Should All Government IT Systems Be Using Open Source Software?

Writing at Linux Journal, Glyn Moody reports that dozens of government IT systems are switching to open source software.

"The fact that this approach is not already the norm is something of a failure on the part of the Free Software community..." One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.... Another is transparency. Recently it emerged that Microsoft has been gathering personal information from 300,000 government users of Microsoft Office ProPlus in the Netherlands, without permission and without documentation.
He includes an inspiring quote from the Free Software Foundation Europe about code produced by the government: "If it is public money, it should be public code as well. But when it comes to the larger issue about the general usage of proprietary vs. non-proprietary software -- what do Slashdot's readers think?

Should all government IT systems be using open source software?

Who develops it?

[Skinkie]

Recently a Gartner report on open source in The Netherlands made an interesting case why with the current legislation the Dutch (and likely European) governments could not contribute to open source software. Governments may use it, but a software developer disguised as civil servant must never be provide patches or features back to the open source project, nor is the government allowed to publish their work in public, publication should be strictly limited to other governments. This would be prohibited due to unfair competition with software suppliers that build closed source software not having the advantage of government support. Now the case of no-vender-lockin still remains, but unless we first change these kind of laws, harnessing the true power of open source: collaboration, is legally not possible.

Re:Who develops it?

[stooo]

>> unfair competition

That's B.S.
The thing about free Open source software, is everybody can use it under the exact same conditions.
So it's fair, because that same company can just sell it also.

Re:Who develops it?

[Skinkie]

Considering the following real case. The City of Amsterdam created a new CAD plugin allowing to the export to contain all properties required for a government exchange. Everything they had seen on the market had issues, hence they developed something new. Other municipalities started to use this software, and one of the commercial suppliers of a competing plugin was not amused. Here the government puts in resources to compete with a market activity - even if they completely hate the product - the proper way to solve this is via a tender, which can obviously request all software assets to be available. The currently legislation prevents unfair competition by provision costs, hence the development costs (labor fees of the civil servant) should be balanced over all private users, unless legislation is made to prevent this. For open data this is for example the European Public Sector Information act.

Re:Who develops it?

[stooo]

>> the proper way to solve this is via a tender
Nope. That's the old way from the last millenium for governments to waste money. Welcome in 2019.
Still, the field is level, the commercial companies can pick up the FOSS and sell it with good support. Everybody wins, it's good for fair competition.

Re:Who develops it?

[El_Muerte_TDS]

That Gartner report is, obviously, quite pro-for-profit. According to the summary contributing to OSS is not allowed due to the requirement by law to be able to charge somebody for the made costs.
The made costs are listed as (time spend on):

1) Making code readable.
They agree that readable code has it's benefits either way. But making code readable for temporary solution is not. They forget the principle that nothing is more permanent than temporary solutions.
2) Performing security audits
Security through obscurity reasons.
3) Community support
You need to build and support a community which you need to control with an iron fist. Otherwise the community might go into a different direction. (i.e. fork your project).
No mention that if you contribute back to OSS you don't need to curate a community.
4) Community support
Basically the same reason. You need to spend time on processing community feedback (like bug reports/fixes).

They also fear reputation damage for low quality code :) Reputation damage, for a government... They should hide that the government in run on terrible code.

But what if the Government would pay a company to do all the above things? That's where the weird "unfair competition" comes to play. Requiring the work done to be made OSS is unfair to the companies which do not want to do that. (But now allowing small companies to bid on the tender isn't an issue)

Re:Who develops it?

[Skinkie]

Requiring the work done to be made OSS is unfair to the companies which do not want to do that. (But now allowing small companies to bid on the tender isn't an issue)

The government is allowed to set requirements on what they want to receive, and how they want it be be delivered. So technically speaking they can request a can of developers for 10.000 hours, and want to have a fair price in a tender for that. Or you can ask for a software license to allow you to do this and that. Hence if a solution company does not want to deliver such, they will not participate in the tender, but they have been allowed to participate and with a lot of experience might have been able to do so under a reduced cost (much experience in the field, able to reuse previous work). Less money spend is good for the tax payer. But this would still only be able to be used inside the government. Because there is a limitation a public body could act as a private body by the legislation of competition. Imagine the government buying all ground, developing real estate, there couldn't be any competition. The article is about should government require open source software to be independent of suppliers. There are quite a lot of examples where government software development is not about the next "Office" software but in CAD, geospatial, photogrammetry, simulation, urban planning where this software might benefit others. If the government would build a new OS-kernel we would likely all agree this is stupid, what about a competitor to ArcGIS/QGis?

Re:Who develops it?

[drinkypoo]

Other municipalities started to use this software, and one of the commercial suppliers of a competing plugin was not amused.

The city wasn't amused by the incompetence of the commercial supplier.

The currently legislation prevents unfair competition by provision costs,

There is no unfair competition because the commercial vendor is free to distribute the open source product as well.

All IT systems should be using open source softwar

[stooo]

>> Should all government IT systems be using open source software?
All IT systems should be using open source software.

Re:sometimes

The problem is that government systems tend to handle all kinds of really important information, and proprietary vendors have shown over the years over and over again that they simply are not trustworthy, and that the people responsible are not up to par WRT keeping them safeguarded.

Evidence? The massive hits by ransomware against various types of government agencies ranging from the NHS to the Alaskan administration, the latter I believe got hit so bad they were considering reverting to typewriters. And this is just the tip of the iceberg of the continual data leakage we never get to hear about.

Making sure the systems run on verifiable code were you don't have to trust external parties should be the starting point for every state run system. That would be intelligent spending. The government has a lot of information on all of us, and by collecting it it also collects the responsibility to protect it. Something which just isn't possible with proprietary software, Microsoft's latest offerings in particular.

Re:Not "Open Source" but "Free Software"

Open standards yes, since you avoid lock in. Open source maybe. Does it save money over the long term?

"Millions for defense, but not one cent for tribute."

This isn't a question of efficiency. It's a question being able to know 100% what the government is doing. There are proprietary breathalysers that sent people to prison and then turned out to be buggy. The manufacturers wouldn't let people see their source code so the defendants will often have never found out about this. If your town is not having it's road built because the Office356 regression function has a bug you will never be able to see that.

For democratic control you need both open (so you can see inside) and free (so you can test it) software.

PROTIP: We are part of "the market" too!

Yeah, the commercial offers sucked. And the market decided. For a better product and a better deal. Made by the "corporation" called "government", which is the "corporation" that we're all shareholders, employers and employees of.

The commercial suppliers simply hated an actual free market (and especially it balancing itself out). Like apparently all corporations and businesses without exception always do. Because they prefer unfair competition, but only if it's them doing it, e.g. in the form of a monopoly (even imaginary ones on imaginary property).

I think in the long run, FLOSS will win over all closed-source software. As an egoistical sole company simply cannot compete with everyone teaming up to make something free and libre. It's why social species succeed over everyone-for-himself species. And the imaginary property delusion won't last forever. People are gonna want to only pay for actual work, not for mere copies or mere profit, since they had to actually work for their money too. They only don't right now, because they have no choice, and because those who steal their money wrote laws and propaganda that became the cultural norm in some sad parts of this planet.

Re:unrealistic

[gweihir]

That is nonsense. Nonsense often repeated, but still untrue.

Unfair competition

And this "unfair competition" doctrine is the result of years (decennia!) of neoliberal lobbying. Why should be a government be prohibited to do what's best for its citizens and cater first to corporations which, in return try to avoid taxes as "cleverly" as they can?

I mean: corporations /can/ be the government's allies in fostering the citizen's well-being, but they can be also its enemies. It should be up to the government to decide when and how.

Lobbyists should be scrutinized much more closely. IMO half of them should be in jail, along with the politicians listening to them (the latter are worse).

One forgotten cost -- suppport

[CaptQuark]

One forgotten cost when using open source software is support. Every time an open source project adds or removes features it prompts a surge in support requests from users. Firefox is one example. When Firefox removed support for legacy add-ons everyone wanted to know how to replace their lost functionality. The removal of bookmark descriptions instead of just limiting their size caused another rash of questions. The removal of the Never Check for Updates means that every user is nagged to update to the newest version before it can be tested and rolled out in a controlled manner. Multiply these kind of problems to other OSS products for document processing, PDF, compression, graphic editing, multimedia playback, etc. and the support costs grow greatly.

Another problem with OSS is who do you call for tech support. Most OSS products have limited support for enterprise level problems. Many software packages STILL require a user to run in administrator mode to work properly. Saving user preferences in the Program Files area still happens in some software. Every software package that displays the infamous UAC warning will cause support problems in a managed system. Software packages that use the Windows Temp folder for some intermediate file use will be blocked by some anti-malware software. Who does a company contact to fix these types of problems? To be fair, some of these problems are still present in proprietary software.

Part of the appeal of OSS is the price; however, most people forget that part of the cost of retail software is the built-in cost of maintaining a support center, normally with a 1-800 number for question, or at least a knowledge base system to reduce the cost of support phone calls.

--

Re:One forgotten cost -- suppport

[l0n3s0m3phr34k]

Every new feature must also be evaluated if it makes baseline configuration changes. The software also needs to be able to have granular controls, and allow IT staff to BLOCK any upgrades that aren't vetted and authorized.

At my work, we are having to implement AppLocker and other mitigation because one of our core "business critical" applications needs Admin to run. And this is a paid-for application that has been around for many years, with a very deep support structure; but getting them to be 800-171 compliant has been like pulling teeth. We may have to also VLAN off the users who need PUA for this application, and even then on our next audit we may have several "findings" because of this.

Re:One forgotten cost -- suppport

[serviscope_minor]

most people forget that part of the cost of retail software is the built-in cost of maintaining a support center, normally with a 1-800 number for question,

We're talking about large organisations though. I've never encountered a large organisation that wants you to call some vendor's support. They expect all IT support stuff to be handled through the organisations IT department.

if the reason for NOT

[mapkinase]

is security, then that would be just an example of security hy obscurity.

Re:if the reason for NOT

[drinkypoo]

(1) Offensive cyber weapons. If they are even allowed to exist at all, I don't want my government supplying script kiddies with scary dangerous zero-day exploits.

They shouldn't exist at all. The responsible thing for an agency tasked with securing the nation's communications (like the NSA) to do is to report vulnerabilities to vendors, so that holes can be patched, and the nation's communications can be made more secure. That's literally their first job.

Software used in weapon systems. Why should we make it easier for adversaries to clone our tech? And why should we make it easier for them to come up with countermeasures for those systems?

Agreed.

Some software used in the criminal justice, law enforcement, and federal court system. This is a bit more ambiguous, but it is plausible to me that someone could use that software to either game the court system and make sure their cases only came before judges who would rule more favorably towards them, or could use them to make it more difficult for law enforcement to detect and combat criminal activities.

It sounds like you're advocating security by obscurity...

Yeah but in real life...

[Casandro]

... you have a piece of software that doesn't work. You call in the highly expensive support from the vendor and they won't be able to do much more than shrug at it. It's something I have seen at large companies and very large vendors.

"Free Software" means that you can change the software if you please. That implies that the software is simple enough for you to make meaningful changes to it. The simpler the software the more reliable and secure it usually becomes, that's why when hardening a system you throw out stuff you don't need. If you don't have your own staff understanding vital systems, you have done something severely wrong.

Re:Yeah but in real life...

[Anne+Thwacks]

That implies that the software is simple enough for you to make meaningful changes to it.

I think you missed the point: governments can afford to pay for a team with the necessary skills to maintain the open source software in the manner that most benefits them. However, they only need pay once.

With closed source, they need to pay through the nose possibly repeatedly for different departments, and still don't get what they want.

However, this does require a degree of sanity in government, and I am not holding my breath on that account.

Re:Yeah but in real life...

[markdavis]

>"... you have a piece of software that doesn't work. You call in the highly expensive support from the vendor and they won't be able to do much more than shrug at it. It's something I have seen at large companies and very large vendors.""

THIS

I can attest that "support" by major proprietary software companies is just as hit-or-miss as it is in the FOSS world. There is support that is great, and support that is expensive as hell and yet practically useless. So it is hard to generalize.

One of the best models yet is the RedHat one- which is why they have been so successful. It is FOSS, so MORE THAN ONE ENTITY can actually support it- the main one, additional ones, freelance people, and your own staff. This is almost impossible with proprietary systems. It is like having the best of all worlds- multiple support options, free use options, good free support options, good paid support options, very little "lock-in", less forced upgrades, ability to see code, ability to extend, ability to share.

Re:Yeah but in real life...

[nine-times]

Yeah, small businesses can't afford to support and maintain their own software, but an organization the size of the US government can. They could, at least theoretically, hire a team of programmers to develop and support the software they need. They can fix bugs and develop new features.

And it's true that having software vendor support is overrated. For an awful lot of the problems you'll run into, when you contact support they'll tell you, "Oh, right, there's a bug. The thing you want to do can't be done and the data you've lost is gone forever. Sorry." Having support doesn't mean that everything will work or everything will be fixed. It just means you'll have a specific group to be mad at when things don't work.

Re:Yeah but in real life...

[eddeye]

governments can afford to pay for a team with the necessary skills to maintain the open source software in the manner that most benefits them. However, they only need pay once.

Spoken like someone who's never worked in govt. In reality most govt agencies can't do that, for a variety of reasons:

• Agency budgets fluctuate year to year. Unpredictable funding can doom the project.
• Agencies change leadership quite frequently. Look at the massive changes in policy and priorities at DOE, HHS, State, and other agencies when the Trump administration came in. As political priorities change, support and funding for other projects dries up.
• Turnover. Many govt agencies have significant turnover, as people gain experience and contacts then jump to the private sector.
• Hiring. Govt hiring practices are abysmal. They make it way tougher than necessary with arbitrary restrictions, greatly reducing the pool of candidates. Many good people never both applying for govt jobs, or never figure out the arcane tricks just to get past the HR gatekeepers.
• Expertise. Project management is handled by mid-level bureaucrats with no experience in developing software. They're promoted based on skills at the agency's primary mission.
• Changing requirements. Due to a rotating cast of leaders and managers with constantly changing priorities, projects tend to change requirements frequently and often. Hard for even a good software team to deliver successfully when the metrics for success swing wildly.

In theory, there's no reason an agency can't recognize their own limitations and hire a skilled software manager to run the project. In practice there are tons of barriers to doing that successfully. Successes are rare.

I'm not against open source in government. There should be more of it. But there are practical reasons why open source is difficult for govt agencies. You have to pick and choose the right use cases for it.

Re:sometimes

[mrvan]

I see the same in higher education. There's a number of things we all need (like an electronic learning environment) but we buy it from vendors like Canvas or Blackboard, which is expensive and inflexible. Same for grading systems, scheduling, course guides, human resource, etc.

I think we should have moved to a cooperative structure for these things long ago and all pay into a group that develops the software and then releases it open source. Since this can be decided at the university system level there's less risk of freeriding, and since universities employ a lot of smart people who like tinkering there will be a lot of community contributions.

Open data standards and open APIs

[kosmosik]

No.

Public/government IT systems should use open data standards and open APIs so that data is not tied to one vendors system.

Having that you can use whatever licensed software that does the job and is economically viable.

Re:Open data standards and open APIs

[Anne+Thwacks]

In the "olden days" (when NASA was going to the moon) it was common for engineering procurement to require a "second source" - before aerospace would buy anything, there had to be an alternative source.

If you had an invention, you had to licence it to a competitor, or it would not be bought Typically, government procurement would buy from multiple suppliers, quantities in inverse proportion to price, to ensure that multiple suppliers would always be available.

I am not sure when this practice stopped - but it seems that things are no longer done this way - and as a result, we get Microsoft, Oracle, and Intel (or, to use the technical term: "totally shafted").

If that is not the decline and fall of civilization as we know it, I don't know what is.

Re:Of Course

If you need the source code to find an exploit, just give up, kid. The black hat doesn't fit you.

Re:sometimes

You don't have to trust an open source project, especially not when you have the resources of a national state behind you. It's all out there in the open, you don't have to take anyone's word for anything. All it takes is the actual will to shore things up.

Nobody said you should use any open source project for anything without vetting it. Remember, we're talking about governments here, different ballpark.

Re: Name them, then.

OpenSSL.
node.js last year
PEAR this year

Open Source also has some fairly substantial supply chain security problems. The delivery model, and update cadence can also be pretty terrible.

The requirements of using something at home are vastly different than for the government, and scale becomes an issue. Your either paying a closed source vendor to manage this, or your bloating the size of your IT team and paying for it that way.

Using open source to save money is a myth.

Re:sometimes

[nine-times]

Honestly, I've come to think that's a bit of a cop-out. If the government can't use FOSS, then I think they should fund the software they need, which should then also be open source.

That may sound excessive, but it's an investment. It accomplishes a bunch of stuff. First, over the long term, it does away with licensing costs. It also allows them to access the source code and verify its security, and then make modifications as needed. Also very importantly, it frees them from proprietary interests. They're not beholden to do things the way their vendor wants and serving their vendor's interests.

Also, whatever improvements they make to the FOSS are likely to be needed somewhere else. Improving public software serves the public interest.

The reality is, buying proprietary software may be "efficient" when looking at the short-term immediate cost, but it's much harder to say what will be efficient and cheap when viewed over the next several decades. I suspect that investing in public software now will pay off several times over in the next 50 years, and that's the sort of timeline the government should be considering.

Re:sometimes

[i.r.id10t]

Except Canvas is AGPL licensed.

https://github.com/instructure...

  Sure, you'll loose those nice integrations with Big Blue Button (conferences tool), some of the Speed Grader stuff, the equation editor, the "record from webcam" function in the HTML editor, etc. since those are licensed services or hosted via 3rd party contracts, but you can also replace them yourself.

Strangely, what the college I work for pays for Canvas hosting and support (not a license fee) is about what we paid Angel/Blackboard for license and hosting, but the software is better and our support experience is better AND we get a LOT more resources.

It makes more sense for Goverment

Yes, universities need student worker jobs for experience, research grant funding to try out new ideas in support software, longer term planning which requires investing instead of short term cloud fees.

But governments which exist as a representation of the collective... is deeply aligned with the shared public work that open source is; with the biggest difference being it has an organized management with funding, power and the overhead of safe guards. That power and funding are what brings about most it's political problems... Sadly, the corruption and failing to fight against marketing/lobbying but in the USA, the increasingly anti-social culture is the main reason we do not collectively take on any new pubic works.

Open source projects are so unorganized, volatile, unpredictable it deters adoption and isn't enough to counter the close-minded thinking it is wrong for collective works to replace privatized services.

I do not think a national highway system could be built today. Obvious new public work projects that in the past would have easily been done have had trouble getting serious consideration. Such as, an information super highway... public health insurance, public healthcare, public car insurance, legalized co-operative insurance (illegal in some places...like public ISP are illegal too,) free college (high school wasn't free either until everybody needed it.) public recycling, trash, electricity.... or what everybody would lke: automatic TAX preparation by the IRS... which was proven cheaper but lobbyists killed that off.

I've worked with local governments. They do have plenty of lazy workers. I've worked consulting too; they have just as many lazy workers but those are forced a bit more in my view. It comes down to management in each. The main difference is that the public employees care MORE than the private employee (especially now with the lack of loyalty to workers.) Public workers have at least tiny bit more loyalty to their community/country if not a lot more. Many of the poor ones I run into and explore out of curiosity actually cared too much and the dysfunction of the system crushed their spirit too much. This one is most easy to see in the ones who quit their careers as cops/teachers etc. and the ones who are still plugging along are in the middle ground. If we stopped hating on our public institutions (like Russia wants and has been doing since the cold war... you ignorant Americans haven't got a clue! ) these people would be far more productive and happy.

Open Standards are the most important part.

[biggaijin]

It seriously offends me when I download something from a government Web site and discover that I cannot read it without buying a copy of Microsoft Word or some other proprietary software. It is not my government's job to guarantee Microsoft a market for their products.

Re:sometimes

[DCFusor]

But government is all about the next election, like business is all about the next quarter. Wise investing is ancient history.

Re:All IT systems should be using open source soft

[drinkypoo]

Windows is not open source, but users and developers are cheaper.

You're ignoring the cost of running Windows. Not just the up front costs, but the maintenance costs, and the lost opportunity costs when closed source makes something difficult or impractical.

I'd rather not pay the taxes needed to support all OSS.

OSS supports YOU at the same time you support IT. It's not all outlay, you get the software back, and you get improvements from others.