Open source software

TLDR 💥

• Government leaders are still confused by, ambivalent to, or dismissive of open source.
• For IT modernization and digital transformation to thrive, they must know and embrace open source technologies and culture.

Why it matters 🚨

Open source software and hardware powers the world. This includes government websites, applications, databases, computers, servers and critical infrastructure.

Fully knowing open source means you’re dialed in deeper to how modern technology works.

Knowing how to buy, build, and maintain open source:

• Scales digital services.
• Keeps systems secure.
• Lessens vendor lock-in.
• Saves taxpayers money.
• Fosters open innovation.
• Opens government tech talent.

What they say 💬

The U.S. federal government publicly accepts, adopts and supports open source software.

U.S. Department of Defense:

• “Nearly every popular software product relies heavily on open source software.”
• “There are great benefits to be gained in reliability, performance, and security.”

Cybersecurity & Infrastructure Security Agency:

• “Open source software is widely used across the federal government and every critical infrastructure sector.”
• “We also actively contribute by open sourcing much of our code via our ‘open-by-default’ software development policy.”

General Services Administration:

• “We believe in being ‘open first’ with working to realize 100% open source code across the Agency.”
• “While we may be a little ways away from being fully 100% open source, we take pride in being the government (and industry) standard for open sourcing.”

What is open source? 🤔

Defining open source is tricky. There are many license types, like MIT, GNU GPL, Apache and Creative Commons.

Free vs. open source: There’s a philosophical (some say political) debate over what it’s called and how it’s defined.

• “Open source doesn’t just mean access to the source code,” says Open Source Initiative. OSI has a set of standards with varying rights.
• The Free Software Foundation is firm on free: “users have the freedom to run, copy, distribute, study, change and improve the software.”
• “Think free speech, not free beer,” FSF and GNU Project founder Richard Stallman famously quipped.

Bottom line: Read the license. Whether it’s freely downloadable or vendor managed, open source is subject to different licenses that impact usage rights and derivative products.

Tools of the trade ⚒️

Developed by Linus Torvalds in 2005, Git is the open source tool that helps dev teams build digital products.

Software-as-a-service platforms GitLab and GitHub are the household names. They make it easier to perform Git functions (like branching and version control), They also have features like repository and project management, continuous integration, security monitoring, AI coding co-pilots that streamline collaborative development.

But is it secure? 🔒

Open source raises IT eyebrows because adoption is widespread and security exploits are more public. Of note, the Heartbleed and Log4j vulnerabilities that critically impacted technical systems worldwide.

Much of this is due to the nature of OSS: code and reporting transparency means heightened visibility of security flaws.

Linus’ Law: “Given enough eyeballs, all bugs are shallow” is a common open source mantra.

The flip side: Security reporting for proprietary technologies is more opaque and less public. This makes it seem like open source is less secure, but proprietary software can be just as susceptible to vulnerabilities.

What they say:

• DOD: “There are some misconceptions … that open source software is not secure.”
• CISA: “CISA has several ongoing initiatives around open source security.”

Key gov efforts:

• The Office of the National Cyber Director published a request for information.
• The White House hosts summits with business and key nonprofit orgs.
• CISA created an OSS security roadmap.
• The National Institutes of Standards and Technology maintains the Open Security Controls Assessment Language.

Acronym FYI: The SBOM, or software bill of materials, is an “inventory for software, a list of ingredients that make up software components” (National Telecommunications and Information Administration).

Bottom line: “Some OSS is very secure, while others are not; some proprietary software is very secure, while others are not. Each product must be examined on its own merits,” says DOD.

Government open source 🏛️

The U.S. government published a 2016 open source software policy saying it must be technology neutral. Agencies “must consider open source, mixed source, and proprietary software solutions equally.”

And they should build and release code that:

• “fosters communities around shared challenges”
• “improves the ability of the OSS community to provide feedback on, and make contributions to, the source code”
• “encourages Federal employees and contractors to contribute back to the broader OSS community by making contributions to existing OSS projects”

Notable government open source projects include:

• U.S. Web Design System
• Ghidra software reverse engineering framework (NSA)
• California Design System
• Files and infrastructure to run vote.gov website
• Federal Election Commission website content management system
• Canadian Digital Service website
• Government of Canada Notify

Industry open source 🏢

The private sector buys, builds and funds open source.

Buying:

• IBM bought open source pioneer Red Hat.
• Microsoft bought GitHub, the largest community for open source developers.

Building:

• Google
• Microsoft
• AWS
• Meta

Funding:

Google, Apple, Amazon, Meta, Cisco – to name a few – are key financial supporters of OSI and OpenSSF.

OSPO: government’s new acronym 🤓

Open source program offices are common in the private sector (TODO Group charts the landscape).

As OSS value becomes more obvious to government work, the public sector will follow suit.

What’s an OSPO? It’s “responsible for managing and coordinating an organization’s open source activities,” says a Linux Foundation deep dive.

Inaugural gov OSPO: The Centers for Medicare and Medicaid Services may be government’s first OSPO. CMS works in the open on GitHub (note its OSPO maturity model).

Its purpose: “Establish and maintain guidance, policies, practices, and talent pipelines that advance equity, build trust, and amplify impact across CMS, HHS, and Federal Open Source Ecosystems by working and sharing openly.”

Ideas 💡

Government technology limits its impact if leaders don’t learn, buy, build, adopt and support open source technologies and culture.

• Leaders: Build OSPO teams.
• IT/digital teams: Consume and publish code and supporting docs.
• Procurement: Become conversant about open source licenses.
• Funding: Financially support leveraged open source projects.

Go deeper ⛏️

Reading:

• The Open Organization: Igniting Passion and Performance
• Working in Public: The Making and Maintenance of Open Source Software
• Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure
• The revolution will be forked: How open collaboration is helping to reimagine the way government works

Orgs:

• Open Source Initiative
• Software Freedom Conservancy
• Open Source Security Foundation