White House Releases Federal Source Code Policy To Help Government Agencies Go Open Source (whitehouse.gov)
dwheeler writes: The U.S. federal government just released a new Federal Source Code policy (PDF). For each of the next 3 years, at least 20 percent of custom-developed Federal source code is to be released as open-source software. Earlier this year, Tony Scott, Federal CIO of the U.S. government, wrote on the White House blog that the U.S. government "can save taxpayer dollars by avoiding duplicative custom software purchases and promote innovation and collaboration across Federal agencies." Today, they released the Federal Source Code policy. TechCrunch reports: "The main requirement is that any new custom source code developed 'by or for the Federal Government' has to be made available for sharing and re-use by all Federal agencies. For example, this means that the TSA can have access to custom made software that was commissioned by the FBI. Considering there is probably a great deal of overlap in applications needed by certain branches of the Federal Government, this rule alone should save the government (and taxpayers) a great deal of money. In fact, the policy states that 'ensuring Government-wide reuse rights for custom code that is developed using Federal funds has numerous benefits for American taxpayers.'"
Re: I thought we wanted security (Score:2, Insightful)
I, the taxpayer, paid for it and demand that it's open. If it gets attacked, it will be fixed.
Re: (Score:1)
Security through obscurity is a phantasm. But closed source companies (and their sympathizers) continue to tout it.
This is not to say that open source has had no vulnerabilities. But far fewer than closed source, albeit closed source has more attackers.
Re: (Score:2)
Or should we get into a "Which is better, Chocolate or Vanilla?" thing.
Open source projects managed by systems like GitHub and forums are often maintained very well. But there are hundreds of projects placed into the open source that are left floating with no support for every one project which actually has a support infrastructure.
Federal contracts work
Re: (Score:2)
At the _minimum_ a source code escrow service, so if a contract is left unfinished or a business files for bankruptcy, the work made can be picked up by others and things continued. If I were paying someone megabucks to write up something, either the source code will be part of the contract, or it will be escrowed so that one party doesn't have a monopoly.
Re: (Score:2)
Whether code is open or closed has no relevance to the decision of the original authors to continue supporting it; the two things are not directly related at all.
Many closed source projects also cease being maintained; you just don't see the code languishing on GitHub because it's languishing on an internal code repository at the original vendor instead.
Some vendors decide to open source code that they no longer have any interest in, but the fact they're open sourcing it is not the reason they've lost interes
Re: (Score:2)
It's also a myth that closed source is truly closed, the source code is out there somewhere and malicious parties certainly have the source for various closed source software.
The difference is that when the only way to obtain the source is illegal, legitimate whitehat researchers won't be able to look at it which gives the upper hand to those who don't care about legality. With open source, everyone has equal access.
It's also not really true that closed source has more attackers... Most networks place devic
Re:I thought we wanted security (Score:5, Insightful)
The source code should be secret, which will help keep out hostile countries.
Obscurity is not security. I'm more comfortable looking at a disassembly than I am with source code. The disassembly doesn't lie.
I'm a white hat, for the record. It's my job to help people, not inconvenience or hurt them.
Re: (Score:2)
I'd prefer it if trolls were hunted down by hungry dogs with steel fangs, castrated, and then sent to work in coal mines without air filters.
I guess neither one of us is going to get what we want.
Re:I thought we wanted security (Score:4, Insightful)
I'd really prefer that federal agencies be secure against hackers. If they use open source, hostile countries like Iran and North Korea will be able to look for vulnerabilities in the code and more easily hack into the federal government. The source code should be secret, which will help keep out hostile countries. Security should be the primary goal, and therefore the source must be closed.
All this means is that you don't understand software security. There's no guarantee that open source is free of security issues, of course. But at the very least, it does mean that you're not depending on some "secret" in the code to remain secure, which is NOT any sort of security at all.
The most widely used security algorithms in the world are open specifications and have open source reference implementations, in case you aren't aware. These algorithms and implementations can never be proven secure except by their resistance to determined attacks over time, and this can only occur when they are publicly available for researchers to work on ways to crack them.
From US GSA 18F on security and open source... (Score:2)
From: https://18f.gsa.gov/2014/11/26... [gsa.gov]
Security and open source
"System security should not depend on the secrecy of the implementation or its components."
-- Guide to General Server Security, National Institute of Standards and Technology
A codebase is a terrible secret.
Because a codebase is so large, it cannot easily be changed. Furthermore, it must be known, or at least knowable, to the large number of people who work on it, so it cannot be kept secret very easily. This is represented at the bottom of figur
Re: (Score:2)
Break-even point? (Score:3)
Re: (Score:2)
Re: (Score:2)
> IME, writing code that is reusable is quite hard. Getting it into a form that using it in another project is worthwhile is costly.
Writing code to do extremely similar or even identical functions 3 times for 3 different projects is much _more_ costly, and each version is likely to have unique bugs. I'm also afraid that it's extremely common. Standardizing poorly integrated code from different companies or different projects covers a great deal of my paycheck and has vastly improved performance and relia
Public money (Score:4, Insightful)
Re: (Score:2)
It is a great model.
Too bad that's not what this is.
Re: (Score:2)
So as it is public software for public money, then the US Library of Congress should be expanded to incorporate a FOSS software repository, which would be made available for people to deposit, maintain and download FOSS software. This, as a matter of public record, would apply some security principles to that software so that it is safe to use by government departments. A copy of the source code of all government software projects should reside there.
Re: (Score:2)
From the first link (PDF):
SUBJECT: Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software
to release at least 20 percent of new custom-developed code as Open Source Software (OSS) for three years
develop an open source software policy that, together with the Digital Services Playbook, will support improved access to custom software code developed for the Federal government
and several other instances of the term.
Also, under the first heading "Objectives" it clearly speaks to sharing code with the public as well:
Establish requirements for releasing custom-developed source code, including securing the rights necessary to make some custom-developed code releasable to the public as OSS under this policy's new pilot program;
Did you even try?
Software needs to be written for reuse (Score:4, Informative)
Big problem here: a lot of software where the functionality could be reused can't be reused because it wasn't written for reuse. It'll have a lot of instance-specific code scattered throughout, for example logging functions that're specific to the system it was first written to run in. The result is it's easier and faster to write it from scratch than to try and remove the instance-specific code from the original source to make it suitable for use somewhere else. An open-source policy doesn't need just a mandate for reuse, it needs a mandate for making software reusable at the time it's written. That, unfortunately, is something any developer can tell you is really hard to get management to agree to.
Re: (Score:1)
Re: (Score:1)
I think one big problem will be NIH - Not Invented Here syndrome. So many guys in the industry, if they didn't write it and it wasn't written by their group, it's crap. Never mind another agency.
We may see *standards* out of this. Standards are wonderful. There are so many of them to choose from.
Source Control (Score:3)
I don't honestly care if the software is open source, use what works best regardless of whether RMS approves or not. What I really want to see instead is publicly accessible document management for the laws and regulations. I want to be able to determine exactly who entered in every single word, made every single edit, and when they were committed to the document. No more "I don't recall who added that" or "I have no idea who made that change". And make sharing a login a felony, so a member of Congress can't give out their login credentials to their entire staff and then disavow personal responsibility. If someone pastes in 5 pages from a lobbyist late at night hours before the vote, I want to know precisely who did it and under what circumstances. Full transparency, right down to the single word or punctuation mark. The technology is cheaply available right off the shelf, they could implement GitLaw across the entire government by year's end for less than they spend on lawyers to defend FOIA lawsuits in a single quarter.
Re: (Score:2)
Scale is important, son. Now go back and figure out how much you'd like to raise your taxes to pay for such a scheme. Get back to us on that figure.
Re: (Score:2)
I assume this is what code.gov will be for.
Bug bounty program? (Score:2)
Hello,
I did not see any mention of a bug bounty program. Is there one? If the federal government would like to not just have its open sourced software reviewed but actually receive reports of bugs, they should consider adding a bug bounty program to encourage programmers to report any errors they find to the federal government, instead of selling it to an adversary.
Regards,
Aryeh Goretsky
Re: Bug bounty program? (Score:2)
No, really is OSS (Score:2)
'Open Source' redefined? (Score:2)
Has 'open source' been redefined to mean nothing more than custom government software being shared with other branches of the same federal government?
'Open Source Software' has reasonable definition (Score:2)
Evil Obama!! (Score:1)
This is not Open Source.. (Score:2)
Unless I'm missing something there, this just requires that code developed for one agency should be available to other agencies. Not that it should be 'open'.
This just sounds like 'we wanna get past licence agreements and not have to pay for it', not 'we want to make our code open'.
Re: This is not Open Source.. (Score:1)
Re: (Score:2)
Clearly doesn't understand the business (Score:2)
This guy clearly doesn't understand how cut-throat and back-stabbing federal contracting is. People will throw you under the bus in a heartbeat if it means they can weasel their way to a contract ahead of you. Hardware is easy to duplicate/copy; software is not. Forcing private industry to give up its intellectual property rights opens the door to well-connected contractors stealing from the little guy.
Obligatory Schlock Mercenary (Score:1)
http://www.schlockmercenary.co... [schlockmercenary.com]