Open Source Code Lifted For Windows 7 Download Tool

Microsoft took responsibility for a developer lifting code from a CodePlex-hosted open-source project to build its free Windows 7 USB/DVD Download Tool, an incident that caused Microsoft to yank the program from its online Microsoft Store earlier in November.

Microsoft had originally introduced the WUDT in October as a way of porting Windows 7 onto netbooks, many of which do not contain DVD drives. The tool allegedly copied code from the GPLv2 (General Public License Version 2)-licensed ImageMaster project, described on the CodePlex site as “a .NET C# application for reading and writing disc images,” without following ImageMaster’s terms of use.

Under ImageMaster’s terms of use for open-source code, Microsoft should have provided source code for modifications to ImageMaster. Microsoft also grafted its own licensing terms onto the WUDT tool, a further violation of the terms of use.

In a 6 Nov. post on his Within Windows blog, Rafael Rivera described how he had been poking around the WUDT’s internals and had a “weird feeling” that “there was just wayyyyy too much code in there for such a simple tool.”

After additional digging, Rivera found that a “simple search of some method names and properties … revealed the source code was obviously lifted from the CodePlex-hosted (yikes) GPLv2-licensed ImageMaster project. The author of the code was not contacted by Microsoft.”

On the late afternoon of 13 Nov, as everyone headed out for the weekend, Microsoft confirmed that Rivera’s findings were sound.

“After looking at the code in question, we are now able to confirm this was indeed the case, although it was not intentional on our part,” Peter Galli, open-source community manager for Microsoft’s Platform Strategy Group, said in a statement published on Port25, a site that bills itself as, “Communication from the open-source community at Microsoft.”

The issue, according to Galli, was limited to the WUDT.

“While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process,” Galli said. “We had furthermore conducted a review of other code provided through the Microsoft Store and this was the only incident of this sort we could find.”

Galli’s statement concluded with an olive branch of sorts for the open-source community: “When it comes to our attention that a Microsoft component contains third-party code, our aim is to be respectful of the terms under which that code is being shared. As a result, we will be making the source code as well as the binaries for this tool available next week under the terms of the General Public License v2 … and are also taking measures to apply what we have learned from this experience for future code reviews we perform.”

A Microsoft spokesperson indicated to eWEEK that this would be the only statement at this time concerning the matter.