It would be great if we could combine ReactOS with Good old Games to build a retro Windows games distribution. I could hand that out at LAN parties as USB boot stick.
The better the specs of a commercial product, the easier it would be to produce an open source version it, with coding and testing automation perhaps even a one-to-one offering.
WannaCry was able to successfully run on ReactOS in 2025. Most other virsuses do tend to crash, because the memory layout is just a tiny bit different, but yeah, compatibility means compatibility. Lots of malware comes along for the ride.
However, there is a permissions layer that is more nix than Windows, which means the first foothold is still better than XP - you have to choose to execute the file. Self-running things don't tend to infect systems.
Its not a panacea, and there is a risk factor. And there aren't a lot of antivirus systems that can run correctly under ReactOS, because they freak out and think the OS is the malware, because they're scanning hashes for Windows, not another system.
But for a hobby OS, keeping hardware and software accessible after the rest of the world broke access, it still works.
Of course. Maybe not successfully but a "virus" is just software. If it runs software, it runs software, full stop. Maybe the same APIs are not available or behave differently, so it may be buggy or non-functional, but that's true of Half-Life here too.
Somewhere in the docs they state that they must also recreate whatever bugs the API has, otherwise applications written with those bugs as an (implicit) assumption could misbehave.
its worse than that, Windows activates/deactivates "bugs" based on the compatibility profile of the app.
so you can set an app to use a Windows XP compatibility profile, and this will simulate Windows bugs which were fixed in more recent versions of the OS
Maybe worry about Linux malware which is a major problem right now everyone is in huge denial about, instead of throwing shade at a hobby OS emulating a 25 year old version of Windows.
ReactOS isn't the one that just had one of its package repos owned (again).
I would still note that this is not some kind of unique problem to Linux. There have been documented instances of malware making it to the Play Store, which is supposed to have a much more rigorous vetting process than AUR and costs actual money to publish on.
Just to expand... When the above user is comparing to Windows, who got most of the US government breached, I do think shade against AUR is uncalled for. Its just a community host for packages, comes with warnings, and isn't enabled by default, etc.
I can still happily upgrade via pacman without fear. Haven't been able to update on Windows without concern for over a decade - the malware comes builtin.
Isn't it funny how such incidents on Linux are rare enough that they make headlines, but on Windows that's been the baseline expected state of things for so long that nobody bats an eye anymore.
Btw if you're running an OS that's never had a malware incident, please, tell us!
ClickFix which used Windows Update, and LNK that used Microsoft's signing keys, would disagree. There are still large and ongoing attacks that exploit Windows, and they are a serious problem - its just the attackers are less pointed at the everyday person, and more at corps and govs.
...is essentially impossible to pull off against commercial operating systems, because their core components are all written in-house by staff with photo ID badges, details with HR, tax returns filed with the government, and a cubicle that makes sure that they're locals and not some faceless anonymous hacker identifiable by nothing other than a throwaway faked email address!
I get that there was a lot of "stigma" about open source, the world largely forgot about it, but... actually, in this sense of allowing anonymous contributions it remains a very real risk.
"Jia Tan" was almost certainly a paid professional hacker working for a nation-state actor. Their "helpful contributions" to XZ utils was nowhere near a full-time effort. They certainly had "other irons on the fire", most probably in the Linux kernel or immediately adjacent to it.
He's probably not the only one doing this kind of "work".
For all you know, Linux has more remote exploits purposefully baked into it than Windows has security bugs inadvertently left in it... and don't forget Linux has bugs leading to security vulnerabilities too!
A rough count of "named" CVE 10.0 score (or close to it) vulns in the last 5 years:
7 for Microsoft: ProxyLogon, ProxyShell, ProxyNotShell, LDAPNightmare, PrintNightmare, noPac, Follina
While this is sort of laughable out of context (I mean, Steam on Linux for the last few years has run basically everything with full acceleration)...
I think what is being claimed, but not explicitly in the article, is that this is running the NVIDIA driver stack (for an ancient GeForce 8 card) directly, as opposed to emulating DirectX at the API level on top of a Vulkan driver.
> While this is sort of laughable out of context (I mean, Steam on Linux for the last few years has run basically everything with full acceleration)...
Eh. It's sort of like saying FreeDOS is laughable because DOSBox exists. I think that's missing the point.
reactos has been in development for 28 years and it can run half-life on real hardware. that is approximately how long half-life 1 itself has existed in the first place!
It would be great if we could combine ReactOS with Good old Games to build a retro Windows games distribution. I could hand that out at LAN parties as USB boot stick.
Given enough time, open-source will win. Just think about how more and more people are programming and how that will draw them to open-source.
more people and AI
Specifications are important.
The better the specs of a commercial product, the easier it would be to produce an open source version it, with coding and testing automation perhaps even a one-to-one offering.
What is the benefit compared to a compatibility layer? Is it easier for future maintenance?
It's definitely a huge improvement towards "FOSS Windows."
something I wondered for a while
do windows viruses get ported by such efforts as well?
WannaCry was able to successfully run on ReactOS in 2025. Most other virsuses do tend to crash, because the memory layout is just a tiny bit different, but yeah, compatibility means compatibility. Lots of malware comes along for the ride.
However, there is a permissions layer that is more nix than Windows, which means the first foothold is still better than XP - you have to choose to execute the file. Self-running things don't tend to infect systems.
Its not a panacea, and there is a risk factor. And there aren't a lot of antivirus systems that can run correctly under ReactOS, because they freak out and think the OS is the malware, because they're scanning hashes for Windows, not another system.
But for a hobby OS, keeping hardware and software accessible after the rest of the world broke access, it still works.
Of course. Maybe not successfully but a "virus" is just software. If it runs software, it runs software, full stop. Maybe the same APIs are not available or behave differently, so it may be buggy or non-functional, but that's true of Half-Life here too.
Some, but not all, most don't. Ideally they would all work, ReactOS doesn't make a priority on being a "safer" option, just an open source option
Somewhere in the docs they state that they must also recreate whatever bugs the API has, otherwise applications written with those bugs as an (implicit) assumption could misbehave.
its worse than that, Windows activates/deactivates "bugs" based on the compatibility profile of the app.
so you can set an app to use a Windows XP compatibility profile, and this will simulate Windows bugs which were fixed in more recent versions of the OS
The payload yes, the exploit hopefully not.
Yes
Maybe worry about Linux malware which is a major problem right now everyone is in huge denial about, instead of throwing shade at a hobby OS emulating a 25 year old version of Windows.
ReactOS isn't the one that just had one of its package repos owned (again).
What's the major Linux malware problem that everyone is ignoring
AUR got hit recently [0], by what looks like more work of TeamPCP and friends.
EDIT: Worth noting, Arch ain't hosted on AUR. That's the community side only.
[0] https://archlinux.org/news/active-aur-malicious-packages-inc...
I would still note that this is not some kind of unique problem to Linux. There have been documented instances of malware making it to the Play Store, which is supposed to have a much more rigorous vetting process than AUR and costs actual money to publish on.
Just to expand... When the above user is comparing to Windows, who got most of the US government breached, I do think shade against AUR is uncalled for. Its just a community host for packages, comes with warnings, and isn't enabled by default, etc.
I can still happily upgrade via pacman without fear. Haven't been able to update on Windows without concern for over a decade - the malware comes builtin.
[0] https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi...
Isn't it funny how such incidents on Linux are rare enough that they make headlines, but on Windows that's been the baseline expected state of things for so long that nobody bats an eye anymore.
Btw if you're running an OS that's never had a malware incident, please, tell us!
Windows stopped having serious malware problems at least 10 years ago
the ransomware campaigns would have happened on any OS enterprises use, because they were not security flaws in the OS
ClickFix which used Windows Update, and LNK that used Microsoft's signing keys, would disagree. There are still large and ongoing attacks that exploit Windows, and they are a serious problem - its just the attackers are less pointed at the everyday person, and more at corps and govs.
Conversely, this kind of attack: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
...is essentially impossible to pull off against commercial operating systems, because their core components are all written in-house by staff with photo ID badges, details with HR, tax returns filed with the government, and a cubicle that makes sure that they're locals and not some faceless anonymous hacker identifiable by nothing other than a throwaway faked email address!
I get that there was a lot of "stigma" about open source, the world largely forgot about it, but... actually, in this sense of allowing anonymous contributions it remains a very real risk.
"Jia Tan" was almost certainly a paid professional hacker working for a nation-state actor. Their "helpful contributions" to XZ utils was nowhere near a full-time effort. They certainly had "other irons on the fire", most probably in the Linux kernel or immediately adjacent to it.
He's probably not the only one doing this kind of "work".
For all you know, Linux has more remote exploits purposefully baked into it than Windows has security bugs inadvertently left in it... and don't forget Linux has bugs leading to security vulnerabilities too!
A rough count of "named" CVE 10.0 score (or close to it) vulns in the last 5 years:
7 for Microsoft: ProxyLogon, ProxyShell, ProxyNotShell, LDAPNightmare, PrintNightmare, noPac, Follina
10 for Linux: XZ Utils, regreSSHion, Leaky Vessels, Copy Fail, PwnKit, Dirty Pipe, Looney Tunables, GameOver(lay), Baron Samedit, Sequoia
While this is sort of laughable out of context (I mean, Steam on Linux for the last few years has run basically everything with full acceleration)...
I think what is being claimed, but not explicitly in the article, is that this is running the NVIDIA driver stack (for an ancient GeForce 8 card) directly, as opposed to emulating DirectX at the API level on top of a Vulkan driver.
Indeed. ReactOS is to the full Windows stack what Wine is to the userland Windows API.
> While this is sort of laughable out of context (I mean, Steam on Linux for the last few years has run basically everything with full acceleration)...
Eh. It's sort of like saying FreeDOS is laughable because DOSBox exists. I think that's missing the point.
I mean they reimplemented directx without vulkan, that's indeed in a league of their own. wine/proton relies on opengl/vulkan to do anything.
Wine has had many different DirectX backends over the decades, including one before Vulkan existed obviously.
All of them relied on translation (ex: opengl). Proton specifically is focused on dx->vulkan.
I wouldn't call it laughable. ReactOS was not created only to run half-life. It's just one of their many impressive achievements.
reactos has been in development for 28 years and it can run half-life on real hardware. that is approximately how long half-life 1 itself has existed in the first place!