Open source software
A brief-ish explainer of open source software.
By: Luke Fretwell
Posted: October 21, 2024
Estimated read time: 7 minutes
TLDR đĽ
- Government leaders are still confused by, ambivalent to, or dismissive of open source.
- For IT modernization and digital transformation to thrive, they must know and embrace open source technologies and culture.
Why it matters đ¨
Open source software and hardware powers the world. This includes government websites, applications, databases, computers, servers and critical infrastructure.
Fully knowing open source means youâre dialed in deeper to how modern technology works.
Knowing how to buy, build, and maintain open source:
- Scales digital services.
- Keeps systems secure.
- Lessens vendor lock-in.
- Saves taxpayers money.
- Fosters open innovation.
- Opens government tech talent.
What they say đŹ
The U.S. federal government publicly accepts, adopts and supports open source software.
- âNearly every popular software product relies heavily on open source software.â
- âThere are great benefits to be gained in reliability, performance, and security.â
Cybersecurity & Infrastructure Security Agency:
- âOpen source software is widely used across the federal government and every critical infrastructure sector.â
- âWe also actively contribute by open sourcing much of our code via our âopen-by-defaultâ software development policy.â
General Services Administration:
- âWe believe in being âopen firstâ with working to realize 100% open source code across the Agency.â
- âWhile we may be a little ways away from being fully 100% open source, we take pride in being the government (and industry) standard for open sourcing.â
What is open source? đ¤
Defining open source is tricky. There are many license types, like MIT, GNU GPL, Apache and Creative Commons.
Free vs. open source: Thereâs a philosophical (some say political) debate over what itâs called and how itâs defined.
- âOpen source doesnât just mean access to the source code,â says Open Source Initiative. OSI has a set of standards with varying rights.
- The Free Software Foundation is firm on free: âusers have the freedom to run, copy, distribute, study, change and improve the software.â
- âThink free speech, not free beer,â FSF and GNU Project founder Richard Stallman famously quipped.
Bottom line: Read the license. Whether itâs freely downloadable or vendor managed, open source is subject to different licenses that impact usage rights and derivative products.
Tools of the trade âď¸
Developed by Linus Torvalds in 2005, Git is the open source tool that helps dev teams build digital products.
Software-as-a-service platforms GitLab and GitHub are the household names. They make it easier to perform Git functions (like branching and version control), They also have features like repository and project management, continuous integration, security monitoring, AI coding co-pilots that streamline collaborative development.
But is it secure? đ
Open source raises IT eyebrows because adoption is widespread and security exploits are more public. Of note, the Heartbleed and Log4j vulnerabilities that critically impacted technical systems worldwide.
Much of this is due to the nature of OSS: code and reporting transparency means heightened visibility of security flaws.
Linusâ Law: âGiven enough eyeballs, all bugs are shallowâ is a common open source mantra.
The flip side: Security reporting for proprietary technologies is more opaque and less public. This makes it seem like open source is less secure, but proprietary software can be just as susceptible to vulnerabilities.
What they say:
- DOD: âThere are some misconceptions ⌠that open source software is not secure.â
- CISA: âCISA has several ongoing initiatives around open source security.â
Key gov efforts:
- The Office of the National Cyber Director published a request for information.
- The White House hosts summits with business and key nonprofit orgs.
- CISA created an OSS security roadmap.
- The National Institutes of Standards and Technology maintains the Open Security Controls Assessment Language.
Acronym FYI: The SBOM, or software bill of materials, is an âinventory for software, a list of ingredients that make up software componentsâ (National Telecommunications and Information Administration).
Bottom line: âSome OSS is very secure, while others are not; some proprietary software is very secure, while others are not. Each product must be examined on its own merits,â says DOD.
Government open source đď¸
The U.S. government published a 2016 open source software policy saying it must be technology neutral. Agencies âmust consider open source, mixed source, and proprietary software solutions equally.â
And they should build and release code that:
- âfosters communities around shared challengesâ
- âimproves the ability of the OSS community to provide feedback on, and make contributions to, the source codeâ
- âencourages Federal employees and contractors to contribute back to the broader OSS community by making contributions to existing OSS projectsâ
Notable government open source projects include:
- U.S. Web Design System
- Ghidra software reverse engineering framework (NSA)
- California Design System
- Files and infrastructure to run vote.gov website
- Federal Election Commission website content management system
- Canadian Digital Service website
- Government of Canada Notify
Industry open source đ˘
The private sector buys, builds and funds open source.
Buying:
- IBM bought open source pioneer Red Hat.
- Microsoft bought GitHub, the largest community for open source developers.
Building:
Funding:
Google, Apple, Amazon, Meta, Cisco â to name a few â are key financial supporters of OSI and OpenSSF.
OSPO: governmentâs new acronym đ¤
Open source program offices are common in the private sector (TODO Group charts the landscape).
As OSS value becomes more obvious to government work, the public sector will follow suit.
Whatâs an OSPO? Itâs âresponsible for managing and coordinating an organizationâs open source activities,â says a Linux Foundation deep dive.
Inaugural gov OSPO: The Centers for Medicare and Medicaid Services may be governmentâs first OSPO. CMS works in the open on GitHub (note its OSPO maturity model).
Its purpose: âEstablish and maintain guidance, policies, practices, and talent pipelines that advance equity, build trust, and amplify impact across CMS, HHS, and Federal Open Source Ecosystems by working and sharing openly.â
Ideas đĄ
Government technology limits its impact if leaders donât learn, buy, build, adopt and support open source technologies and culture.
- Leaders: Build OSPO teams.
- IT/digital teams: Consume and publish code and supporting docs.
- Procurement: Become conversant about open source licenses.
- Funding: Financially support leveraged open source projects.
Go deeper âď¸
Reading:
- The Open Organization: Igniting Passion and Performance
- Working in Public: The Making and Maintenance of Open Source Software
- Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure
- The revolution will be forked: How open collaboration is helping to reimagine the way government works
Orgs: