Should All Government IT Systems Be Using Open Source Software?

Writing at Linux Journal, Glyn Moody reports that dozens of government IT systems are switching to open source software.

"The fact that this approach is not already the norm is something of a failure on the part of the Free Software community..." One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.... Another is transparency. Recently it emerged that Microsoft has been gathering personal information from 300,000 government users of Microsoft Office ProPlus in the Netherlands, without permission and without documentation.
He includes an inspiring quote from the Free Software Foundation Europe about code produced by the government: "If it is public money, it should be public code as well. But when it comes to the larger issue about the general usage of proprietary vs. non-proprietary software -- what do Slashdot's readers think?

Should all government IT systems be using open source software?

sometimes

"Should All Government IT Systems Be Using Open Source Software? " where it makes sense sure. The primary thing I want government to do is spend intelligently, Open Source is definitely part of that, but don't use open source just because it is open source. I would rather them buy what is most efficient as the primary factor as those public servants are the costly inefficient piece and anything that makes there job slower is really bad for all of us.

Re:sometimes

The problem is that government systems tend to handle all kinds of really important information, and proprietary vendors have shown over the years over and over again that they simply are not trustworthy, and that the people responsible are not up to par WRT keeping them safeguarded.

Evidence? The massive hits by ransomware against various types of government agencies ranging from the NHS to the Alaskan administration, the latter I believe got hit so bad they were considering reverting to typewriters. And this is just the tip of the iceberg of the continual data leakage we never get to hear about.

Making sure the systems run on verifiable code were you don't have to trust external parties should be the starting point for every state run system. That would be intelligent spending. The government has a lot of information on all of us, and by collecting it it also collects the responsibility to protect it. Something which just isn't possible with proprietary software, Microsoft's latest offerings in particular.

Re:sometimes

The problem is many open source projects are also NOT trustworthy. Sure their are some great ones but Open Source ranges in quality from Awesome to dog turds.

Re:sometimes

[mrvan]

I see the same in higher education. There's a number of things we all need (like an electronic learning environment) but we buy it from vendors like Canvas or Blackboard, which is expensive and inflexible. Same for grading systems, scheduling, course guides, human resource, etc.

I think we should have moved to a cooperative structure for these things long ago and all pay into a group that develops the software and then releases it open source. Since this can be decided at the university system level there's less risk of freeriding, and since universities employ a lot of smart people who like tinkering there will be a lot of community contributions.

Re:sometimes

You don't have to trust an open source project, especially not when you have the resources of a national state behind you. It's all out there in the open, you don't have to take anyone's word for anything. All it takes is the actual will to shore things up.

Nobody said you should use any open source project for anything without vetting it. Remember, we're talking about governments here, different ballpark.

Re:sometimes

With the hundreds of billions of dollars available to the US government every year I'm rather surprised they haven't just developed their own OS from the ground up. Something that keeps everything locked down while having an easy to learn interface for the average worker.

Hell, they don't even have to roll it out any time soon. But start WORKING on it with a healthy budget for R&D.

Re:sometimes

'With the hundreds of billions of dollars available to the US government every year I'm rather surprised they haven't just developed their own OS from the ground up'

The current govt can't even get 5 billion to build a fucking wall.

Re: sometimes

Canvas is open source under the AGPLv3 license and the source is on GitHub. They are nearly what you are asking for (a group we all pay into to manage updates and adding of new features). But the rest is a pipe dream. Who has time to tinker with their LMS? Iâ(TM)m a CS prof and I donâ(TM)t do it. Also, the software is necessarily web based, and I donâ(TM)t want somebody adding some patch to the system that brings it down. Better to let IT manage the thing.

Re:sometimes

[Anne+Thwacks]

The primary thing I want government to do is spend intelligently,

Tell me - what is life like in Cloud-Cuckoo land?

Re: sometimes

You over estimate the skills of the government employee.

Re:sometimes

[nine-times]

Honestly, I've come to think that's a bit of a cop-out. If the government can't use FOSS, then I think they should fund the software they need, which should then also be open source.

That may sound excessive, but it's an investment. It accomplishes a bunch of stuff. First, over the long term, it does away with licensing costs. It also allows them to access the source code and verify its security, and then make modifications as needed. Also very importantly, it frees them from proprietary interests. They're not beholden to do things the way their vendor wants and serving their vendor's interests.

Also, whatever improvements they make to the FOSS are likely to be needed somewhere else. Improving public software serves the public interest.

The reality is, buying proprietary software may be "efficient" when looking at the short-term immediate cost, but it's much harder to say what will be efficient and cheap when viewed over the next several decades. I suspect that investing in public software now will pay off several times over in the next 50 years, and that's the sort of timeline the government should be considering.

Re:sometimes

The VAST majority of malware attacks are on the Window's based desktop and file servers that the majority of government employees have on their desks. It's a huge and varied network of networks normally with Windows boxes on the desktops. (And yes, I've been a government employee involved in software development.)

Generally speaking, Open Source software isn't the issue in malware attacks, it's Windows and the large number of attack surfaces that attracts and gives malware a home, and the woeful lack of technical expertise in the management and operation of such networks.

Re:sometimes

[i.r.id10t]

Except Canvas is AGPL licensed.

https://github.com/instructure...

  Sure, you'll loose those nice integrations with Big Blue Button (conferences tool), some of the Speed Grader stuff, the equation editor, the "record from webcam" function in the HTML editor, etc. since those are licensed services or hosted via 3rd party contracts, but you can also replace them yourself.

Strangely, what the college I work for pays for Canvas hosting and support (not a license fee) is about what we paid Angel/Blackboard for license and hosting, but the software is better and our support experience is better AND we get a LOT more resources.

Re:sometimes

'With the hundreds of billions of dollars available to the US government every year I'm rather surprised they haven't just developed their own OS from the ground up'

The current govt can't even get 5 billion to build a fucking wall.

And wasted likely more than 5 billion on the "shutdown" that never was arguing about who was supposed to pay for the wall..

But the problem isn't money, it's politics that drive the money in government. They spend plenty, but how and why they spend isn't really driven by getting the best deal or doing a good job.

Re:sometimes

universities employ a lot of smart people who like tinkering

There was a time that you had universities producing nice things like pine (now alpine/realpine, because the UW stopped development). Nowadays, the smart people have too much work on their hands. Professors have to profess, which means lots of articles and books need to be written. Tech support teams have a lot more on their hands in the era of BYOD and not much more in the way of resources. I used to be a tinkery sort of person, and now I'm busy writing instead, so I have no time to tinker. Tinkering won't get me tenure.

Re: sometimes

The skills are there, or can be hired. The problem is to get the right people to make the decisions rather than the usual stooges and cronies. But that's no different from a private business.

At least, once you get the right people, their interests should be aligned with the organisation and its needs, rather than the supplier. One can only ever have one master, and we all know who gets to call the shots when the best interests of the one who pays the salary gets into conflict with the best interests of the user/customer.

Re:sometimes

[Monoman]

I tend to agree. I see too many schools struggle to keep up with tech when they should be banding together to find solutions and share resources. Those solutions don't necessarily have to be open source.

Re: sometimes

[ranton]

The skills are not there, and cannot be hired, because in most cases the US government does not compete with private industry on salary. While this is theoretically a solvable problem, in practice it isn't. Even the vast majority of private companies cannot compete with large tech vendors for top talent.

Re: sometimes

So much this. Most programmers in the commercial sector aren't that good - you really expect government employees to do better?

Re: sometimes

As a retired costly inefficient public service employee I totally agree. Use open source where it makes sense. In the case of the DOD, I think they should have their own OSs hardened and maintained by a single department. For most other agencies, they should be in the cloud as much as possible and have an agency making sure everything is configured properly. One thing about open source that I found over my years in IT is that it's great until you put it into production. Just because it's open source, you better make sure you have a support contract with a reliable company. Free is not always free.

Re:sometimes

[DCFusor]

But government is all about the next election, like business is all about the next quarter. Wise investing is ancient history.

Re: sometimes

That's a bit of a fallacy you've got going there.

1. Salary isn't necessarily everything that counts. There are plenty of competent people who aren't necessarily mercenaries who will sell themselves to the highest bidder.

2. You're pretending that large tech vendors actually are interested in, and in fact do invest in top talent. A quick look at the reality, however, would indicate that opposite is true; experienced people (e.g 40+) regularly gets laid off, and are replaced by younger ones who are cheaper, less experienced and usually off-shored. Hardly a recipe that is hard to beat, both from a quality and a security POV.

Re: sometimes

Looks like the 40+ crowd is a ripe crowd for government agencies to hire.

Re: sometimes

in the past... (yesterday)... it's time for people to grow a long term brain...

Re:sometimes

Yes yes that all sounds good in theory but in practise you're making a whole lot of assumptions about the ability and will of the government to actually vet and securely develop these open source projects. Realistically they will be as bad, if not worse, than any proprietary solution will be.

In the end it's all going to be run on proprietary hardware anyway so your information is not verifiably safe, it's just ignorant to think that you're getting safety by running open source software on closed hardware.

The problem is that government systems tend to handle all kinds of really important information, and proprietary vendors have shown over the years over and over again that they simply are not trustworthy, and that the people responsible are not up to par WRT keeping them safeguarded.

Neither has the government, problems of data leakage are much more often issues of process than they are of software defects and beyond that the ability of government to manage IT projects in general is a disaster, making them a developer and manager of open source projects is even worse.

And don't even go down the path of "if it were all open source then people would just maintain and fix it for free and everything would be great". Successful open source projects that do operate like that are the exception, not the rule.

Re:sometimes

You don't have to trust an open source project, especially not when you have the resources of a national state behind you. It's all out there in the open, you don't have to take anyone's word for anything.

You don't see the problem with putting it "all out there in the open" for anybody to find vulnerabilities? Oh right, everybody who is looking for vulnerabilities is doing so to notify the developer, provide a fix and increase security. Nobody would ever want to exploit the security of a nation state thanks to them making it easier for people to find vulnerabilities would they? And we all know governments roll out software updates at a rapid rate so all those contributed fixes would be implemented immediately!

Nobody said you should use any open source project for anything without vetting it.

So what open source projects would you say are free of defects and vulnerabilities? What you don't seem to understand is the complexity involved in actually doing what you suggest. Even the Linux kernel, the most widely used and heavily vetted open source project in history is rife with bugs and issues that are constantly needing to be addressed and saying "oh but if it's open source you can vet it" completely ignores the practicality of doing so.

Remember, we're talking about governments here, different ballpark.

Yes, an entity way less technologically competent than your average retirement village.

Re: sometimes

Interesting business proposal. Code audit as a service.

Re:sometimes

[ElizabethGreene]

You don't have to trust an open source project, especially not when you have the resources of a national state behind you.

Pickett county Tennessee, population 5,100, does not have those resources. They are a very important government for the people that live there.

Re:sometimes

I realize you'll probably never read this, but that particular situation is a textbook example of why you need to pool your resources.

The solution is to have some kind of state or nation wide agency, cooperative or what ever you'd like to call it which has the responsibility to provide all these solutions to all the other government branches. The key is to get commercial interests out of the process and to make sure the people running the show is working for the benefit of the system, not their commercial employer.

Re:sometimes

You don't see the problem with putting it "all out there in the open" for anybody to find vulnerabilities?

Strong opening you've got there mate, already grasping for straws in your first sentence. First of all, the GPL is a distribution licence. You don't have to distribute your changes as long as you don't distribute your derivative outside your organisation. BSD you don't have to distribute at all, period. Not that I see a problem with contributing back though.

All the vulnerabilities are out there for you to find. Doesn't mean they are all there for everyone else. Vetting, remember. Finally, at least you can find them, unlike with proprietary software where you never know about a problem until it bites you in the ass. That's not any better.

Oh right, everybody who is looking for vulnerabilities is doing so to notify the developer, provide a fix and increase security.[yadda, yadda]

So, you're advocating security by obscurity, which isn't security at all. Not to mention that you'd have to be able to trust the suppliers, which reality shows you can't. Proprietary software is poisoned from the get go. Fail.

It doesn't matter how you slice it, open software is just better from a security POV, since at worst, you're no worse off than with proprietary software. Windows itself is a first class example of that closed source doesn't prevent anyone from finding flaws and bugs. Have you been living under a rock the last 30 years? All your flailing argumentation shows is that you're utterly clueless.

So what open source projects would you say are free of defects and vulnerabilities?

None, that's why I'm suggesting vetting anything that goes in. The point isn't that it's flawless, it's that it's better than the alternatives.

Even the Linux kernel, the most widely used and heavily vetted open source project in history is rife with bugs and issues

As opposed to Windows, which is what everyone is using ATM? The same Windows which has shown itself to be a massive target for malware, ransomware, viruses and spyware, over and over again over the years? You're suggesting Linux is worse than that? [Citation needed]

Yes, an entity way less technologically competent than your average retirement village.

Thanks for showing us your ignorant and arrogant stupidity again.

Re: sometimes

This has nothing to do with a product being comercial or open source, and more like the systems that aren't well configured to begin with. Time and time again I see implemented software or hardware with the default password/settings because it's easier to remember.

Defaults are just a easy way to start using the product to configure it for usage in the production environment , not to start using it right away as it is.i dare to say that most security breachs are due to bad configurations, outdated systems (patch management, legacy systems) and companies cheaping out on a few cents for better products or hiring people to property configure and maintain them.

What companies fail to realize is that IT is no longer a luxury, it's a necessity but with these new necessities there's new challenges for example a internet enabled toaster it gets all the benefits of a IoT device but also gets all the security issues that any device connected to the internet has, and we fail to act accordingly.

Re:sometimes

Moodle is a (non perfect) Virtual Learning Environment under GPL license and has 147 million confirmed users
https://moodle.net/stats/

Re: sometimes

[ranton]

1. Salary isn't necessarily everything that counts. There are plenty of competent people who aren't necessarily mercenaries who will sell themselves to the highest bidder.

I must have hit a nerve there. While there are plenty of people who can command $250k in the marketplace but are perfectly happy making $125k, they are very rare. I haven't found any, but I'm only a couple decades into my career. I have found many people content with $125k who could make $150k elsewhere (one even works for me) because they like the company, team, location, etc. But the chasm between what the government tends to pay and what private industry does is far too great.

The government is filled with big fish small pond types, like many small companies. That is far different than the big fish big pond types you will find at large tech vendors.

2. You're pretending that large tech vendors actually are interested in, and in fact do invest in top talent. A quick look at the reality, however, would indicate that opposite is true; experienced people (e.g 40+) regularly gets laid off, and are replaced by younger ones who are cheaper, less experienced and usually off-shored. Hardly a recipe that is hard to beat, both from a quality and a security POV.

Large tech vendors, and large consulting firms, are not made up of 100% top talent. Probably not even 20%. They are filled with younger "worker bees" who have very high turnover. But these companies still have the lion's share of the top people in the industry.

And even the rest of that talent in the field is getting the rare technical architect, director of IT, etc. jobs at large private companies outside of the tech industry. They still aren't making their way into government for the most part.

Re: sometimes

The major problem is NOT about skills. The major problem is politic. Many people who are higher up have NO IDEA about digital security or have very little knowledge about it. These people are the ones that keep steering any process or operation to a wrong way. As a result, nothing gets done correctly or never gets done at all.

Having skills or not is irrelevant because those who have skills can't do anything and would be very frustrated in the position. Those who don't have skills are there just to fill in the positions.

Re: sometimes

More funny reasoning.

People will not accept lower wages but better job security and other less tangible benefits, because they could earn top talent wages were the top wages go to less than 20% of the workforce, and the rest is treated like crap with a huge turnover? Not to mention they might already have been kicked out of it once because they were "too old"? And these businesses have the lion's share of the top people? Gee, I wonder why since the alternative ATM is zero. I'm sorry, you make absolutely no sense, you're actively contradicting yourself.

Besides, what I'm arguing for has a very limited need for these technical architects etc. It's about vetting and perhaps to some extent fixing the open source alternatives which already exists. Not embarking on new, large and ambitious projects. The biggest project no doubt would probably be to tie it all together, but I'm sure the people needed for this can be asked to work directly for the government rather than for someone else's business on the same project. This is a small project will less specialized people than say, making an atomic bomb, and that got done.

Re:sometimes

Strong opening you've got there mate, already grasping for straws in your first sentence. First of all, the GPL is a distribution licence. You don't have to distribute your changes as long as you don't distribute your derivative outside your organisation.

So the government is going to use open source software but you won't be able to see it, why does it matter if it's open source or not then? Governments around the world already get source code access to even the most closely guarded software packages like Microsoft Windows so if the government isn't going to release the source of what they're using then what's the point?

Vetting, remember. Finally, at least you can find them, unlike with proprietary software where you never know about a problem until it bites you in the ass.

No, you are confused. Governments already have access to the source for even MS Windows, they already do vet that.

In addition Microsoft has source access agreements with NATO and also with the EU.

So, you're advocating security by obscurity, which isn't security at all.

Actually you're very wrong if it is easier for white hat hackers to find bugs then it is also easier for black hat hackers to find bugs, I know that's an uncomfortable truth for FOSS advocates but the fact that it makes it easier to find vulnerabilities means it's easier for everyone to find vulnerabilities.

Not to mention that you'd have to be able to trust the suppliers, which reality shows you can't.

Wrong again. Governments have access to most proprietary software source code of the packages they use, even Windows, so no they do not have to trust the suppliers at all because they can vet the software.

So what open source projects would you say are free of defects and vulnerabilities?

None, that's why I'm suggesting vetting anything that goes in. The point isn't that it's flawless, it's that it's better than the alternatives.

The government can already vet what is going in, you really have no idea about what the government has access to.

Even the Linux kernel, the most widely used and heavily vetted open source project in history is rife with bugs and issues

As opposed to Windows, which is what everyone is using ATM? The same Windows which has shown itself to be a massive target for malware, ransomware, viruses and spyware, over and over again over the years? You're suggesting Linux is worse than that? [Citation needed]

No I am not suggesting that, you are again very confused. I am pointing out that it is no better. You're showing your ignorance by then going on to compare a kernel to an entire operating system to which the equivalent would in fact be a specific Linux distribution. But if you're comparing open and closed systems then what citation do you have that demonstrates than a Linux distribution of your choice is more secure than say macOS?

Re: sometimes

[ranton]

People will not accept lower wages but better job security and other less tangible benefits, because they could earn top talent wages were the top wages go to less than 20% of the workforce, and the rest is treated like crap with a huge turnover? Not to mention they might already have been kicked out of it once because they were "too old"? And these businesses have the lion's share of the top people? Gee, I wonder why since the alternative ATM is zero. I'm sorry, you make absolutely no sense, you're actively contradicting yourself.

I'm not sure what is confusing you. If any worker in question cannot make top wages (because they aren't in the top 20% or whatever), sure they could be convinced to work in the public sector. But they couldn't command the top salaries because they weren't the top talent. The government can probably get plenty of ex-Google/Facebook/etc workers, but not their best and brightest. Those individuals are either still at the top tech companies, have started their own private companies, or are working for other well funded private companies.

This is a small project will less specialized people than say, making an atomic bomb, and that got done.

If the government treated any single project with the importance of the Manhattan project, I'm sure they could get the funding to gather the best and brightest and would accomplish as much as any private company could. Probably much more, since profits wouldn't be the primary motive. But that is not how the vast majority of public projects are run. In fact the Manhattan project and moon landing may be it. Today the government would most likely license private companies and contractors to do that work, since they can justify paying a private company $100 billion much easier than they can justify paying individual government employees $500k/yr.

Re: sometimes

The point is that you don't need top talent for a project like this, or at least comparatively little of it. Look at the Linux kernel; do you think everyone contributing is a rockstar?

I'm pretty sure we could find a decent amount of competent people if we looked in the ranks of ex IBM or HP employees, for instance. There would probably be a fair few of them who would be happy to accept an offer that didn't turn into a pink slip for age-reasons. No reason to chase the script kiddes at FB.

Your final issue I've already alluded to

The problem is to get the right people to make the decisions rather than the usual stooges and cronies. But that's no different from a private business.

Hence the current situation. The problem is the lack of will to fix what is actually an untenable situation. Third party entities and should not have any control or access, direct or indirect to data or systems that isn't theirs to begin with. You claim it can't be done for technical and practical reasons, I say neither of those are real showstoppers. Rather amusingly, after all these disagreements, we both seem to agree that the real problem is more political than technical.

The lack of understanding of the long term consequences, the built in conflicts of interest in having commercial interests, controlled by people whose integrity is questionable at best. The indoctrinated, superstitious belief in the efficiency and capability of the commercial entities (despite the many, many, many real world examples of the opposite). All of that, combined and deeply rooted into mindset of those who should be responsible for the security, reliability, availability or even unavailability of the systems. There are the real blockers in my mind. Everything else seems quite possible.

Finally I'd like to repeat that the reason we're having this discussion is that I pointed out that it's the only way to resolving conflicts of interest associated with commercial actors, re-asserting control over the information stored in the systems, and ensuring the system is trustworthy, something which is as essential as it is impossible with proprietary software.

You might endorse that or not.

Re:sometimes

Lol, retard is retard. Just read the news. Fat lot of good all that access to the magical Microsoft sauce had done the NHS, or the poor Alaskans who had to dig out their typewriters again.

Crawl back beneath that rock you've been spending your life under until now. It would make the world a better place. Thanks.

Re: sometimes

[ranton]

So it appears we aren't that far off on our opinions, and the difference is basically that I have less confidence in the government being able to access the personnel to ensure systems are trustworthy (regardless of open source or closed source). And I think the main reason we differ is you believe it doesn't take as significant level of expertise to do that as I do, which is basically just a judgement call. Nothing to really argue there except an agree to disagree.

Finally I'd like to repeat that the reason we're having this discussion is that I pointed out that it's the only way to resolving conflicts of interest associated with commercial actors, re-asserting control over the information stored in the systems, and ensuring the system is trustworthy, something which is as essential as it is impossible with proprietary software. You might endorse that or not.

I would like to add that private companies perform audits on other private companies of their IT systems all the time. I work at a financial services company and we go through multiple audits per month by our partners, investors, and regulators. There is nothing stopping government officials from being able to view proprietary code theoretically, although in practice it is unlikely in most cases. Just like it is unlikely for government (or private companies for that matter) to thoroughly review the code of any open source solutions they use.

But it certainly isn't impossible to have a higher level of transparency with proprietary code than your average retail user. It just depends on what they work into their contract.

Re:sometimes

They would hardly be any better off with Linux given the at least 3 known privilege escalation flaws in systemd. Clearly you can't refute any of the points and nor do you have any knowledge of all the known vulnerabilities that exist in open source software.

Fat lot of good all that access to the magical Microsoft sauce had done the NHS

Yes as I said the government lacks the ability to properly vet the source code even when they have it so open source is of no benefit.

Re:sometimes

Fat lot of good all that access to the magical Microsoft sauce had done the NHS, or the poor Alaskans who had to dig out their typewriters again.

So first it was "The government needs to be able to vet the code!"

Now you've changed your tune to "There's no point vetting the code!" lol

Re: sometimes

The people getting the pink slips based on age ARE NOT the people you want. The skilled individuals do not ever get those. If it is someone that is considered expendable enough for those companies they are not the talents you need.

Re:sometimes

There is code access and then there's code access.

They are not necessarily the same. One is free, automatic and unfettered. The other certainly isn't. Code access does nothing for you if you're not allowed to fix the code and distribute the fixes within your entire organisation, all branches, everywhere, no fuss, no muss. For instance.

And that's leaving the ethical issue of even in your dream scenario where governments given free access to the code, and are free to distribute the fixes aside... I doubt that any business would pass up on the possibility to in return demand full rights to these fixes, and then suddenly you have government employees working for a commercial entity for free. I doubt that would be even legal.

But I guess that's too much for you to take in since you've clearly demonstrated that you do not understand neither the formulated nor the associated problems.

NO

Just because it's "open" doesn't mean it belongs to the goverment or the public.

It belongs to those that created it :)

Re:NO

If you leave your couch out on the street, it belongs to everyone or anyone, not just you.

Re: NO

The concept of free software in terms of freedon to share in the public domain, zero ownership and also freedom from government control means that truly free software is not the same thing as the current 'open source' licensing models such as GPL and BSD which include specific legal protections to ensure that the sources must be kept open and distributed along with any binaries and the license itself.

Re: NO

Although the differences are small between free software and open source software, they are important. Personally I think all software should be free, including those used for government systems but the challenge is that some proprietary closed software is useful and controlled by very large and powerful companies who lobby the government and provide significant incentives on support, volume licence agreements and education. Until more of the business world stops using Microsoft Windows and Office then governments will continue to be locked in too.

Re: NO

Not if Creimette is on the couch. Still my couch at that point.

Re: NO

yeah right, free as in Microsoft and IBM get to use your code for free, suckers! Open source turned out to be just more libtard propaganda.

Not "Open Source" but "Free Software"

[Casandro]

Just having the sourcecode of software doesn't mean much. Quite some governments have access to source code of proprietary software. What is more important is the freedom of software to be used and changed by anybody for their own purposes.

Re:Not "Open Source" but "Free Software"

Just having the sourcecode of software doesn't mean much.

Open standards yes, since you avoid lock in. Open source maybe. Does it save money over the long term? Assuming that government has to in part improve the OSS to use it, does the cost benefit ratio make sense? It is fair game to factor in the improvements that other people in the country will use. Basically do the math.

 

Re:Not "Open Source" but "Free Software"

Open standards yes, since you avoid lock in. Open source maybe. Does it save money over the long term?

"Millions for defense, but not one cent for tribute."

This isn't a question of efficiency. It's a question being able to know 100% what the government is doing. There are proprietary breathalysers that sent people to prison and then turned out to be buggy. The manufacturers wouldn't let people see their source code so the defendants will often have never found out about this. If your town is not having it's road built because the Office356 regression function has a bug you will never be able to see that.

For democratic control you need both open (so you can see inside) and free (so you can test it) software.

Re:Not "Open Source" but "Free Software"

[l0n3s0m3phr34k]

If the risk assessment shows green, then this stuff would be in the federal enterprise more. When it's for federal purposes, support is one of the most important aspects. And I'm not talking about "jump on Stack Exchange and post a question", but the 3:00AM hyper-visor heartbeat failure that by 7:00AM has corrupted several critical VMs. I can pick up the phone, and have an expert team swarm down (virtually), and fix the problem, get the VMs back online, etc. Most government offices don't have large IT staffs with esoteric Docker knowledge and capabilities to troubleshoot the intricacies of such systems.

How robust are industry-standard baseline configurations? For DoD-ish systems, do DISA STIGs exist for said software? Has it been thoroughly vetted under NIST's various 800 publications? More important, can the end user effectively use open-source desktop software without major training? Can the agency obtain support techs who can also pass background checks?

For a smallish company, these aren't issues. For large enterprise critical federal systems, this is just the tip of the iceberg. Outside of systems like RHEL, very few open-source products have the required vendor support capabilities that are regulatory mandated. Fedramp, 800-53, 800-171...is a whole different ballgame.

Re:Not "Open Source" but "Free Software"

What's the cost of not knowing what your system actually does, and having zero control over it? Is it even remotely reasonable to give a separate third party, which has shown itself to be unreliable multiple times in the past no less, the keys to the kingdom in the name of "cost"?

There is more to the equation than just pure monetary terms.

Re:Not "Open Source" but "Free Software"

Having access to source code is not the same as have either a group of people or a person who can really check it for bugs. If source code was the panacea that you Linuxtards are purporting to make it out to be, why are there bugs in applications and the kernel?

I am sure that all of the small business's out there who are falling for the FOSS BS would be willing to hire a "expert" to search the source code for "issues". So you expect a small business of say 10 people to go out and get a FOSS office suite, a calendar/scheduling package, backup package, monitoring package plus custom applications created for the business itself. One person, or even a small team, to coordinate all of these "things" and I haven't even brought up the idea of supporting corporate desktops, servers, routers, firewalls, phones etc. etc.

You people are living in a fantasy land. IT infrastructure is not just a simple "Let's just change to Linux and shaft Microsoft/Apple/Google/Amazon". Just what happens when a bug in your "free software" takes down your business and your employees 401K and your fleet and the rent you have on your building. Do you go after the pimple faced prick you hired for shit wages or do you want to have a real fucking contract with a reputable company to deal with.

You fuckers are not very good business people. Just because you use Linux/FOSS does not mean you are superior to other businesses.

No

Let me know when there is a decent OSS groupware out there. There's parts of government that still cling to Lotus Notes (shudder)

Considering how utterly Shiite Propietary software

Has become, I’m surprised the switch hasn’t happened earlierly.

It seems most proprietary software preempts the end-user or administrator in a myriad of ways, knowing “better” at best (I grew up luckily in an era where computers still took direction) or is just malware/spyware/adware at worst.

Which is why I loathe smartphones so. Such great potential. So utterly wasted. It’s a shame what the net turned into as well though.

Who develops it?

[Skinkie]

Recently a Gartner report on open source in The Netherlands made an interesting case why with the current legislation the Dutch (and likely European) governments could not contribute to open source software. Governments may use it, but a software developer disguised as civil servant must never be provide patches or features back to the open source project, nor is the government allowed to publish their work in public, publication should be strictly limited to other governments. This would be prohibited due to unfair competition with software suppliers that build closed source software not having the advantage of government support. Now the case of no-vender-lockin still remains, but unless we first change these kind of laws, harnessing the true power of open source: collaboration, is legally not possible.

Re:Who develops it?

[stooo]

>> unfair competition

That's B.S.
The thing about free Open source software, is everybody can use it under the exact same conditions.
So it's fair, because that same company can just sell it also.

Re:Who develops it?

Citing Gartner, lolololol. Gartner says whatever Microsoft and friends want them to, they have been the joke of the industry for decades.

Re:Who develops it?

[Skinkie]

Considering the following real case. The City of Amsterdam created a new CAD plugin allowing to the export to contain all properties required for a government exchange. Everything they had seen on the market had issues, hence they developed something new. Other municipalities started to use this software, and one of the commercial suppliers of a competing plugin was not amused. Here the government puts in resources to compete with a market activity - even if they completely hate the product - the proper way to solve this is via a tender, which can obviously request all software assets to be available. The currently legislation prevents unfair competition by provision costs, hence the development costs (labor fees of the civil servant) should be balanced over all private users, unless legislation is made to prevent this. For open data this is for example the European Public Sector Information act.

Re:Who develops it?

[stooo]

>> the proper way to solve this is via a tender
Nope. That's the old way from the last millenium for governments to waste money. Welcome in 2019.
Still, the field is level, the commercial companies can pick up the FOSS and sell it with good support. Everybody wins, it's good for fair competition.

Re:Who develops it?

[El_Muerte_TDS]

That Gartner report is, obviously, quite pro-for-profit. According to the summary contributing to OSS is not allowed due to the requirement by law to be able to charge somebody for the made costs.
The made costs are listed as (time spend on):

1) Making code readable.
They agree that readable code has it's benefits either way. But making code readable for temporary solution is not. They forget the principle that nothing is more permanent than temporary solutions.
2) Performing security audits
Security through obscurity reasons.
3) Community support
You need to build and support a community which you need to control with an iron fist. Otherwise the community might go into a different direction. (i.e. fork your project).
No mention that if you contribute back to OSS you don't need to curate a community.
4) Community support
Basically the same reason. You need to spend time on processing community feedback (like bug reports/fixes).

They also fear reputation damage for low quality code :) Reputation damage, for a government... They should hide that the government in run on terrible code.

But what if the Government would pay a company to do all the above things? That's where the weird "unfair competition" comes to play. Requiring the work done to be made OSS is unfair to the companies which do not want to do that. (But now allowing small companies to bid on the tender isn't an issue)

Re:Who develops it?

[Skinkie]

Requiring the work done to be made OSS is unfair to the companies which do not want to do that. (But now allowing small companies to bid on the tender isn't an issue)

The government is allowed to set requirements on what they want to receive, and how they want it be be delivered. So technically speaking they can request a can of developers for 10.000 hours, and want to have a fair price in a tender for that. Or you can ask for a software license to allow you to do this and that. Hence if a solution company does not want to deliver such, they will not participate in the tender, but they have been allowed to participate and with a lot of experience might have been able to do so under a reduced cost (much experience in the field, able to reuse previous work). Less money spend is good for the tax payer. But this would still only be able to be used inside the government. Because there is a limitation a public body could act as a private body by the legislation of competition. Imagine the government buying all ground, developing real estate, there couldn't be any competition. The article is about should government require open source software to be independent of suppliers. There are quite a lot of examples where government software development is not about the next "Office" software but in CAD, geospatial, photogrammetry, simulation, urban planning where this software might benefit others. If the government would build a new OS-kernel we would likely all agree this is stupid, what about a competitor to ArcGIS/QGis?

Re:Who develops it?

There are parallels in the construction industry. One of the difficulties of comparison is the way buildings are not copyrightable but the design documents are. Is the open source code considered a design document, or the end product? Still the documents are archived and the updated designs archived as the building evolves. The government regulates, inspects, controls, audits and buys design and construction services. But they don't design or construct new buildings in the normal conditions.

So the government could run a static analyzer over the code, for example, and notify the detected issues to the developer but not fix them by themselves.

Another issue is as the organizations become "digital", or are using software for organization and collaboration, a government using such software has to operate within the law as much as before. There has to be a way to verify that the code implements the processes as the law prescribes like in the "analog world" where there are documents related to private and public meetings, public announcements, legal texts and data. The processes implemented by the code has to be auditable by the relevant parties to enable the citizen to complain or legally challenge them. Governments change their processes all the time, like everybody else.

There are either two separate cases here, or the golden age of end-user-programming is just coming around the corner.

Re:Who develops it?

[markdavis]

>"Here the government puts in resources to compete with a market activity - even if they completely hate the product"

Another way to solve that is for the government agencies to pay COMMERCIAL companies to develop the FOSS code that is needed. Then the tax money of the people is not used against the commercial sector. It supports it AND provides FOSS code that reduces later costs and provides options to other government entities AND the public, which lowers taxes and provides more services. It also prevents lock-in AND allows for more companies to provide support AND supports open standards AND supports transparency. To me this seems like a win-win-win-win-win situation.

Re:Who develops it?

[Skinkie]

I totally agree. And that is why tenders with smart requirements are loving this.

Re:Who develops it?

[drinkypoo]

Other municipalities started to use this software, and one of the commercial suppliers of a competing plugin was not amused.

The city wasn't amused by the incompetence of the commercial supplier.

The currently legislation prevents unfair competition by provision costs,

There is no unfair competition because the commercial vendor is free to distribute the open source product as well.

Re:Who develops it?

[epine]

One can choose to view small patches as extremely crisp bug reports. Governments don't charge the private sector for bug reports (governments generate bug reports by the thousand almost entirely at their own expense).

And what about the case where government contracts out to the private sector to have a new module developed for a large, open-source framework, with the bidders informed in advance that the source code will be contributed back to open source so as to protect the government's future interests?

That's not unfair competition. That's merely a diverse and effective ecosystem, in which the government is free to control public expense by any means available.

Re:Who develops it?

[hellopolly]

Dutch governmental institutions are allowed to compete against commercial companies as long as they:
- Account for all cost
- Do not make misuse special governmental privileges. For example the government cannot use a loan that has better conditions then a private party could obtain.
- Do not gain advantage out of data use. You cannot use data that a commercial party would have to buy or cannot access.
- Individuals do the work should not have regulatory responsibility that may cause conflicts of interest.

So as long as those requirements are met the people that are writing the software account for their hours, and the cost is administrated properly, there is no problem

All IT systems should be using open source softwar

[stooo]

>> Should all government IT systems be using open source software?
All IT systems should be using open source software.

Right solution for the problem, what's wrong here?

[bogaboga]

..."If it is public money, it should be public code as well..."

No, dude...

"If it is public money, it should be public code as well only if it works and does work well..."

But I am almost embarrassed to say that in my little world, apart from the browser, open source desktop software sucks big-time. It just does not cut it.

One has to "fight" with a situation where you have the same library named differently, installed in different locations, installed with older versions of the same depending on distribution...The arrogance in the open source world simply makes matters worse. Who has the time for all this nonsense?

Re: unrealistic

And if the open source thing is abandoned, you have source code so no problem right?

Actually, wrong...

Yes.

[MessageDrivenBean]

Next question please.

Re:All IT systems should be using open source soft

And all OS software should be well documented and developers should continue to support it while there are users.

No, but only b/c government should not exist

The question should rather be so long as government does exist should it be mandated that it use free and only free as in libre software. Governments are a threat to the rights and dignity of the people. They are the use of force and any violent action against a non-violent individual is unconscionable up to and including theft of funds or property (fines) and kidnapping (imprisonment). It does not matter if it is a boarder guard restricting ones travel or a speeding ticket. Both are acts of aggression against what are under normal circumstances peaceful people. That should end. No matter what your argument is for taking other peoples money [outside of a violent act in self defence] the ends do not justify the means.

Re: No, but only b/c government should not exist

Uh, whut?
I suggest you test that theory in Lebanon, Sudan, Somalia... the list goes on. Ask someone whether they prefer FOSS or closed source in their government. You'll typically get a response along the lines of "What government?" and "What's software? Does it come with a bag of rice so I can eat this month? Will it keep my family from being shot for no reason?"
Come out from under your rock... without a government that enables a transactional relationship with its businesses and citizens, there's no reason to run it with any kind of software.

Not a failure of open source community, but greed.

The software has been more than good enough for a decade, or more if you have actually competent admins.
Not admins and users that are mentally stifled by having been treated like morons and unable to adapt their software to their actual needs for decades. Who had to settle for the dumbest common denominator, and eat whatever is put down their throat. (Yes, Windows 10 and macOS, I'm talking about you. Oh and don't think I forgot you, Gnome. You too.)

E.g. writing a shell script that gets triggered by a shortcut or udev or cron etc, should come naturally at least to the admins (who should be able to do it in their sleep), if not to the users. IMHO, current GUIs (but not GUIs per se) are considered harmful.

The failure has been, as always, in curbing the treason (aka "lobbyism") that drives deciders towards wasting money on for-profit imaginary "property" organizations instead of getting a fair deal for something made efficiently.

Also, closed-source software is a huge security risk, as security is incalculable by definition. And the constant drive to keep adding things to half-assedly justify making further money only makes it worse. Especially when combined with the death spiral of dumbing down that happens, when companies always want to make it "simpler" for users, but the dumbest users are the most vocal that they listen to, and if it's made easier, will just slack off even more and become even dumber, demanding to be spoon-fed even more... until you end up with today's UIs that are so "simple" that they are horribly painfully cumbersome. (E.g. the lack of being able to script/automate some repetitive task away forever, which would actually save time.)

The advantages of teamwork over a dog-eat-dog anarchy is the entire point of having a state and a government. That is also the key advantage of open-source over closed-source software. It's a human thing, dear lizard brains.

PROTIP: We are part of "the market" too!

Yeah, the commercial offers sucked. And the market decided. For a better product and a better deal. Made by the "corporation" called "government", which is the "corporation" that we're all shareholders, employers and employees of.

The commercial suppliers simply hated an actual free market (and especially it balancing itself out). Like apparently all corporations and businesses without exception always do. Because they prefer unfair competition, but only if it's them doing it, e.g. in the form of a monopoly (even imaginary ones on imaginary property).

I think in the long run, FLOSS will win over all closed-source software. As an egoistical sole company simply cannot compete with everyone teaming up to make something free and libre. It's why social species succeed over everyone-for-himself species. And the imaginary property delusion won't last forever. People are gonna want to only pay for actual work, not for mere copies or mere profit, since they had to actually work for their money too. They only don't right now, because they have no choice, and because those who steal their money wrote laws and propaganda that became the cultural norm in some sad parts of this planet.

Re:PROTIP: We are part of "the market" too!

[Kjella]

Yeah, the commercial offers sucked. And the market decided. For a better product and a better deal. Made by the "corporation" called "government", which is the "corporation" that we're all shareholders, employers and employees of. The commercial suppliers simply hated an actual free market (and especially it balancing itself out).

That's like saying that if the voters voted for universal healthcare it's a free market solution. Heck, it would make communism a free market solution. It's totally okay to say that the free market doesn't always deliver and that you're sometimes better off funding it through taxes so you don't have to worry about revenue, margins and profits. It's called socialism, look it up.

Re:PROTIP: We are part of "the market" too!

Yeah, the commercial offers sucked. And the market decided. For a better product and a better deal. Made by the "corporation" called "government", which is the "corporation" that we're all shareholders, employers and employees of. The commercial suppliers simply hated an actual free market (and especially it balancing itself out).

That's like saying that if the voters voted for universal healthcare it's a free market solution. Heck, it would make communism a free market solution. It's totally okay to say that the free market doesn't always deliver and that you're sometimes better off funding it through taxes so you don't have to worry about revenue, margins and profits. It's called socialism, look it up.

Why didn't you read through the whole post of the AC instead of pick a part and make a comment? As a result, you are slanting the point to support your own agenda.

The AC said that big corporations (not government) will cry foul when the rules don't apply to them by using unfair competition laws. But when they can monopolize the market, they never said or mentioned anything about the laws. And that's how the "free market" works nowadays in the country.

The AC however made a conclusion that overall FLOSS will win in the end. This may or may not happen, but it is a made up from the AC's logic. To me, most people would prefer free and libre, but the result comes with as much abuseable/exploitable as closed software. However, using closed software is an easy way out to push responsibility to the vendors.

Re:All IT systems should be using open source soft

[Bite+The+Pillow]

Nope, Windows is not open source, but users and developers are cheaper. I'd rather not pay the taxes needed to support all OSS.

In an ideal world where faries get you off daily? Sure. But in reality, no.

Re:Right solution for the problem, what's wrong he

[Bite+The+Pillow]

I've not had this problem. But I have not used anything other than Windows for most of 26 years. Every attempt, no library issues.

Of course I gave up each time so it was not long lived. So what are these libraries?

Yes, anything else is insanity

[gweihir]

Sure, everyday insanity that is prevalent in software selection, but insanity nonetheless. The waste of money and the sheer dependency on a single or small number of companies is not acceptable.

Re:unrealistic

[gweihir]

That is nonsense. Nonsense often repeated, but still untrue.

Unfair competition

And this "unfair competition" doctrine is the result of years (decennia!) of neoliberal lobbying. Why should be a government be prohibited to do what's best for its citizens and cater first to corporations which, in return try to avoid taxes as "cleverly" as they can?

I mean: corporations /can/ be the government's allies in fostering the citizen's well-being, but they can be also its enemies. It should be up to the government to decide when and how.

Lobbyists should be scrutinized much more closely. IMO half of them should be in jail, along with the politicians listening to them (the latter are worse).

Re:Unfair competition

'And this "unfair competition" doctrine is the result of years (decennia!) of neoliberal lobbying. Why should be a government be prohibited to do what's best for its citizens and cater first to corporations which, in return try to avoid taxes as "cleverly" as they can?'

Prisons are washing thousands of tons of hotel bed-wares every day, thereby being unfair to those businesses too, but those don't have any lobbyists.

Re:Unfair competition

[Required+Snark]

Exactly. It's not a level playing field, it's biased in favor of corporations. Because Politics!

It's not about the best tool or what is most cost effective, it's about lobbyist and the revolving door. When managers don't even consider the open source option they know a job may be waiting for them when they leave government service. That's how the Military/Industrial complex works. As for lobbyists, if there is any talk about open source it's certain that the campaign contribution tap will open wide.

As for all the whining "what about support!!!", that why it's call OPEN SOURCE. There's nothing stopping the government from either having in house support staff or paying a vendor to provide support. Does anyone think that paying Oracle or IBM rates for support is less expensive then going to the open market? Paying for bloated corporate costs is a form of hidden taxation that skips the middle man and put tax dollars directly in the pocket of Larry Ellison so he can buy his next generation billionaire yacht.

One forgotten cost -- suppport

[CaptQuark]

One forgotten cost when using open source software is support. Every time an open source project adds or removes features it prompts a surge in support requests from users. Firefox is one example. When Firefox removed support for legacy add-ons everyone wanted to know how to replace their lost functionality. The removal of bookmark descriptions instead of just limiting their size caused another rash of questions. The removal of the Never Check for Updates means that every user is nagged to update to the newest version before it can be tested and rolled out in a controlled manner. Multiply these kind of problems to other OSS products for document processing, PDF, compression, graphic editing, multimedia playback, etc. and the support costs grow greatly.

Another problem with OSS is who do you call for tech support. Most OSS products have limited support for enterprise level problems. Many software packages STILL require a user to run in administrator mode to work properly. Saving user preferences in the Program Files area still happens in some software. Every software package that displays the infamous UAC warning will cause support problems in a managed system. Software packages that use the Windows Temp folder for some intermediate file use will be blocked by some anti-malware software. Who does a company contact to fix these types of problems? To be fair, some of these problems are still present in proprietary software.

Part of the appeal of OSS is the price; however, most people forget that part of the cost of retail software is the built-in cost of maintaining a support center, normally with a 1-800 number for question, or at least a knowledge base system to reduce the cost of support phone calls.

--

Re:One forgotten cost -- suppport

[l0n3s0m3phr34k]

Every new feature must also be evaluated if it makes baseline configuration changes. The software also needs to be able to have granular controls, and allow IT staff to BLOCK any upgrades that aren't vetted and authorized.

At my work, we are having to implement AppLocker and other mitigation because one of our core "business critical" applications needs Admin to run. And this is a paid-for application that has been around for many years, with a very deep support structure; but getting them to be 800-171 compliant has been like pulling teeth. We may have to also VLAN off the users who need PUA for this application, and even then on our next audit we may have several "findings" because of this.

Re:One forgotten cost -- suppport

[serviscope_minor]

most people forget that part of the cost of retail software is the built-in cost of maintaining a support center, normally with a 1-800 number for question,

We're talking about large organisations though. I've never encountered a large organisation that wants you to call some vendor's support. They expect all IT support stuff to be handled through the organisations IT department.

Re:One forgotten cost -- suppport

[jythie]

Large and small though. The US government is huge, but it is made up of nearly uncountable groups, institutions, and offices, some of which are pretty tiny.

Why are these headlines so binary?

Why does it have to be all or nothing?

They should use what ever software best suits their needs. Each case taken on its own merits.

Re: Why are these headlines so binary?

There is an idealism behind open source, not much can be said for closed source. That's why it's binary, because open source is known ideal, and closed source will always have a flaw you can't fix, no source code. While every other aspect of Open Source can be improved upon.

+1 for open source, open government

Re: Why are these headlines so binary?

Software philosophy much like religion has no place in government.

Re: Why are these headlines so binary?

That sounds like a software philosophy there, so therefore by that philosophy, not for government.

FOSS should be the only code used in government.

As a stepping stone, open file formats.

IT information technology

[pigsycyberbully]

The antisocial man in the cupboard who finds it hard to interact with human beings and tells you the system is down because he is rebooting does not understand Linux.
Most libraries in the U.K. use a tiny box and on that tiny box is a Ubuntu Linux desktop with a ugly menu on the side of the screen and the screen monitor is the only thing that is full-size. Everybody says "it is cheap shit" including the man in the cupboard.

The NHS they have multiple men in the cupboard also but he they are not constantly masturbating to pornographic images on the Internet. He they just makes it impossible for everybody else to browse the Internet. He they use Windows. And all the staff use Windows XP, or Windows 7 home edition?

Nobody uses a Linux desktop because Linux desktops life-cycle is too short. And update manager can destroy a Linux desktop customised work programme in one strike where Microsoft would not dare.

The multi-million pound begging charity organisations use windows with a Godaddy domain name and some man in the cloud runs their system they just click with their desktops.

A Linux desktop is absolutely useless unless you are using LibreOffice and do not need anything else.
Moorfields uses Red Hat and the staff use Windows 7 pro, to exchange photographs with people in India and Pakistan to advise them what they should do about some Indian or Pakistani with a lazy eye.

Nobody should ever be made to use a Linux desktop or a Linux server.

I use Linux and a Linux desktop, and I have done since the little floppy disk days but I also use Windows 7 pro, and the Apple Mac and have no loyalties to a Linux desktop.

The IT problem is like the man who owns a poodle just because he knows which end the dog shits out of does not make him a dog expert.

Liability, integration etc.

[mccalli]

Who would deal with the inevitable liability suits? What about integration with vendor systems which are often proprietary or under NDA? What about vendor-derived systems full stop (not shrink-wrap, more thinking vendor has a core product which they then customise for each client)....

It's too blanket a rule.

Finland

Finland just put hundreds of millions to a healthcare program to a company developing it. And its not ready yet... This should without a doubt been put on a open source project instead. If for no other reason that other goverments would have been able to chip in and use the same program for their healthcare and continnue to develop it. Im 100% sure this would have been much better for society as a whole instead of now feeding a select few new millionares...

if the reason for NOT

[mapkinase]

is security, then that would be just an example of security hy obscurity.

Re:if the reason for NOT

And if the Security team members were all hired for their Windows security expertise, how long will it take for them to become experts in a new OS? And how vulnerable will your network be in the meantime?

Re: if the reason for NOT

What self respecting Windows specialist dont know Linux? Atleast not one i would hire...

Re: if the reason for NOT

You think the IT manager at, say, the county level has a clue what skills to look for? You think they are going to offer county-level money end up with someone better than an ex script kiddie who went on a 5 day course to get an Ethic Hacker cert?

Re:if the reason for NOT

[david_bonn]

is security, then that would be just an example of security hy obscurity.

Three examples where I think open-sourcing software used by the government would be insane:

(1) Offensive cyber weapons. If they are even allowed to exist at all, I don't want my government supplying script kiddies with scary dangerous zero-day exploits.

(2) Software used in weapon systems. Why should we make it easier for adversaries to clone our tech? And why should we make it easier for them to come up with countermeasures for those systems?

(3) Some software used in the criminal justice, law enforcement, and federal court system. This is a bit more ambiguous, but it is plausible to me that someone could use that software to either game the court system and make sure their cases only came before judges who would rule more favorably towards them, or could use them to make it more difficult for law enforcement to detect and combat criminal activities.

Re:if the reason for NOT

Well, security by obscurity is the reason why military sites use locks and guards to keep trespassers out.

Re:if the reason for NOT

Security by obscurity is better than no security at all. If every piece of software was open, there wouldn't be enough developers looking over everything to fix all the reported security bugs. Governments use a lot of software customized for their tasks, no one else will care about it so the code won't get the attention it needs.

What should be mandated is open file and format specifications, specifications detailed enough that they can be implemented by others. That's what prevents lock in. Open source software doesn't prevent lock-in if there aren't any developers left supporting and understanding the code. How long would it take for you to figure out how build and modify Firefox if all it's documentation and developers disappeared?

Second to that, the government should get the source code, but that doesn't require them to release it publicly. It's to prevent them from being cut off if the company dies or tries to blackmail them around. This is what the military does and it doesn't hurt their contractors, so the rest of the industry could adopt it as well.

Re:if the reason for NOT

[drinkypoo]

(1) Offensive cyber weapons. If they are even allowed to exist at all, I don't want my government supplying script kiddies with scary dangerous zero-day exploits.

They shouldn't exist at all. The responsible thing for an agency tasked with securing the nation's communications (like the NSA) to do is to report vulnerabilities to vendors, so that holes can be patched, and the nation's communications can be made more secure. That's literally their first job.

Software used in weapon systems. Why should we make it easier for adversaries to clone our tech? And why should we make it easier for them to come up with countermeasures for those systems?

Agreed.

Some software used in the criminal justice, law enforcement, and federal court system. This is a bit more ambiguous, but it is plausible to me that someone could use that software to either game the court system and make sure their cases only came before judges who would rule more favorably towards them, or could use them to make it more difficult for law enforcement to detect and combat criminal activities.

It sounds like you're advocating security by obscurity...

Re:if the reason for NOT

[urusan]

Here's an interesting option for controlling cyber-weapons without taking them entirely off the table. Instead of banning them or allowing unlimited secrecy, instead the following rules have to be followed:
1. The cyber-weapon has to be completely declassified within 1 year of becoming operational. (Perhaps a somewhat longer time could be mandated, such as 3 years or 5 years, but if the countdown becomes too long then the situation becomes more and more like unlimited secrecy)
2. The cyber-weapon has to be declared when it becomes operational, so we know when to start the declassification countdown.
3. The cyber-weapon cannot be used against the populace of the country operating the cyber-weapon. If this is the case, the exploits involved have to be reported to vendors immediately, and it has to be declassified more quickly as the vendors fix the issue. (What constitutes being usable against the populace is an interesting question, as stricter interpretations of this may rule out cyber-weapons usable against any public software, also note that private/secret forks of public software used by specific countries for country-specific purposes would almost certainly count as country-specific).

The overall effect of this should be that cyber-weapons are short lived and limited in scope (mainly attacking the secret capabilities of other countries instead of public software/infrastructure). It incentivizes improvement of existing nationally-used public software by defence actors, as they can no longer exploit loopholes in the software used by their own nation. It also incentivizes other countries to use public software for their infrastructure, and increases the quality of said infrastructure dramatically as everyone would want said infrastructure to be of top notch quality. The relatively quick declassification time means that any scandalous abuse of the system can be detected quickly (such as if they ignored rule 3, or if they created a cyber-weapon that was brutal enough to cause war crimes). The cyber-weapons declarations also serve as a deterrent, indicating that such weapons exist without giving away details about who is targeted or what it's for (at least until it is declassified, at which point there should be new weapons in existence). If it ever got to the point where it'd be impossible to create a new weapon before the old ones expired, then there wouldn't be many vulnerabilities out there and so we'd live in a very safe cyber-environment, making cyber-warfare moot.

If there were reasons to classify some cyber-weapons for longer periods, then I would recommend that they at least be required have an accurate summary of their purpose and reason for the classification extension declassified after the normal period, and they should be subject to substantial court scrutiny, with an ultimate declassification required at some later date. If this is allowed at all, it should be rare.

As for your other two suggestions, I definitely agree that software used in weapon systems is important to keep classified. However, I strongly disagree that criminal justice software should be secret. The benefits of public review of criminal justice software outweigh the possibility that some genius could find an exploit that makes them harder to bring to justice. Also, such exploits are more likely to be detected in the first place.

It should also be noted that the complete "source code" of the law itself is already out in the public view, yet we don't worry about someone finding an exploit in the law, even though it happens from time to time, allowing some people to exploit the system. Clearly, having a transparent code of law is much more important than catching every criminal.

Yeah but in real life...

[Casandro]

... you have a piece of software that doesn't work. You call in the highly expensive support from the vendor and they won't be able to do much more than shrug at it. It's something I have seen at large companies and very large vendors.

"Free Software" means that you can change the software if you please. That implies that the software is simple enough for you to make meaningful changes to it. The simpler the software the more reliable and secure it usually becomes, that's why when hardening a system you throw out stuff you don't need. If you don't have your own staff understanding vital systems, you have done something severely wrong.

Re:Yeah but in real life...

[Anne+Thwacks]

That implies that the software is simple enough for you to make meaningful changes to it.

I think you missed the point: governments can afford to pay for a team with the necessary skills to maintain the open source software in the manner that most benefits them. However, they only need pay once.

With closed source, they need to pay through the nose possibly repeatedly for different departments, and still don't get what they want.

However, this does require a degree of sanity in government, and I am not holding my breath on that account.

Re:Yeah but in real life...

[markdavis]

>"... you have a piece of software that doesn't work. You call in the highly expensive support from the vendor and they won't be able to do much more than shrug at it. It's something I have seen at large companies and very large vendors.""

THIS

I can attest that "support" by major proprietary software companies is just as hit-or-miss as it is in the FOSS world. There is support that is great, and support that is expensive as hell and yet practically useless. So it is hard to generalize.

One of the best models yet is the RedHat one- which is why they have been so successful. It is FOSS, so MORE THAN ONE ENTITY can actually support it- the main one, additional ones, freelance people, and your own staff. This is almost impossible with proprietary systems. It is like having the best of all worlds- multiple support options, free use options, good free support options, good paid support options, very little "lock-in", less forced upgrades, ability to see code, ability to extend, ability to share.

Re:Yeah but in real life...

[nine-times]

Yeah, small businesses can't afford to support and maintain their own software, but an organization the size of the US government can. They could, at least theoretically, hire a team of programmers to develop and support the software they need. They can fix bugs and develop new features.

And it's true that having software vendor support is overrated. For an awful lot of the problems you'll run into, when you contact support they'll tell you, "Oh, right, there's a bug. The thing you want to do can't be done and the data you've lost is gone forever. Sorry." Having support doesn't mean that everything will work or everything will be fixed. It just means you'll have a specific group to be mad at when things don't work.

Re:Yeah but in real life...

[eddeye]

governments can afford to pay for a team with the necessary skills to maintain the open source software in the manner that most benefits them. However, they only need pay once.

Spoken like someone who's never worked in govt. In reality most govt agencies can't do that, for a variety of reasons:

• Agency budgets fluctuate year to year. Unpredictable funding can doom the project.
• Agencies change leadership quite frequently. Look at the massive changes in policy and priorities at DOE, HHS, State, and other agencies when the Trump administration came in. As political priorities change, support and funding for other projects dries up.
• Turnover. Many govt agencies have significant turnover, as people gain experience and contacts then jump to the private sector.
• Hiring. Govt hiring practices are abysmal. They make it way tougher than necessary with arbitrary restrictions, greatly reducing the pool of candidates. Many good people never both applying for govt jobs, or never figure out the arcane tricks just to get past the HR gatekeepers.
• Expertise. Project management is handled by mid-level bureaucrats with no experience in developing software. They're promoted based on skills at the agency's primary mission.
• Changing requirements. Due to a rotating cast of leaders and managers with constantly changing priorities, projects tend to change requirements frequently and often. Hard for even a good software team to deliver successfully when the metrics for success swing wildly.

In theory, there's no reason an agency can't recognize their own limitations and hire a skilled software manager to run the project. In practice there are tons of barriers to doing that successfully. Successes are rare.

I'm not against open source in government. There should be more of it. But there are practical reasons why open source is difficult for govt agencies. You have to pick and choose the right use cases for it.

Re:Yeah but in real life...

[wisnoskij]

It is not like this has not been tried. Governments have been spending billions developing their own software since software has existed. I have yet to see a single one that even worked and did the job it was designed to do. And I can assure you it was many times more expensive than leasing existing systems.

Take for example my latest foray into the government system. First I had to sign up for a ONE-key account, to enable me to sign up for a service Ontario account on a second website, which allowed me to sign up for a ministry account on a third website. Strangely it did not even appear like it was possible to access any of these accounts without following them through the previous account. I was given a multi page guide on how to accomplish this, but strangely it appears most of the steps are just a little off; Most buttons, links, steps are worded exactly as specified or located exactly where they should be. Finally we get to the point of the whole exercise, renewing an exterminator licence. We start filling out the forms and oh, and error and we are booted out.

Well try again, "Error: form not saved". Apparently this is common according to tech support. Any data you enter into any forms that does not get saved, any applications that do not get completed, any problems anywhere at any time makes the site display nothing but an error about how you have to save the data before continuing. And the kicker, all of these government sites only function if viewed through Chrome on Windows.

Re:Yeah but in real life...

I always thought a "National Data Systems Agency" would have made a lot of sense. I.e a national agency which solely exists to centralize and deal with all the various issues you're mentioning. E.g there's no real reason government computers should run Windows. People might want it, but ultimately it's a workplace and its requirements should trump that quite handily. Whiners can find another job.

The political issues you bring up are probably the worst of the lot, particularly since American politics are so polarized. If it worked more like other, more civilized countries, it would be a lot easier to have a general agreement covering all parties which would stabilize things like budget, projects and leadership. It's egotistical idiots who just have change things up just because they can who screws things up.

I have more trouble to see what the problem with turnover is; it's not like normal businesses are immune to this - heard of "I've Been Moved"? I.e there is no silver bullet. If you care about your staff, make sure they feel appreciated and have meaningful work. You know, the standard stuff.

As far as expertise goes, we're talking about the government. I doubt if there is a serious desire to get the right people, this will prove to be very hard.

Finally, "changing requirements", ho, hum, yeah, that has never been a problem outside government....

Re:Yeah but in real life...

But you have provided jobs for at least three different companies to come in and develop thier vision of what the government wanted. You go you job creator you.

Re:Yeah but in real life...

Yes some of these issues exist in other places. I'm not denying that. Govt is the perfect storm where they all come together at once.

Govt hiring is a lot tougher than you think. HR puts up so many arbitrary hoops to jump through just to be considered. Most people never make it that far.

Could the govt fix the HR process to recruit better candidates? Sure, in theory. But it won't happen. Too much inertia in the current system. Hiring rules aren't just for techies... you'd have to change all hiring across the entire govt. Good luck with that.

Thanks for the productive reply. That's rare these days.

Re:Yeah but in real life...

You have no idea how difficult it is to "Change the software if you please." If you are a government entity, that means that peoples (as in we the people) welfare and possible lives or at least livelihoods are at stake.

You have never had to change a application across thousands of devices located across the country/planet have you. ID10T

Re:Yeah but in real life...

[jezwel]

...these government sites only function if viewed through Chrome on Windows

So they've finally ditched the IE6 requirement?!? Now that's progress.

Sarcasm aside, government core business function almost everywhere is unrelated to OS development, and application development is usually business specific. I'm sure that certain security related agencies could be set as responsible for developing a secure core OS for use across all government sectors, but you're also running against corporate interests in regards to some pretty large US based companies out there. Considering this is a US centric site, supporting US centric companies is no-where near as big a deal as every other country also doing it.

China has their Red-Flag (RH) linux, so it's certainly being done. I think there's little political capital around supporting that type of operation though, so it just won't happen.

Re:Yeah but in real life...

[l0n3s0m3phr34k]

I'm sorry you've had such horrible support before, sounds like you should have vetted your vendors better. I've had pretty excellent results with real warranties from large companies, including Dell, VMWare, HPE, and so forth. I've had VMWare rebuild VMs pretty much by hand (we had VMware 6, not 6.5 with more advanced rebuild features), HPE support for blade servers, often they will open up support tickets FIRST when they see potential issues in various subsystems before we have time to go over the logs. Synology is pretty decent too; proactively helping with patching firmware across multiple SANS at multiple locations.

We can't just "change stuff", we have baseline secure configurations, proper change control, and have to abide by both 800-171 and SOX. My coworkers have a VERY deep understanding of our systems. For us to use most open-source products we would need to test all the dependencies, hire more people to do low-level code reviews, and still it wouldn't be regulatory compliant due to lack of real vendor support. I'm guessing my "corporate world" is probably vastly different than yours; if we have a massive equipment failure...well, I can't say exactly but CENTCOM isn't a customer you want to fail an audit for.

Re:Yeah but in real life...

[l0n3s0m3phr34k]

So, open source products never do any updates, change libraries, new dependencies...your install of Debian is forever set in stone and is never updated? You personally vet every new dependencies that comes up when you yum update, and go in to and review all 50+ package's code to make sure it's all complaint with the Application Security and Development Secure Technical Implementation Guide? You can verify that absolutely none of the code violates V-70363? This requirement here is why Open Course isn't widely used in Federal systems, outside of very specific products and applications. If you can't call a toll-free line, open up a real support ticket (NOT just posting to a forum), etc then it's "Remove or decommission all unsupported software products in the application". Any libraries that use cryptography need to be FIPS compliant, listing their module that can be verified.

How do you specify a secure baseline for your open-source applications?

Of Course

[dohzer]

How will I easily find exploitable flaws if they use closed source software?

Re:Of Course

If you need the source code to find an exploit, just give up, kid. The black hat doesn't fit you.

Re:Of Course

Need and want are different things.

Open source is not free, even as in beer

Keep in mind that the open source is not free as in beer. You still have top hire people. The main thing you get is flexibility. That said, one big issue for government and their suppliers/contractors is how to contribute back. Many open source projects have bugs, security issues, and feature completeness issues and there isn't always a clear way for contributing back, and in many cases staying in compliance with open source licenses themselves. I've seen a lot of taking but no giving back, a distructive way of doing things.

Open data standards and open APIs

[kosmosik]

No.

Public/government IT systems should use open data standards and open APIs so that data is not tied to one vendors system.

Having that you can use whatever licensed software that does the job and is economically viable.

Re: Open data standards and open APIs

[madsh]

Spot on! I actually been reading the comments, to decide if I had to write this... Soon Gartner will start taking about âdata lessâ(TM) applications. A concept of strictly managing software and data separately. It turns out government data often has a longer life span than the software used to create and read that data. That said.... Code is data and data is data...

Re:Open data standards and open APIs

Absolutely agree.

Seems that support from anyone is available, given those standards.

Re:Open data standards and open APIs

[Anne+Thwacks]

In the "olden days" (when NASA was going to the moon) it was common for engineering procurement to require a "second source" - before aerospace would buy anything, there had to be an alternative source.

If you had an invention, you had to licence it to a competitor, or it would not be bought Typically, government procurement would buy from multiple suppliers, quantities in inverse proportion to price, to ensure that multiple suppliers would always be available.

I am not sure when this practice stopped - but it seems that things are no longer done this way - and as a result, we get Microsoft, Oracle, and Intel (or, to use the technical term: "totally shafted").

If that is not the decline and fall of civilization as we know it, I don't know what is.

They probably should

[cyber-vandal]

It's whether they're able to or not. There will be custom and proprietary software and hardware running on a variety of Unix, Windows and posiibly even mainframe systems. There will no doubt be plenty of OSS in there as well but until there's an easy and cheap migration path then the proprietary software isn't going anywhere.

Only if

Only governments that want to use their money on something else than software licenses should use open source.

Name them, then.

In response to a claim about malware and indication to the news reports that would have shown the proof of the malware attack, it is a nonsequitur to claim some OSS is insecure. AT WORST you're no worse off: insecure. But since you give no indication of what the hell you're talking about, I will simply dismiss your claim and equally substantiatedly claim that OSS is trustworthy, no dog turds.

Re: Name them, then.

OpenSSL.
node.js last year
PEAR this year

Open Source also has some fairly substantial supply chain security problems. The delivery model, and update cadence can also be pretty terrible.

The requirements of using something at home are vastly different than for the government, and scale becomes an issue. Your either paying a closed source vendor to manage this, or your bloating the size of your IT team and paying for it that way.

Using open source to save money is a myth.

Re: Name them, then.

Using open source to save money is a myth.

OSS doesn't always save money, but may. Open standards may allow you to change supplier, though, and allows you to shop around the market better if others are using open standards. If the software you are using does not use open standards then you may have issues with integration, which can cost money.

Re: Name them, then.

Maybe somebody shoul d explain to you that open standards and open source are both the same thing

Re: Name them, then.

Maybe you should do some research before opening your mouth. They absolutely are not the same.
An open standard allows anyone to create an implementation that is interoperable, regardless of whether it's oss or closed-source.

Re: Name them, then.

Yeah, like systemd - claimed to be internally modular, but the inter-module contracts are closed and changed at will. Is that what you mean? Is systemd not theoretically open source? Are there standards that'd let me replace some internal part I don't like? Or is it a more or less opaque opsys that someone needs to write an init for?

Re: Name them, then.

>Using open source to save money is a myth.

Whether or not FLOSS save money, depends upon what the comparison is with.

License Fees: FLOSS is usually gratis. Non-FLOSS is usually non-gratis.

Support:
* Tier 0: Gratis for both FLOSS and non-FLOSS;
* Tier 1: For non-FLOSS, when offered by the developer, it usually is gratis for a short period of time --- 90 days from date of purchase, or date of registration, is typical. When offered by a Third Party, as oft as not the cost of the first year or two is included in the price charged by the retailer, and the developer being completely out of the picture. Usually not available for FLOSS;
* Tier 2: FLOSS is usually more expensive than non-FLOSS. FLOSS support packages tend to be per incident. Non-FLOSS support packages tend to be per seat, per year;
* Tier 3: Non-FLOSS Tier 3 support generally requires a minimum number of seats per year. FLOSS Tier 3 generally looks at incidents per year.

Training:
* Non-FLOSS: First Party Training: Typically available, albeit at a high price;
* Non-FLOSS: Third Party Training: Typically available, pricing is all over the map. Quality of training is also all over the map;
* FLOSS: First Party Training: Typically not available;
* FLOSS: Third Party Training: Can be difficult to find. When available, the cost is usually higher than the equivalent non-FLOSS Third Party Training;

For Joe Sixpack, LibreOffice is going to be less expensive than Microsoft Office, simply because Joe Sixpack will purchase neither training nor support.

For MySmallCompany, INC. Microsoft Office, with genuine Tier 2 or Tier 3 support, will save money, when compared to LibreOffice with Tier 2 or Tier 3 support. Unfortunately, most Third Party Tier 2 and Tier 3 non-FLOSS support is run by scam artists;

For LargeEnterprise, INC. the cost for Tier 3 support is roughly the same, regardless of FLOSS or non-FLOSS status. The cost of training users for FLOSS is higher than training for non-FLOSS.

For VeryLargeEnterprise, INC, FLOSS with Tier 3 support is cheaper than non-FLOSS with Tier 3 support. The additional cost involved in training for FLOSS may or may not equal the reduced costs of Tier 3 support.

Remember, Sun purchased StarOffice, GMBH, because it was cheaper to do so, than purchase the same number of licenses for Microsoft Office.

If you're a SOHO looking to migrate from Microsoft Office to LibreOffice, your best course of action is to retain a migration expert, to guide your organization in how to store and archive your existing data. Budget for per incident Tier 2 and Tier 3 support, for at least five years after migrating.

If you're an SMB looking to migrate from Microsoft Office to LibreOffice, your best course of action is to retain the services of a company that has experience in migrations, for the migration period. Then retain an individual to do Tier 3 support. This individual can be either an independent contractor, or an in-house employee.

Large organizations should have at least one individual, either an independent contractor, or in-house employee, whose sole function is to provide Tier 3 support for the FLOSS software that it uses.

Re: Name them, then.

Not sure how, but the word both is supposed to say NOT. You are totally correct.

You actually believe that PR?

I guess you haven't ever looked into it, and just swallowed it whole.

No, for-profit is, by its very definition, never cheaper. Since it's the cost of doing the work, plus the profit, plus the training that you have to pay.
And even non-profit closed-source is also not cheaper, since it's effectively still a (imaginary) monopoly combined with artificial scarcity. You know... those things that are major crimes in any non-imaginary-property industry.
Finally, even training is easier for open-source software, as you can see every time your beloved Microsoft alters their damn UI for the sake of justifying paying money for a "new" version again.

Also, listen here, lizard brain: Sure, you can refuse to chip in, and keep all your things for yourself. But how do you not realize that we won't share any of ours with you either? Even crows and squirrels realize that! Wasn't the whole point of the invention of commerce, that you can exchange things you don't need that much for things you need more? Isn't humanity so successful due to, among other things, using the advantages of teaming up?
I think your chances in natural selection look pretty bad, compared to social humans.

I do live is this ideal world. My OS has been the same for the last 15 years. The system is still clean as a whistle, yet I've got all the new features unless I didn't want them. Thanks to it being open source, I grew a host of little scripts and patches that make it fit me more snugly than a perfect glove. My computer does its actual job: Automate my work away, unless it really needs my input.
While my girlfriend transitioned from Windows 7 and MS Office to Linux Mint and LibreOffice without any hassle whatsoever. ... What's so hard about it anyway? It’s all menus and bars of icons and property/settings widget blocks and input fields. You look for the word or image that's closest to what you need. Her old printer even works again under Linux, so she doesn't need to buy a new one. Thanks to some contributor.
And we haven't paid a cent.

I think the only ones who still argue like you, are the ones who have never actually used a computer, but only used software like a fixed-function appliance that happens to use a computer internally. And that still treat Linux, if they ever tried it, like Windows. (Hint: If you run across a repetitive task... like always placing a window a certain way, or always executing a certain task at a certain event... find the setting to do it, and if you can't, for the love of cod, at least learn to write yourself a small shell script. Even Windows can partially do that sort of thing nowadays.)
It's not hard! If you can write a recipe, you can write a shell script.

Re: You actually believe that PR?

I love how these anecdotal stories are all centered around someoneâ(TM)s personal computer and their girlfriend/wife/mom.

If this was so easy to do you would think that every business would be doing it. Itâ(TM)s like you are smarter than every business out there and if they just listed to you then maybe, just maybe, they would be saving massive amounts of money. Itâ(TM)s not like like a for-profit business has any motivation to reduce costs and increase profit - oh wait they do....

meh

Only if reasonable OSS alternatives exist for a given use case, AND if there is a healthy market for companies providing commercial support for that. Otherwise (unless we are talking of the largest of government organisations, which might perhaps afford having their own devops teams) this is dangerous and plainly stupid DIY which.

Wetware Problem

There are lots of problems with doing a major switch to FOSS but the biggest one is human. The first thing you would have to do for a major switch to FOSS is retrain all of the Ops and Support people. It takes years to become proficient in Ops for a new OS. So let's say you just go for apps. Even then you have the transition period from the old to the new. It is almost always much easier and cheaper to pay for a new SQL Server licence than it is to retrain your DBAs and Ops guys to use PostgresQL and persuade all of your vendors to support it.

It is also particularly risky for business continuity because even if you do manage to train your Ops well, the next time there is a problem that is outside of their training, it will take much longer to find a fix because they have no experience of the quirks.

If you really want government to move to FOSS, what needs to happen is something that allows a long, gentle transition. E.g. encapsulate an app within a lightweight Linux distro VM and something like a specially configured VirtualBox that presents the app in Seamless mode, i.e. it appears to the users and Ops as a normal Windows app. As IT Ops and the users become more used to these apps as more of them are introduced, eventually it would make sense to do it the other way around, i.e. run a Linux desktop with legacy apps encapsulated on a Windows VM.

But even then, the reliability and maintainability would almost certainly reduce. The government Ops people often struggle with Windows let alone moving them to something that has more moving parts than needed.

Forget any idea of a move to FOSS happening in a big bang. There's just too much cost, risk and downtime involved.

At least we can be happy that lots of them are using vendor-supplied, open source back end stuff on AWS.

open standards are more important

to my mind the utopia of IT desirability is that the OS that the end user has is immaterial because the goal should be that centralized systems can support any standards supporting device that cares to connect

just the one that most frequently annoys me, it is unfathomable why VPN connectivity hasn't yet been entirely standardized and then built into each operating system and I lay the blame on Checkpoint for using their market position to prevent exactly that because they don't want it to be easy for you to switch VPN services

Out of date software the problem

I think for the most part government deals more with out of date old technology then anything. Not sure if open source would solve this? Or make everything more secure. Whatever a target like government uses, it will have people trying to attack it. Were fooling ourselves to think open source doesn't have its own set of security issues. We have seen governments try and use open source and in a matter of a short time revert back to closed source.

Re:Right solution for the problem, what's wrong he

[Freischutz]

I've not had this problem. But I have not used anything other than Windows for most of 26 years. Every attempt, no library issues.

Of course I gave up each time so it was not long lived. So what are these libraries?

That kind of depends on the distribution you are using, some of them are crap when it comes to this but there are enterprise distributions that do some good and proper quality control. However, if you pick some thing like the Ubuntu or Fedora community distributions you are going to have this problem because those people have no issues with backwards compatibility, a lot of them just don't understand what all the fuss is about. The people running the enterprise distributions do understand it because they get angry phone calls and e-mails from customers every time, for example, the Python team decides to break backwards compatibility because they came up with a more elegant way to structure their API. You could also make the case that Windows is better because of QA and they do good QA these days but keep in mind that there you are limited to one distribution and no tech support worth mentioning unless you pay through the nose. I used to work for a telco that had a gold plated support agreement with Microsoft but apparently that didn't even include a provision for Microsoft to get off their ass and fix bugs. All the local MS dealer seemed to do was collect extra payments for marginally better support. For proper support from MS you needed a solid gold, platinum plated diamond encrusted support agreement that ships in an unobtanium case and that we could not afford. With FOSS you can at least either change distributions or hire a mercenary coder to fix your issue because you have the source.

All? Stupid question.

[Oligonicella]

Apparently the submitter - and editors - fail to realize that many IT systems in the government are not PCs. How many open source projects are there for IBM mainframe, Tandem and other architectures? How many of those that *do* exist (show me they do first, of course) perform the specialized functions the feds need and use, like FedWire to name one.

"If it is public money, it should be public code as well.

In a number of cases no, no it should not. FedWire being one.

Re:unrealistic

[Oligonicella]

Nonsense? Point me to the code in open source that can move wire transfers, both Fed and SWIFT.

It makes more sense for Goverment

Yes, universities need student worker jobs for experience, research grant funding to try out new ideas in support software, longer term planning which requires investing instead of short term cloud fees.

But governments which exist as a representation of the collective... is deeply aligned with the shared public work that open source is; with the biggest difference being it has an organized management with funding, power and the overhead of safe guards. That power and funding are what brings about most it's political problems... Sadly, the corruption and failing to fight against marketing/lobbying but in the USA, the increasingly anti-social culture is the main reason we do not collectively take on any new pubic works.

Open source projects are so unorganized, volatile, unpredictable it deters adoption and isn't enough to counter the close-minded thinking it is wrong for collective works to replace privatized services.

I do not think a national highway system could be built today. Obvious new public work projects that in the past would have easily been done have had trouble getting serious consideration. Such as, an information super highway... public health insurance, public healthcare, public car insurance, legalized co-operative insurance (illegal in some places...like public ISP are illegal too,) free college (high school wasn't free either until everybody needed it.) public recycling, trash, electricity.... or what everybody would lke: automatic TAX preparation by the IRS... which was proven cheaper but lobbyists killed that off.

I've worked with local governments. They do have plenty of lazy workers. I've worked consulting too; they have just as many lazy workers but those are forced a bit more in my view. It comes down to management in each. The main difference is that the public employees care MORE than the private employee (especially now with the lack of loyalty to workers.) Public workers have at least tiny bit more loyalty to their community/country if not a lot more. Many of the poor ones I run into and explore out of curiosity actually cared too much and the dysfunction of the system crushed their spirit too much. This one is most easy to see in the ones who quit their careers as cops/teachers etc. and the ones who are still plugging along are in the middle ground. If we stopped hating on our public institutions (like Russia wants and has been doing since the cold war... you ignorant Americans haven't got a clue! ) these people would be far more productive and happy.

Re:It makes more sense for Goverment

[volcan0]

It is crazy, but I think you are right. I don't see how such a project would work today. Too much corruption and inflation. In Québec, we can't even build our own bridges anymore. We let private company do it, then charge tolls for like 20 years, they they give us the bridge back ( well maintained, I am sure....). All under the guise of we can't afford to build a new bridge. Well, you would if you were getting the tools ! I think the real problem is that we don't teach critical thinking in school anymore...

lazy politicians and incompetent voters

The responsibility is the governments and it's elected officials. ultimately the voters. in an age of democracy under a multi-billion $ attack by Russia and wealthy privatization people (kind of same thing, with Putin and friends being some of the biggest) you can't get things off the ground on multiple fronts.

Governments can easily fund and replace anything. They have the power to even take away patents and pay low prices for them; they could play nasty in the courts too. It's the lack of media access that makes them weak against a company who can wage big media attack campaigns against them misleading voters. Microsoft did this in big ways to make sure leaders suffered and nobody could know the benefits but would hear about every ordinary problem hyped up 300%.

Re:All? Stupid question.

[fluffernutter]

Most of the IBM hardware supports Red Hat and SUSE, but you still have a good point because I couldn't see anyone buying a pseries machine and not putting AIX on it. You would be losing so many capabilities such as being able to dynamically resize partitions etc.

Meh

[fluffernutter]

Government has an obligation to make our data as safe as possible for as cheaply as possible and it ends there. If an open source solution fits those qualifications than use open source; but it's usually going to be a bad idea.

Depends. Some systems should never be public

But all the office-document crap should be and most of the infrastructure should.

Voting software should be too. BIG TIME.

Paying yearly for the same software over and over without any real control over the direction and bug fixes is stupid.

But I don't think anyone wants the code for the F-22 or even F-16s to be public. Same for missiles, most spacecraft guidance code. It shouldn't be public.

There is a sad truth to govt IT. Sometimes they don't hire the best people and it shows.
I worked in govt for 7 yrs. There were some brilliant people there, and some truly "special" idiots. On my team of 8, 2 were idiots, 2 were terribly lazy and the other 4 were well above average. So if we assume this as a normal make up, 50% in govt IT should be fired and their pay spread among the remaining people.
My team spent 10-20% of our time fixing screw ups from the others. 1 guy deleted 3 months of work just before our replacement backup system came online. The first system fell over and killed a data center worker and was inoperable after that. The worker didn't set the wheel brakes while working inside the raised floor. Basically, a full fridge fell onto him.

Specialized code being open source, but with limited distribution makes sense. Not sure that the IRS code to validate tax returns should be public, but I wouldn't mind a look myself.

So, the answer is "it depends."

Open Source in The Netherlands

The Dutch National Government has a policy that mandates the use of Open Source software (by govermment departments and agencies) unless a serious impediment prevents it. They also have a policy that mandates the use of Microsoft produtcs.

You're all forgetting corruption

One visit to the executive's office (governor, mayor, president) by a campaign cash carrying proprietary software company lobbyist, and all internal efforts to introduce open source or open standards come to a crashing halt.

The pent up demand is there in the government technology trenches.

But until this campaign finance corruption is resolved, nothing will change.

Theory vs practice

[McLae]

In theory, open source should be a no brainer to save money. Using open source can save tons of licence fees.

IN practice, open source may not be compatible with legacy systems, or missing critical functionality. And support can be a nightmare, with no vendor to provide updates or respond to bug support.

And before you say do it yourself, that adds more cost than the licences, for programmers, managers, testers, etc.

Re:Theory vs practice

[CRB9000]

Unfortunately, you are wrong. The U.S. Government requires all software purchases come with maintenance and support. When looking at software, the acquisition may be free, but we must purchase support licensing and the developer must be providing maintenance. This can be as costly as commercial closed source.

Re:Theory vs practice

[CRB9000]

Sorry, hit the wrong reply button, I'd say you amplified my other post.

Government/Software Inside Baseball Stuff

[CRB9000]

(Note: This applies to most U.S. Government agencies, but not all.)

O.k., here is some "inside baseball" stuff. Every bit of software, from major applications, application helpers, plugins, drivers, etc. must be tested and accredited and supported. In a number of agencies, there are U.S. origin requirements.

The large corporations, for example, Microsoft, host government employees, to include DOD civilian and uniformed, to be part of the testing process. A few years ago, Microsoft implemented changes to Windows 7 authentication directly as a result of the DOD move to smartcard (CAC/PIV).

Support is another area of concern for the USG. All hardware and software must have continuing support, enterprise licensing, and continuing maintenance. The major corporations and some opensource do provide this, complete with published support and maintenance plans. They also participate in vulnerability assessment and reporting.

If you want an open source project to be considered, you need invite the government in, and understand the software/hardware acquisition process and requirements. Simply tossing your source to the government saying, "Here, check it out for yourself" doesn't work.

Direct experience: OSS is not a panacea

[david.emery]

I worked on a large program (that you probably heard about) with a lot of embedded and command & control software. We made extensive use of both COTS products and open source.

Here are some of the impediments to using OSS we observed

1. The plethora of licenses! We kept 2 lawyers (one government, one prime contractor) busy nearly full-time for several years evaluating open source licenses. Each project had a different license, that needed to be understood for its impacts on procurement, use, distribution and maintenance, and how the licenses work together in a deployed system.

2. There was a big fight on the GPL. Many believed GPL would require the government to reveal all of its source code for this (weapon system) project. We never really did resolve this, and some GPL projects were disqualified from consideration due to license issues.

3. Maintenance was a key concern. For a commercial product, you can negotiate maintenance with the vendor. For OSS, you -might- be able to negotiate a support contract with a vendor (e.g. RedHat). But the government also might need to assume the maintenance burden if it couldn't buy support.

4. Related to #3: control of the evolution. With COTS products, there's a commercial entity that you can influence (including pay) to get the changes you need. With OSS, there's no guarantee the OSS product would migrate the direction you needed.

5. Related to #4: Complexity of integration. If you have N products, you have N! ways those could fail to integrate :-)

That being said, we used a lot of OSS in the project. We also took advantage of government site licenses on COTS, negotiated specific COTS contracts, and in some cases ended up writing our own code where we couldn't find an alternative. The project had a formal process for each significant component that required government and prime contractor concurrence. OSS tended to win in cases where there was a solid user community, some options for support (including training, by the way), and we understood the life-cycle risks. COTS won where there was an established product with clear maintenance costs (and things that the government already had site licenses for were obviously at a significant advantage.)

And I still remember the one government group that showed up with a 1.2m line application written in Visual Basic, who were totally pissed when we told them "We have no provision for Microsoft Windows in our computing environment. If you want to use a Windows application, your group will be responsible for the life-cycle costs to buy WIndows licenses where you need them, install/provision Windows and the associated software such as Anti-Virus, pay for the support costs including software maintenance and the people costs to maintain a Windows environment, and the training for the users and administrators for Windows applications."

Open Standards are the most important part.

[biggaijin]

It seriously offends me when I download something from a government Web site and discover that I cannot read it without buying a copy of Microsoft Word or some other proprietary software. It is not my government's job to guarantee Microsoft a market for their products.

Re:Open Standards are the most important part.

Why not just use LibreOffice to open a Word document?

Re:Direct experience: OSS is not a panacea

[angel'o'sphere]

4. Related to #3: control of the evolution. With COTS products, there's a commercial entity that you can influence (including pay) to get the changes you need. With OSS, there's no guarantee the OSS product would migrate the direction you needed.
The idea of OSS is: you hire people to make the changes/evolution you want. So you actually have much more influence over an OSS project than over a closed source project. However you rather pay the $130/h to a company which might make some changes in time instead of the $100/h to a freelancer.

Hint: if the software you want to be changed is Java, C++ or Python, you find hundreds of people here on /. who jump into it directly. Probably even a few dozen C# fans ...

As I mostly live in Thailand no, I probably would even lower my price to $90 :P

Re:Direct experience: OSS is not a panacea

[david.emery]

That depends, of course, on finding competent workers and companies (even body shops) to contract with. For my project, that included all the overhead and pain of doing contract work for the US government. Usually, defense work requires be performed in the US by US citizens, so that rules you out :-(

The EU...

...has an open source first procurement policy for all its agencies & governments. This means that only if an adequate open source option is not available, can they procure proprietary software. For example, I had a student in Spain whose job it was to develop a national standardised data schema for public health records so that each region could procure software independently but still have them interoperable. No need for a single massive, expensive, & likely unstable database & proprietary lock-in. That sounds like a good strategy to me.

It's not that simple

Apart from security matters, would they be permitted or expected to contribute fixes? That might be interesting. The fact is, the GOV'T produces their own chips and other infrastructure -- so naturally, they would also have code that is highly specialized to operate those. As for general-use PCs, they still have a rigorous process in labs -- code needs to be reviewed carefully etc. They don't have the time and resources to perform this task for the public.

Re:Right solution for the problem, what's wrong he

[drinkypoo]

One has to "fight" with a situation where you have the same library named differently, installed in different locations, installed with older versions of the same depending on distribution...

Unix supports that scenario just fine. It was only Windows where it was ever a problem (DLL hell) though even Microsoft has largely solved it now.

Re:All IT systems should be using open source soft

[drinkypoo]

Windows is not open source, but users and developers are cheaper.

You're ignoring the cost of running Windows. Not just the up front costs, but the maintenance costs, and the lost opportunity costs when closed source makes something difficult or impractical.

I'd rather not pay the taxes needed to support all OSS.

OSS supports YOU at the same time you support IT. It's not all outlay, you get the software back, and you get improvements from others.

no, but

[Tom]

No, they should not exclusively use Free Software (sorry, "Open Source" guys, I never hopped on that bandwaggon) but they should have a strong preference for it.

Sadly, there are many areas where no Free Software of adequate quality exists. Areas that are vital for government work, and a government should not restrict itself. However, if an adequate Free Software exists, the government should strongly prefer it.

Security? Let's not forget two things: a) Free Software isn't bug-free, either, and especially tricky parts with security implications regularily don't get enough eyes on them. And b) we're talking about governments here. Unless you're the government of some tiny island, you can probably pressure big software vendors into giving you their source code for inspection. I mean, you seriously think the NSA (which is tasked with keeping the US government IT infrastructure secure) doesn't have access to the Windows, Office and whatever other source code they want? For large enough governments, every software is open source.

Re:All? Stupid question.

[drinkypoo]

Apparently the submitter - and editors - fail to realize that many IT systems in the government are not PCs.

The non-PC systems are waning, though. These days, the government is more likely to use cloud services, or otherwise employ a cluster of PCs.

Re:Right solution for the problem, what's wrong he

Linux and FOSS in general are finally coming into their own. Welcome to DLL hell, a problem solved 20+ years ago.

The problem is a lack of standards when it comes to where things should be placed, and the fact that there is no mandate that all libraries maintain backwards compatibility. Without that, installing new versions of things can break everything on your system.

And that doesn't even get to the point of discussing how unusable the free Office alternatives still continue to be. Ugly. Hard to use. Hard to install.

Re:Direct experience: OSS is not a panacea

[angel'o'sphere]

Perhaps I can masquerade as one :D

Anyway, such jobs I would do remote, so it rules me out, as I don't plan to live in a mayour US city. Country side would probably be ok. But honestly I'm to old to do this green card shit and follow all the regulations, I would not even work for Apple or something like that. Oki, Space X ... that I probably could not resist.

Re:unrealistic

So a closed system is created that specifically excludes open implementations and you use that as your example?

While not the same how about pointing out crypto-currencies and block chains? Did government invent those?

Re:unrealistic

[gweihir]

An exotic example does not make a valid argument here. Incidentally, this will often be interbank agent owned software that they developed in-house and that is a trade secret. You only get the client side or the interface spec and that you may not even be able to buy.

No,

[WorBlux]

It's not always feasable. However every government contract for non open source should include a provision for data export in an open format.

Re:All IT systems should be using open source soft

Yeah, then all IT systems would be infected with political correctness, vendetta seekers, and disgusting SJW's.
Fuuuuccckkk that.

I'd go further...

[HiThere]

They souldn't only be using Open Source, they should be using Free Software, preferably under some GPL or BSD license, with the weighing tilted towards GPL. And if they can't find it available, they should build it themselves (and publish it).

There may be a very few small instances where they shouldn't publish it, but in those cases the software shouldn't be distributed in object form either.

Re:I'd go further...

[bloodhawk]

FUCK that. government don't exactly have the best developers to start with. The last thing I want is them building it. It will mean $100,00 piece of commercial software will instead cost $10 million in development and then be ditched 2 years later for being unusable

Re:All IT systems should be using open source soft

All IT systems pretty much do use open source software somewhere.

For governments, show me an open source version of SAP that could seamlessly translate 20+ years worth of infrastructure development from each agency and prime contractor site from proprietary to open, and I will be the first to agree with you. Unfortunately, this is more than just database applications or running reports

An example: Bioresearch

[feranick]

A possible example is in federally sponsored bioresearch. If money from the Feds are used, the data needs to be made public. Why not software? The fact that some is bad could be an opportunity to fund it to make it better. I don't really buy the idea that only FOSS software can be bad, while all paid one is worth. The former can be held accountable for its quality but not the latter...

Re:unrealistic

huh - well I guess the the NACHA library I am working on at work will rectify that...

A failure for...?

"The fact that this approach is not already the norm is something of a failure on the part of the Free Software community..."

Not really fair, as this is more a victory for lobbyists and a fail on the part of our elected representatives. I would trust open source more than most proprietary software.

Try again, dumbo.

Those are not untrustworthy. They had bugs that included security incidents. Try those when closed source hasn't got them. See Windows.

You claimed UNTRUSTWORTHY. Not bugged. Not flawed. Untrustworthy.

Fucking idiot.

You haven't a clue what you're talking about.

GPL is the most free. The restrictions are on how you can not make it unfree. Manumission was not a lack of freedom (for slave owners) it was a law that forbid slaves and freed everyone.

Moron.

The only way to get what you claim to want (other than just "NO GPL!!!") is to remove copyright altogether.

YES! YES! YES!

I work in tech support at the IRS. Billions each year are thrown in fire for Microsoft software that is unreliable, and broken worse by every "fix" they send out. The Windows 10 Upgrade is a disaster. The ticketing system from HP is a waste of billions that gets in the way of doing our work. Adobe Acrobat is an unjustifiable expense now the PDF is no longer a patented technology. I could go on forever about the awful software billions have been wasted on, and how tech support is stretched way to thin trying to babysit all the junk. Instead of that, I will talk about something good. The VA's Vista system. It is the only electronic medical records system developed hand in hand with the doctors and nurses who had to use it, and the only one in the industry medical professionals don't hate. It was developed in house by the VA on the sly, as the bureaucrats never would have authorized its development. Government should stop wasting taxpayer dollars on commercial software, period.

Re:YES! YES! YES!

[uncoveror]

I work in tech support at the IRS. Billions each year are thrown in fire for Microsoft software that is unreliable, and broken worse by every "fix" they send out. The Windows 10 Upgrade is a disaster. The ticketing system from HP is a waste of billions that gets in the way of doing our work. Adobe Acrobat is an unjustifiable expense now the PDF is no longer a patented technology. I could go on forever about the awful software billions have been wasted on, and how tech support is stretched way to thin trying to babysit all the junk. Instead of that, I will talk about something good. The VA's Vista system. It is the only electronic medical records system developed hand in hand with the doctors and nurses who had to use it, and the only one in the industry medical professionals don't hate. It was developed in house by the VA on the sly, as the bureaucrats never would have authorized its development. Government should stop wasting taxpayer dollars on commercial software, period.

I feel your pain.

It Depends...

Fundamentally, open government is about open data. As long as the data can be read by and used in any reasonable application, it's fine to use non-open software to generate it. Ideally, that would mean using open data formats (such as ODF), but it could also mean using one that's almost universally readable (like DOC, XLS, etc.).

Then there's software. EPA, for instance, won't accept an air quality model for regulatory purposes unless it's open source, even if it's otherwise well documented and even distributed as freeware. That's so anybody can read the source and (if they're a sufficient wonk) understand what the model's doing. Interestingly, most air quality models are still written in FORTRAN...

The real problem is

The real problem is Microsoft comes in and gives the 8-10 key decision makers in the organisation incentives to remain on MS.

Oh Bullshit

All decision making of this sort needs to be practical and business driven. This isn't; it's ideological.

It's right there in the headline: "Should All Government IT Systems Be Using Open Source Software?"

And it comes from LinuxJournal. Gee, ask a salesman if the product they are selling is the greatest ever, and exactly the answer to your problem, what do you think they are going to say? "Why no sir or madam, you should check out the product offerings of our competitor!"

Ask yourself this too. Why is government different? Would business ask themselves this question, or would they snort and dismiss it for the ideological clickbait it is?

Yes, sometimes FOSS is a good answer. Other times proprietary is going to kick FOSS' ass, and you'd be a fool to choose FOSS. The problem is that far too many in the FOSS community don't have clear eyes. They can only choose FOSS and will put up with whatever shitshow that decision puts them into. Every FOSS problem will actually, somehow, by mysterious and inscrutable means, be the responsibility of some organization in the proprietary community.

You know, like Microsoft paying bribes to the customers. Which no one has ever found out about or has any evidence for. Because, while it's possible, failing to produce evidence for that behavior is called 'lying' and 'dishonest'. But as long as you are lying about Microsoft, it's OK, I guess the thinking is?

Do what's best for your users. Do what's best for your business or government. This notion that FOSS is automatically best is ideological nonsense and dooms you to years of pain if you choose poorly.

Re:unrealistic

That is nonsense. Nonsense often repeated, but still untrue.

Yup. You see this often coming from Open Sores zealots. It's similar to the Crapple "It Just Works" lie.

Yes

I believe government IT systems should only rely on open source technologies. The opposite is morally wrong

Re:Right solution for the problem, what's wrong he

What busted-ass distribution re you running that distributes conflicting libraries under the same name?

In many cases, they already do

[whitroth]

For example,Biowulf, 100th fastest supercomputer on the planet, at the NIH, mostly runs Linux. And many peopel use R, rather than paying the licensing for Matlab.

Now, whether management wants to support Linux and OSS, or repeats in their sleep "THE WORLD BELONGS TO M$" is another story... but it's heavily used.

Just for fun, slashdotters, look up https://www.spi.dod.mil/lipose... - a lightweight secure distro of Linux, can run from a flash drive.

Put out by the US Air Force.

Re:All IT systems should be using open source soft

[Voyager529]

Windows is not open source, but users and developers are cheaper.

You're ignoring the cost of running Windows. Not just the up front costs, but the maintenance costs, and the lost opportunity costs when closed source makes something difficult or impractical.

These also apply for running OSS. I'm sure it's possible to ultimately replace Active Directory with some implementation of LDAP on CentOS, but a virtually any sysadmin with a pulse can go from bare metal to multiple domain controllers with checkbox-compliant GPOs, DHCP, DNS, shared folder permissions, and server clustering in an afternoon or two. I've yet to come across a drop-in replacement for that sort of core functionality in an OSS package. Additionally, a whole lot of closed source software only runs on Windows; moving to not-Windows yields lost opportunity costs on that end as well.

I find myself as a software pragmatist. I would love nothing more than the Department of Developers (DoD?) whose job is to write OSS software that is compliant enough to replace closed source titles in use by the federal/state/local government. However, it would be a matter of principle, not a matter of cost savings...and it's been a very, very long time since we've had a political climate where such a department could be effectively founded and funded.

Re:All IT systems should be using open source soft

First off; In a world without Windows, why would you need AD?

I'm not asking to be mean, but IMO this is one of the bigger problems with switching out proprietary software, specifically Microsoft's offerings. People are so indoctrinated, that they keep trying to solve Microsoft problems, the Microsoft way, which invariably leads to anything different being deemed "inferior". If you look at it that way, your question is the perfect example.

Secondly, your version of a DoD sounds like a good idea, but it wouldn't just be a matter of principle. It would be a matter of trust and control too. One can only ever have one master, and as long as we (as in we, the people of the state) rely on commercial actors, who ultimately have a completely different agenda and set of desires from what a state has, there will be conflicts of interests. It's crazy to have a state beholden to the whims and desires external entities!

Use the best tool for the job

[Kryptonut]

If one of those tools is Windows and one of those tools is Linux, who cares? As long as it's the right tool.

Re:Use the best tool for the job

[JustNiz]

Except Windows isn't a good tool for anything on its own merit.

Re:All IT systems should be using open source soft

[Voyager529]

First off; In a world without Windows, why would you need AD?

I'm not asking to be mean, but IMO this is one of the bigger problems with switching out proprietary software, specifically Microsoft's offerings. People are so indoctrinated, that they keep trying to solve Microsoft problems, the Microsoft way, which invariably leads to anything different being deemed "inferior". If you look at it that way, your question is the perfect example.

Let's look at a handful of things AD does that would likely apply to Linux clients:
1.) Centralized authentication. Users should be able to have their password apply to any computer in the environment. LDAP does this particular part pretty well.
2.) Failover/Replication. LDAP supports this. LDAP does not support this in less than an hour from a bare metal install unless you have a bunch of scripts already written.
3.) Group policies. How do you ensure different departments can only print to their own printers (Linux users print, right?)? How do you make sure profile folders are transparently redirected to the server (Linux users store data, right?)? How do you schedule patching intervals (Linux users want patches applied after hours, right?)? How do you specify proxy settings, especially when adding a trusted certificate for HTTPS filtering (Companies don't allow free-for-all internet access for Linux users, right)? Now, the answer may well be "shell scripts at logon", but do you have different scripts for different user/computer combinations? All of this is done via group policy.

That's just off the top of my head.

Secondly, your version of a DoD sounds like a good idea, but it wouldn't just be a matter of principle. It would be a matter of trust and control too. One can only ever have one master, and as long as we (as in we, the people of the state) rely on commercial actors, who ultimately have a completely different agenda and set of desires from what a state has, there will be conflicts of interests. It's crazy to have a state beholden to the whims and desires external entities!

I'd love there to be a DoD, but I also fear that government developers would be hamstrung in some of the very worst ways. infinite scope creep, "why are we funding this finished project; we don't need no stinkin' patches?", "Your EMR connector needs to be able to understand data from $STATE_A and $STATE_B, each of whom use different systems built by direct competitors to be as incompatible as possible", constant subservience to the political and budget wind, standoffs regarding who gets to make the standard and who gets to conform to it (exacerbated if a state who has opted out of a new system still has to get their current one into compliance), incumbent systems dating back to the 80's, kowtowing to requests of different states if they're willing to directly fund projects, secondary effects from/to the private sector, and even the fundamentals - do they assume you're running GovSys from the BIOS up, do we assume Windows and GovLinux versions of everything, can they write a program with a depedency on Oracle? Could they do so if Oracle was compelled to release a version of their software that could be utilized to fill that requirement without expenditure, and if so, do we now reopen the can of worms that was the San Bernadino iPhone case?

A new country starting today could probably make that one of their enumerated departments and require conformity from the very first computer purchased might have a fighting chance. China and DPRK who own the major software houses anyway could have one; it'd basically be a standards body at that point - one of the silver linings of an absolutist government. The USA...sadly...would be a super difficult place to make that happen.

Re:All IT systems should be using open source soft

1. You answered that yourself?
2. You answered this yourself, but added a separate criteria, which is pretty much a one time issue. 1 hour extra work, potentially, vs being beholden to MS and the horrific AD? I'd take the 1 extra work, thanks.
3. Groups. NFS. Cron. Etc, etc. Basically every real problem you can come up with are, as you correctly point out, problems for Linux/Unix users too. And they've had them for longer than Windows have even existed. I dare not say there are solutions for absolutely everything, the matrix is way to big for that, but the vast, vast majority of all real problems, i.e not self inflicted Microsoftisms, there is already a solution. The only thing you need is to realize you're using a different OS, which will solve these problems differently, i.e the Microsoft way is not the one and only, be all end all way to do things.

Re:Direct experience: OSS is not a panacea

"1. The plethora of licenses! We kept 2 lawyers (one government, one prime contractor) busy nearly full-time for several years evaluating open source licenses. Each project had a different license, that needed to be understood for its impacts on procurement, use, distribution and maintenance, and how the licenses work together in a deployed system."

Surely the opposite is true?
There are a handful of standard open source licenses that are well known and understood, GPL, LGPL, BSD, MIT etc, whereas each proprietory vendor will have their own bespoke license which you need to go through with a fine tooth comb to find out where you stand.

Sshhhhh!

Sshhhhh! /. user biggajin is seriously offended. Your helpful suggestion just isn't welcome as it kills his angry buzz!