The Microsoft Web Protection Library, commonly referred to as AntiXss (the previous class name) has had a bit of a vulnerability. Now we all know that vulnerability and Microsoft usually go together like chicken and eggs, but you see what makes this different is that it’s an apparent earnest effort at an Open Source project. Unfortunately, the newest iteration of this project, 4.2 breaks everything. This isn’t unusual by itself either as that too is a Microsoft staple and indeed other projects have faced similar issues with “fixes”. What is unusual is that MS has reinterpreted the meaning of Open Source and removed all previous binaries to the library that actually worked, even with the vulnerability (thereby making it non-Open), and the sources for the 4.2 “fixes” are still unavailable.
Now I’ve read the FAQ for Open Source, but I couldn’t find single instance where this behavior would fit under the term. I scanned through the FAQ again, and found a behavior similar to what MS is actually doing and came across the following :
What if I do not want to distribute my program in source code form? Or what if I don’t want to distribute it in either source or binary form?
If you don’t distribute source code, then what you are distributing cannot meaningfully be called “Open Source”. And if you don’t distribute at all, then by definition you’re not distributing source code, so you’re not distributing anything Open Source.
What’s more, “Barry” the coordinator of the project on CodePlex has stated the following when another user wanted the sources listed :
The source branch for 4.0, release, is available – the dates don’t ever match due to the way we publish.
The source for 4.2 is not available – it takes a bit of cleaning before publication (we usually have a 1-2 week gap), and as we’re working on getting the sanitizer functional again for 4.3 taking the time to publish the 4.2 code would remove effort from tracking down what is going on.
That’s not quite what it means to be Open Source, Barry.
But earlier on the same thread he had said :
It’s company policy I’m afraid. The source will remain though, so if you desperately wanted you could download and compile your own versions of older releases.
Notice it wasn’t project policy or community policy. But it was company policy; meaning Microsoft has a different definition of the term Open Source.
So AntiXss is no longer an Open Source project.