suppose many users of Windows, some of them working for foreign governments, decide that Windows really rocks compared to alternatives but they don’t trust the updates since, conceivably, Microsoft could distribute patches containing a backdoor. I.e. even if they are confident that “right now” there are no backdoors, maybe they would be added later.
So, suppose these users would clamor for Microsoft to publish the source code for patches so that they would examine and compile it by themselves. I can see that in this way a lot of proprietary code would get published, but then it would be just a drop in the bucket compared to the size of the entire codebase. So while it would be useful for verifying the absence of backdoor, to me this does not sound like it would be useful for anything else.
What is wrong with my reasoning? What would be negative consequences of Windows patches being published as source code?
AFAIK, it’s more a question about archiving. Say that this or that country’s goverment always used Word for whatever records we’re talking about, and wanted to check some files from 1992, and finds out that it can’t actually read it’s contents, because the software - later iterations of Word - isn’t compatible with those files, the goverment would have to ask this American company: “Erm… could you help us read our files…?” Now, imagine this is during a conflict with USA and the situation becomes quite bizarre. It doesn’t get any better with SharePoint, which transfers the files into a Microsoft SQL Server database.
Microsoft aren’t yet providing delta patches, so if a single line of code changes in a file then the whole compiled executable is deployed during patching, rather than just patching the bytes that have changed.
So after a few rounds of patches, often containing major chunks of the kernel, everybody would have a 70%+ accurate copy of the OS source code. It doesn’t make any sense for them to give this away for technical and legal reasons. It’s not impossible to get a source license from MS, but I wouldn’t fancy trying it
At the same time I don’t think this is a major impediment to the adoption of MS products. They’re in use pretty much everywhere, although often pirated, and a nation state has many options available to check the security of what they’re using, including reverse engineering, isolated networks, network monitoring and so on.
In short, I don’t think it’s a problem that MS think needs fixing.
My guess is that enough varied components are touched in any given wad of updates that if you published the source of the components that changed, it wouldn’t be long before you’d published all the Windows source anyway.
And having worked in the Windows build system before, I can pretty safely say that supporting its use by random users outside of Microsoft is a huge task that Microsoft is not going to undertake without a correspondingly huge incentive.
ETA: agreed with previous post that this isn’t really a problem that needs fixing. It doesn’t make much sense to mistrust Microsoft-signed updates but to trust a Microsoft-signed OS in the first place.
