The source code for Oracle's Solaris 11 operating system is now out in the open for anyone to peruse and compile, thanks to a furtive posting of a compressed archive that has been mirrored across scores of bitstreams and filesharing sites. But so far, Oracle hasn't moved to do anything about it, and the question remains whether the code was leaked by a disgruntled Oracle employee, or if this is the strangest open-source code-drop in history.

"The question I have is, what is it?" said Bryan Cantrill, former Sun Microsystems engineer and developer of the DTrace diagnostics tool, and now vice president of engineering at Joyent, in an interview with Ars. "Is it a deliberate act or not?"

First flagged on December 19 by an anonymous poster to the forums of the Linux tech site Phoronix, the 108MB tarball appears to contain most or all of the source for the kernel of Solaris 11, based on our review of the code. While the majority of the code in the archive is marked with the licensing header for the Common Development and Distribution License, there is also a significant amount of code and makefiles covered by Oracle and other companies' copyrights that did not carry the CDDL, as well as older code bearing Sun Microsystem's copyright in a directory of the archive named "closed."

That proprietary code includes the source for Solaris' kernel-level cryptographic framework daemon, logical link control driver, and code for mounting NFS filesystems. A significant portion of the code in "closed," however, also carried the CDDL header; it's not clear if Oracle intended to make this previously open code closed or not.

The code drop is being given a wide berth by developers associated with two of the open development projects that have forked from OpenSolaris, the open-source kernel effort that contributed much of the new technology in Solaris 11. Oracle essentially killed the OpenSolaris project after its acquisition of Sun. Developers on the OpenIndiana discussion group were concerned about whether it was safe to even look at code marked with the CDDL license because of the nature of the release; some believed it was potentially harmful to the open-source community because it presented the possibility of future legal claims by Oracle over intellectual property against open-source versions of the kernel that resembled the copyrighted code.

The CDDL license, a file-level "copyleft" that allows open source code to reside alongside proprietary code, was devised by Sun in order to allow community development of the Solaris kernel without having to negotiate the minefield of acquiring rights to open-source code the company had licensed from others, including IBM and NCR. In theory, any file with the CDDL header in it is fair game for developers to build from. But because Oracle has not issued an official code drop of changes it made to the CDDL code subsequent to the euthanization of OpenSolaris, and the code leak doesn't contain any historical data about the changes, the contents of the code leak could create muddy legal waters for developers who use it, or even just examine it.

However, Cantrill says that Oracle would have a hard time arguing for intellectual rights over the code marked as CDDL in the leak, since at this point Oracle has done little to clarify what's going on. "If the company is doing nothing to say that it isn't under the [CDDL], what is the difference between this and open source?" he asked. "If [the code] is a trade secret, it should be treated as such."

Cantrill says that the history of the Solaris kernel code—"the first thing that went open source and then tried to go closed again"—creates all sorts of legal "quagmires" for Oracle if they eventually decide to assert intellectual rights over any of the code that was previously open-source. At the same time, "without clarification from Oracle, [the code] is useless to the [open source] community," he said.

Rather than it being a stealth code drop by Oracle or an attempt to trap open source developers, many in the community believe the leak is just that—a leak by a disgruntled Oracle employee. And Cantrill said there are no doubt plenty of those, as Oracle has disenfranchised many engineers and the company's culture has driven away a large portion of Sun's engineering talent—including Cantrill himself, who left Oracle in July of 2010.

The termination of OpenSolaris and reversing course on the promise to continue to open source the Solaris kernel was "a terrible business decision, a terrible decision ethically, and executed in a cowardly manner," Cantrill said. "We at Sun had all sorts of of pathologies in management," he said. But he said few were prepared for Oracle's "level of mendacity" in its efforts to crush the former Sun's open-source tendencies. "Oracle didn't give a damn that by closing (Solaris), they were going to do damage to themselves. They don't even have the capacity to care. The company can't feel empathy by its design."

Cantrill called the leaks "an act of civil disobedience within Oracle,"and said it was unlikely Oracle would be able to identify the source, "assuming they're even upset about it—Oracle may not care at all."

So far, Oracle has not commented on the leak, and failed to respond to our requests for comment.