is an open invitation to analyzing the Microsoft implementation, documenting it, and then writing a replacement for it. Clean-room style of course to avoid any copyright issues. (Disclaimer: I haven’t reviewed the license to see what additional restrictions have been placed on it).
For end users, it’s an opportunity for full-disclosure of any vulnerabilities that can be found in the code and documented publicly such that software built on the .NET framework libraries can be made more secure and robust.
Keep in mind that clean-room style analysis requires that the developer doing the analysis can’t actually do any of the development. Anyone developing code to be run on other .NET platforms (like Mono) would have to disable any access to these source repositories to be sure that none of the code propagates to the other platforms.
Moreover, if a developer ever sees this source code they may be prohibited from ever contributing code to any cross-platform project for legal reasons – just ask the ReactOS project.
This source code release is of limited use to developers of Windows-only closed source programs, but can only be used by the rest of us under very strict conditions.
Moreover, if a developer ever sees this source code they may be prohibited from ever contributing code to any cross-platform project for legal reasons – just ask the ReactOS project.
You’ll have to excuse my ignorance on this topic. I did follow all the ReactOS auditing news – but IIRC, that was due to the potential that some developers of ReactOS had illegally viewed leaked source and/or illegally reverse-engineered (decompiled?) Microsoft binaries.
Doesn’t that make it a whole different story here?
Also, I did understand what a true clean-room method was – you make it sound like it’s impossible to find someone who will review the code and document how it works.
There is no legal difference between reading leaked source and reading source outside of its licensing limitations. Developers who use Reflector on MS binaries would be similarly prohibited from contributing code to .NET alternatives.
That’s not a problem, except that it is work that is not as cool as contributing code, so will not be as likely to get done on a volunteer basis. The problem was that you said a Mono developer – clean-room development requires at least two people, and the analysis person won’t be available for other uses, particularly not for contributing code. This makes the analysis task more likely to need to be a paid position.
IANAL … but I would challenge that assumption.
It is illegal to reveal a trade secret. That means the act of leaking of trade secret source code is illegal, and can be punished.
However, AFAIK, once a secret is leaked, it is no longer a secret and it is then legal for other parties (other than those who did the leak in the first place) to then use that secret. This is the reason why trade secrets are so jealously guarded … keeping the secret is the only protection that they have.
Copyright law is different, but copyright law pertains only to the making of illegal copies for sale of some work that is published … that is, some work that is made publicly available by its author.
Source code that is not published cannot (by definition) have copyright protection. It can, at best, be a trade secret.
Therefore, AFAIK (remember IANAL), reading of leaked source code (that you did not leak yourself) is not at all the same as reading of published source code and then using it outside of its copyright permissions.
Edited 2008-01-18 04:32 UTC
That is not true. Revealing a trade secret is not punishable under criminal law; but, rather, only within the civil court process.
Furthermore, if you want to prevent your employees from disclosing trade secrets, the primary way to do that is to have them sign a non-compete, non-disclosure agreement. Again, that does not make them liable under criminal law, but it does provide the ability to fire and sue them, if they violate the terms of the agreement.
Edited 2008-01-20 02:53 UTC
One nit: If you analyze source code first, you can’t then do a “clean room” implementation. “Clean room” means you haven’t been tainted by knowledge of the IP you’re trying to duplicate/reverse-engineer.
Now MS got a chance to sue Mono as if they steal some portions of the opensourced code.
1. The code wasn’t open sourced – it’s under the reference license, which doesn’t even pretend to be open source.
2. MS is unlikely to sue the Mono people, especially when they provide so much assistance to them, have interoperability labs with Novell, etc.
3. Mono doesn’t need this, they are doing fine.
Miguel has explicitly said that mono developers will not look at this code. If he and his team aren’t concerned about it, why should you be?
As a .NET developer, this is a most welcome addition. Maybe now I can understand all of the annoying bugs with MS’s TreeView control (maybe these are features?).
Anyway, I don’t understand that conspiracy theory with Mono some people keep suggesting.
Can’t it possibly be that Microsoft is doing something to benefit their users?
I doubt MS currently fears Mono in any way.
I don’t think anyone is suggesting that Microsoft is “fearing” mono. They just made it clear that if you were a developer of an alternate implementation of these libraries – i.e., Mono – you best move along and not look at these sources. I glad they put that warning in. It could save some trouble down the rode. As a .NET developer who is an enthusiastic Linux user, I will try to stear clear of seeing these sources. Who’s to say what kind of project I might work on in the future. I wouldn’t want to limit my future options (however small the likelihood). Nonetheless, I do not see that as a Microsoft problem. They are free to make proprietary code, and only allow it to be seen under their terms. I am free not to look at it (at least so far).
Is there a law that forbids reverse engineering by one person? I was under the impression that it is rather easier to prove that no original code was being re-used when two people make a clean-room implementation. And also, humans being humans, they simply tend to remember the code that they have seen, and it might be difficult to implement it the same way as if one would not have seen the original code.
But in general, legal reverse engineering by one person should be feasible, shouldn’t it?
I’d appreciate any clarification.
IANAL … AFAIK (etc), copyright law pertains only to making it illegal to copy the published work of someone else and make money yourself from selling the copies.
“Closed-source” software source code isn’t a published work. Copyright protection for any software released as binary only therefore is limited to anyone making copies of the binaries. The source code in this case is protected only by the fact that it is a trade secret.
Trade secret law in turn makes it legal for other parties to try to discover the secret. It is illegal as an insider to give away or to sell the secret, but it is not illegal at all for an outsider to try discover the secret.
Therefore, reverse engineering of binary-only software code is legal provided you do not make direct copies of the copyrighted binaries for the purpose of selling them to other parties. Provided you restrict yourself to “finding out the secret” of how it works, then reverse engineering is OK. You can then legally make a work-alike version of the software (that is NOT a copy of the original binary) using the understanding you have gained.
This is the reason why Samba is legal. Microsoft cannot have legitimate patents on it because the SMB protocol is actually IBM’s invention. Samba is not a copy of Windows binary code, nor is the Samba source code a copy of the Windows source code. Samba is just a work-alike of a Windows trade secret.
Somewhat ironically, Microsoft releasing (or publishing, if you will) of source code under “read only” permission of their shared source program actually enables copyright law protection of Microsoft’s source code.
Edited 2008-01-18 04:17 UTC
Uhm, it’s not there for anyone to use actually.. It’s there, but not for use.. ;/
As a .Net dev this is the best news I have had in a long time.
Why?
1. The behaviour of the library is not always well documented. MSDN is notoriously bad in some areas. Being able to read the source code enables the dev to understand *exactly* what the libraries are doing, how to use them, why they are there and when to use them.
2. It enables devs to *verify* the existence of suspected bugs lin the framework, and to work with MS to resolve them (or at least to document them and their work-arounds).
3. It gives us the oportunity to learn from the people who developed the framework by looking at the techniques they have used.
4. It can provide insight into the reasons *why* the routines in the framework behave in particular ways.
5. It *could* enable clean-room development for the Mono devs. (INAL)
6. It will spawn a whole lot articles on all aspects of the framework, many of which will be instructive and become essential reading.
7. It will lead to more secure code. Security vulnerabilities in the framework will become known, understood, worked-around and patch.
8. Some of us are just interested because we like that sort of thing.
Couldn’t we already get these benefits with Reflector? Of course we’ve been able to see decompile the source for a long time using Reflector (it is a wonderful tool), but that is no substitute for reading the original code with MS comments in, and being able to step through code in the debugger.
I don’t always like Microsoft (I think many of their products are actuall quite poor, and really hate many of the policies that they have persued over the years) but .Net is actually rather good, and this is the best thing MS has ever done to enhance it.
Well done, Microsoft.
5. It *could* enable clean-room development for the Mono devs. (INAL)
IANAL either, but it couldn’t. The license specifically forbids reading the source for the purpose of creating similar software on another platform.
Edited 2008-01-18 14:21 UTC
Fair enough: you’re probably right.
However, everthing depends on legal interpretation.
I can think of several scenarios that would be worth investigating.
1) Someone used the source code in a way permitted by the licence. They document their findings. What stops the Mono devs using these documents?
2) Someone in a nation where the licence has no legal standing to document what the code does. Can these documents be used by the Mono devs?
Naturally, until proven otherwise, I must agree with you. Nevertheless, the possibilities are intriguing.
Probably nothing, but I doubt it would be useful. The spec is already published so the main advantage would be in documenting MS-specific bugs/oddities. Even if bug-for-bug compatibility were desired that would only have minimal usefulness.
I’m pretty sure that’s a “No.”
I’m sorry but I’ve never seen such a waste of hard disk space in all my life. Microsoft is trying to pawn off a ‘read only’ licence as a change in direction? sorry, colour be completely unimpressed. If Microsoft *really* want to impress me and others, how about opensource the whole damn framework under something like CDDL or BSDL?
This is nothing more than an attempt for Microsoft to muddy the waters of what one considers ‘opensource’ and worse, put projects like Mono under even more legal scrutiny – just imagine the field day when the legal experts (aka, oxygen thieves within Microsoft) get wiff of something looks a bit like what appears in their source code – OMG! it uses printf()! its a direct copy! *rolls eyes*
This is very useful for .NET developers. Debugging and reading the original source code is a lot better than using Reflector to examine the “source code”. We now get the original variable names, the original comments (VERY useful), the original file organization, …
And people can learn a lot from “just reading” someone else’s code.
I expect this sort of bull from lemur, but not someone who is more intelligent like you. This code has been released to assist those developing code that runs on the .NET framework libs by allowing for the browsing of and debugging of the .NET framework library code. That’s it. If you’re not writing code that runs on the .NET framework libs, then ignore this source code. You aren’t the target. This isn’t open source code nor is it meant to be nor is it pretending to be. Just think of it in the same terms as the Microsoft’s C-runtime, C++ STL, and MFC code that Microsoft has been releasing for years. That code is released in order to assist developers making code to run on Microsoft’s stuff, not for laying the groundwork for lawsuits by tricking or even tempting devs into using said code outside the bounds of the license. The release of this .NET framework code is similar in purpose.
The reaction here is so childish. Microsoft releases code to help those writing code that runs on Microsoft’s stuff, and those that have zero interest in writing such code come here to bash and try to convince those that are writing such code that this is useless (and even “evil”, since it’s only purpose is for suing people later on (paraphrasing the lunatics)). Pathetic in the extreme.
Edited 2008-01-18 17:55 UTC
How is it childish? lets assume I work on Mono, whilst developing mono, I want to ensure that my implementation is compatible with Microsoft’s implementation – and not have to write a whole heap of tests that may or may not test the function as Microsoft intended – I decide to look at the code.
Due to the ‘read only’ nature of the licence, sure, I might get my the issue resolved in my implementation, but it leaves a massive hole there for someone to exploit by way of legal action. Given Microsoft’s threats against open source projects and their ‘infringing’ on patents of which they’re too lazy to disclose, I would be very cautious.
It has NOTHING to do with hating Microsoft – so stop trying to bring up BS which has nothing to do with the topic; I own a Mac, and I’m quite happy to use Microsoft products, I’ve got Office 2008, MSN messenger, I like using their online services – so no, I’m not some rabid anti-Microsoft person with a chip on his shoulder, just a concerned person who having heard the threats by Microsoft, I don’t want to see open source projects drown a sea of frivolous litigation.
Edited 2008-01-19 02:27 UTC
It’s childish because you guys are looking for bogey men where they ain’t, and are in essence saying that it would be better if Microsoft had not released this code at all. You do that because you speak from the perspective of someone not making .NET code, of someone to whom this release isn’t targetted. You claim concern about how this release will affect non-.NET coders without considering the concerns about .NET coders to whom this release is targetted.
Here’s a quote about this I read on slashdot that sums things up quite nicely:
“This release is not intended to benefit the Slashdot crowd [or those not making code that runs on .NET]. Of course it isn’t “open source”, and Microsoft never said it was. This is Microsoft assisting developers working with .NET on the Windows platform. There are a huge number of developers who fit that description. Sorry if you don’t, but not everything is about you.”
I never mentioned “hating Microsoft”. That you brought that up unprompted may reveal your own feelings on the matter. So rather than responding to me by raising issues I didn’t raise, why don’t you address something I did raise, which is that Microsoft has released source code for many years (C runtime, C++ STL, MFC), and all that time nobody accused them of doing it for the purpose of suing anyone.
As for Mono, Miguel has instituted a policy that nobody that has seen the .NET code will be allowed to work on Mono in any way, shape, or form. So your scenario of being a Mono developer that decides to look at Microsoft’s code to enusre that your implementation is compatible would in fact violate Miguel’s own policy. Now, if someone decides to violate Miguel’s policy and potentially put Mono at risk, that’s on that dev, not Microsoft. Microsoft released this code to help .NET devs, how it affects Mono is not their concern. It’s Miguel’s concern, and Miguel has taken the action he sees fit (banning those that have seen MS’s code from working on Mono). And he did this without trashing the releasing of the code for .NET devs.
Edited 2008-01-19 19:16 UTC
How is it childish? lets assume I work on Mono, whilst developing mono, I want to ensure that my implementation is compatible with Microsoft’s implementation – and not have to write a whole heap of tests that may or may not test the function as Microsoft intended – I decide to look at the code.
If you’re working on Mono then it is not for you, Microsoft (Scott Guthrie) clearly said it. So stop being stubborn.
How is it childish? lets assume I work on Mono, whilst developing mono, I want to ensure that my implementation is compatible with Microsoft’s implementation – and not have to write a whole heap of tests that may or may not test the function as Microsoft intended – I decide to look at the code.
Why do you suppose people write unit/regression tests when testing code (even when source code is available)? For their own amusement? No, of course not. It’s to validate behavior. If you want to compare functionality, the only reliable way is to write a test which validates same. Looking at the source code only gets you so far.