White House Releases Federal Source Code Policy To Help Government Agencies Go Open Source

dwheeler writes: The U.S. federal government just released a new Federal Source Code policy (PDF). For each of the next 3 years, at least 20 percent of custom-developed Federal source code is to be released as open-source software. Earlier this year, Tony Scott, Federal CIO of the U.S. government, wrote on the White House blog that the U.S. government "can save taxpayer dollars by avoiding duplicative custom software purchases and promote innovation and collaboration across Federal agencies." Today, they released the Federal Source Code policy. TechCrunch reports: "The main requirement is that any new custom source code developed 'by or for the Federal Government' has to be made available for sharing and re-use by all Federal agencies. For example, this means that the TSA can have access to custom made software that was commissioned by the FBI. Considering there is probably a great deal of overlap in applications needed by certain branches of the Federal Government, this rule alone should save the government (and taxpayers) a great deal of money. In fact, the policy states that 'ensuring Government-wide reuse rights for custom code that is developed using Federal funds has numerous benefits for American taxpayers.'"

Re: I thought we wanted security

I, the taxpayer, paid for it and demand that it's open. If it gets attacked, it will be fixed.

Re:I thought we wanted security

[dcollins117]

The source code should be secret, which will help keep out hostile countries.

Obscurity is not security. I'm more comfortable looking at a disassembly than I am with source code. The disassembly doesn't lie.

I'm a white hat, for the record. It's my job to help people, not inconvenience or hurt them.

Break-even point?

[namgge]

IME, writing code that is reusable is quite hard. Getting it into a form that using it in another project is worthwhile is costly. It'll be interesting to put in a FOI enquiry in a few years to see whether the benefits outweigh the costs.

Re:I thought we wanted security

[Dutch+Gun]

I'd really prefer that federal agencies be secure against hackers. If they use open source, hostile countries like Iran and North Korea will be able to look for vulnerabilities in the code and more easily hack into the federal government. The source code should be secret, which will help keep out hostile countries. Security should be the primary goal, and therefore the source must be closed.

All this means is that you don't understand software security. There's no guarantee that open source is free of security issues, of course. But at the very least, it does mean that you're not depending on some "secret" in the code to remain secure, which is NOT any sort of security at all.

The most widely used security algorithms in the world are open specifications and have open source reference implementations, in case you aren't aware. These algorithms and implementations can never be proven secure except by their resistance to determined attacks over time, and this can only occur when they are publicly available for researches to work on ways to crack them.

Public money

[phyr]

Public software from public money. The model works well for scientific software at NASA, ESA, CSA, etc.

Software needs to be written for reuse

[Todd+Knarr]

Big problem here: a lot of software where the functionality could be reused can't be reused because it wasn't written for reuse. It'll have a lot of instance-specific code scattered throughout, for example logging functions that're specific to the system it was first written to run in. The result is it's easier and faster to write it from scratch than to try and remove the instance-specific code from the original source to make it suitable for use somewhere else. An open-source policy doesn't need just a mandate for reuse, it needs a mandate for making software reusable at the time it's written. That, unfortunately, is something any developer can tell you is really hard to get management to agree to.

Source Control

[reemul]

I don't honestly care if the software is open source, use what works best regardless of whether RMS approves or not. What I really want to see instead is publicly accessible document management for the laws and regulations. I want to be able to determine exactly who entered in every single word, made every single edit, and when they were committed to the document. No more "I don't recall who added that" or "I have no idea who made that change". And make sharing a login a felony, so a member of Congress can't give out their login credentials to their entire staff and then disavow personal responsibility. If someone pastes in 5 pages from a lobbyist late at night hours before the vote, I want to know precisely who did it and under what circumstances. Full transparency, right down to the single word or punctuation mark. The technology is cheaply available right off the shelf, they could implement GitLaw across the entire government by year's end for less than they spend on lawyers to defend FOIA lawsuits in a single quarter.