FSF tries to get MS to open-source Windows 7

         

bill

2:55 am on Feb 21, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



An interesting concept, but probably one that won't go anywhere... The Free Software Foundation ran a petition earlier this year to ask Microsoft to open-source Windows 7. They delivered the petition to Microsoft and are now awaiting a response.

Why freeing Windows 7 opens doors [fsf.org]

Microsoft can free Windows. They already have all of the legal rights necessary or the leverage to obtain them. Whether they choose to do so or not is up to them. In the past weeks, we've given them the message that thousands of people around the world want Windows to be freed. Next, we'll give them the medium.

tangor

9:20 am on Feb 21, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This would be cool!

I still have a Win7 in my development chain (no longer net facing).

Been with MS on Win since version 1x and 7x was the best of the bunch for general work flow (98 was a step up from 3x but the SE version was a disaster!).

Showing my age a bit ... still have a DOS machine with a particular legacy program some 50k lines long on a 486, still humming along, that I desperately need to find time to port to a newer version!

engine

2:57 pm on Feb 21, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



What a great idea, however, there's too much code investment, and probably patents in there.

What are the chances?

Pretty slim, methinks.

Dimitri

5:36 pm on Feb 21, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



There is also a risk to see the rise of a Free Windows OS, which, one day can compete with the official Windows branch.

More companies and individuals are switching to Linux based OS, imagine if tomorrow, there is a free Windows based OS, the switch will be again easier and convenient.

That being said, I think that it could be a great idea to have Windows 7 going open source.

Kendo

5:44 pm on Feb 21, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can't see that happening because too many of its resources, some from much earlier versions, are still being used in Windows 10.

JS_Harris

9:47 am on Feb 22, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Bad idea, it would be too helpful for those who create viruses and would not benefit regular Microsoft users much.

Won't happen, it's like begging for code, "go write your own" is the short version of Microsoft's response, albeit more polite of course.

I suppose you can always beg though

awsoo

11:10 am on Feb 22, 2020 (gmt 0)

5+ Year Member



It would be nice to have a look inside Windows 7 source but Microsoft will not release it. Probably in a few years from now.

graeme_p

11:47 am on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Bad idea, it would be too helpful for those who create viruses.


Quite the opposite. A lot of people would be looking at the code, and will spot vulnerabilities before the hackers. Many eyes and all that.

There is also a risk to see the rise of a Free Windows OS


I think this is the key. The code could also be used by things like Wine, making running Windows software on Linux a lot better (meaning more software will run and more smoothly).

Kendo

12:22 pm on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Quite the opposite.

I disagree. You cannot prevent exploit when you give them a roadmap to use, which is why open source is always most vulnerable. Whereas obscurity is a huge plus.

lammert

1:43 pm on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A lot of people would be looking at the code, and will spot vulnerabilities before the hackers. Many eyes and all that.

No, I have been involved in a number of open-source projects and almost no-one looks at the code details. They all take for granted that the code works. Especially in a project like Windows 7 which contains millions of lines of code, you shouldn't assume that anyone except for the hacker looking for vulnerabilities will spot any problematic parts in the code.

Remember that Windows 7 has been available for many years going through many iterations of updates and bug-fixes. All low-hanging fruit is gone by now. What is left are vulnerabilities deeply hidden inside the code which you will only find if you know what you are looking for.

graeme_p

2:02 pm on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



anyone except for the hacker looking for vulnerabilities will spot any problematic parts in the code.


Security researchers for a start.

which is why open source is always most vulnerable.


So why does closed source software not have a better security track record than open source?

On top of that, Windows source has been leaked before, open source code has been used in Windows and bundled with Windows, etc. Did any of that make Windows less secure? It's been given to 45 governments including China.

Kendo

10:13 pm on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So why does closed source software not have a better security track record than open source?

Who says that it does? And which open-source applications are used in mission critical security scenarios?

lammert

10:19 pm on Feb 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



And which open-source applications are used in mission-critical security scenarios?

OpenSSL is the best known I think. But it has a very bad history of vulnerabilities as you can see in the OpenSSL CVE list [cvedetails.com]

Kendo

2:08 am on Feb 24, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



An interesting point to note is that sites/services like CVEdetails advertise vulnerabilities to the public, but they do not contact the vendor and let them know.

I did a search on our own software and found 2 issues only. One was listed in 2010 and we were never contacted by anyone and received no complaints. The other in 2017 we did know about because it was reported by WordPress. That exploit was in one of our WordPress plugins that until then was using commonly used WP functions. So really it was a WordPress exploit but it is listed against us, and probably a few hundred other WP plugin developers.

I suppose that any wanna-be hacker only needs to check a site like CVEdetails to get started.

graeme_p

11:29 am on Feb 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



And which open-source applications are used in mission critical security scenarios?


Linux for a start. Apache and Nginx (not all websites are just brochure sites). Postgres. OpenStack. Lots and lots more.

The majority of big web businesses (Google, FB, Cloudflare, Disqus, ....) depend on open source. Banks and other financial institutions often depend on open source.

OpenSSL is the best known I think. But it has a very bad history of vulnerabilities as you can see in the OpenSSL CVE list


So do the proprietary SSL libraries. Furthermore one of the worst OpenSSL vulnerabilities was found by an external audit of the code (by Red Hat). It's difficult to compare because vulnerabilities in closed source may be fixed (or not fixed!) without any announcement.

An interesting point to note is that sites/services like CVEdetails advertise vulnerabilities to the public, but they do not contact the vendor and let them know.


All the major vulnerabilities I have read up on (i.e. ones that concerned me enough for me to do that - like the worst of the OpenSSL ones) were publicly released after the vendor (and major distributors) were warned and given time to fix and distribute fixes.

I think it is good practice and generally accepted as such - you should have been informed first. Do you have a published request for people to tell you first, and how they should contact you about vulnerabilities? It might help if there are any in the future.

That exploit was in one of our WordPress plugins that until then was using commonly used WP functions. So really it was a WordPress exploit but it is listed against us, and probably a few hundred other WP plugin developers.


It's useful info if you are checking whether (or how badly) you need to fix your install. It may be that WordPress developers were informed before the CVE was published.

Kendo

7:24 am on Mar 2, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Banks and other financial institutions often depend on open source.


Sorry but you are making this up. I have been integrating merchant accounts into websites for 20 years and have yet to find a bank that uses off the shelf free software for anything. You can love open-source because it's free. You can hate Microsoft all you like. But don't tell me lies.

lammert

7:35 am on Mar 2, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ING Bank uses Apache Cassandra for their database. Furthermore, they have their own open-source repository at Github [github.com].

graeme_p

11:49 am on Mar 2, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sorry but you are making this up. I have been integrating merchant accounts into websites for 20 years and have yet to find a bank that uses off the shelf free software for anything. You can love open-source because it's free. You can hate Microsoft all you like. But don't tell me lies.


Is it acceptable behaviour on this forum to call people liars? I find it very hard to believe anyone could have worked for multiple banks and come across no open source.

A list of financial institutions using open source:

1. The London Stock Exchange. Their trading system (i.e. their core service) runs on Linux. They switched from a system that ran on Windows (developed partly by MS themselves) because it was too slow. Source: I used to work for the company that developed their trading system.
2. Multiple smaller stock exchanges that use the same system also use Linux. Source: I was working there when they decided to switch the recommended OS for the system from Solaris to Linux.
3. Barclays bank uses OpenStack. Source: a sysadmin I know at Barclays.
4. Man Group: they have an open source repo: [github.com...]
5. Jane Street Capital: also have an open source repo: [opensource.janestreet.com...]

Those are just ones I can think of off the top of my head. I could find a lot more if I wanted to research something I already know. A bit of Googling will show you how wrong you are.

Kendo

3:11 am on Mar 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So you are saying that it is perfectly acceptable to take an off the shelf open-source application and plug it into a money interface, not just doorway pages, info services or a CMS for the website, but for an interface that is MISSION CRITICAL, ie: hands on the money?

An application that has not been reworked and improved in any way?

Good luck with that!

bill

5:02 am on Mar 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So you are saying that it is perfectly acceptable to take an off the shelf open-source application and plug it into a money interface

Nobody here has even inferred that that I can see. They have provided you with plenty of examples of open source software used by financial institutions. To argue that no open source is used by any such institutions would be a losing proposition. Perhaps your experience differs, but that doesn't make your assertion universally true.

tangor

6:08 am on Mar 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Talk about TOPIC DRIFT!

FSF tries to get MS to open-source Windows 7

Still think that would be a nice thing to happen (not that it will).

graeme_p

9:23 am on Mar 13, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@tangor it's relevant to whether people would use an FOSS fork of Windows.

So you are saying that it is perfectly acceptable to take an off the shelf open-source application and plug it into a money interface, not just doorway pages, info services or a CMS for the website, but for an interface that is MISSION CRITICAL, ie: hands on the money?


I am not sure what you mean. Are you suggesting that banks and financial institutions should (or actually do) maintain their own forks of things like the Linux kernel or OpenSSH or Apache or OpenStack?

What I would expect them to do is use more secure and reliable configurations (something we all do to some extent - I would expect them to put more resources into it and be a lot more careful), and put money into services (everything from live patching to pen testing) and monitoring.

tangor

9:46 am on Mar 13, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yeah ... it's the apples and oranges thing that is amusing. :)