EU countries pledge to promote OSS within public administrations [pdf] (gouv.fr)
242 points by fermigier on March 19, 2022 | 76 comments



Not only should FOSS be promoted in use (as in PostgreSQL) but also in making (as in a budget execution platform). Anything custom made for the gov MUST BE FOSS as the money is from the people, so the people MUST own it. Vendors should earn on initial development, and eventually on subsequent support/consultation/upgrades if they happen (i.e. work exceeds gov capacity).

Big vendors that now get to do this via tenders do not have the best interest of the government in mind (as it contradicts profits most of the time) and consequently people suffer. Also, there are usually independent levels of government that need to use the same or similar software (now they each order it from independent vendors, so there are multiple platforms doing the same/similar thing, each paid for by tax money). Not to mention that they have access to local production data by necessity.

This could be further organized to include academia, which could use those projects to bring on a new generation of developers, security testers etc. There is really no downside to this, only benefits, along with less Oracle yacht racing.

I congratulate Bulgaria for making those efforts, and it looks like they succeeded: https://futurism.com/bulgaria-amends-law-to-require-open-sou...


I thought this went well with Germany's Corona Warn App [0], which even resulted in a fork of the Android app [1] that has a few more features, but most importantly supports more devices and works with microG instead of Google services.

Now, whether the resulting service and maintenance fees in the millions are fair is another question. But the open source work was great.

[0]: https://github.com/corona-warn-app

[1]: https://codeberg.org/corona-contact-tracing-germany/cwa-andr...


I would like to throw in the often used "Public Money = Public Code". I personally agree with your sentiment but would like to add that an open source, but not open contribution, model similar to SQLite may be a good addition for using OSS at this level.


Open contribution? What is that?

Any MR must pass automatic tests, independent project lead and dev review, have RFC/ADR/discussion etc. Why should it matter who did the code?

Let's take for example how PowerShell is governed on GitHub - what is wrong with that model?


> Why should it matter who did the code?

Largely licensing issues. For example, from SQLite's copyright page [1]:

> In order to keep SQLite in the public domain and ensure that the code does not become contaminated with proprietary or licensed content, the project does not accept patches from people who have not submitted an affidavit dedicating their contribution into the public domain.

[1]: https://sqlite.org/copyright.html#notopencontrib


That's not any different from the many open source projects that require a CLA.

Also, SQLite would have it easier if they had chosen, or written, an actual open source license rather than a public domain dedication considered invalid in many countries; they even sell "yes this was meant to be open source" warranties.


There is an interesting discussion here [1], although this particular project has since modified their stance.

Summary from the thread:

1. Too many small contributions take a toll on core developers

2. Issue of copyright assignment and knowing chain of ownership

3. Social cost when a PR is rejected and the submitter is mad.

1. https://news.ycombinator.com/item?id=25940195


While 1. may be meaningful on mainstream IT FOSS projects, this has probably next to 0 relevance to gov FOSS services. Issue 2 is solved already. Issue 3 also seems irrelevant - I doubt folks other than academics and specific nerds will try to PR on a gov service, given the extensive, hard-to-get domain knowledge that is needed for that in general.


> Open contribution? What is that?

For example SQLite is open source but not open contribution. It would not accept a pull request from someone outside the team.


"Public Money = Public Code"

That's a deepity. It means nothing.



Big fan of the Foundation for Public Code!! They help coordinate FOSS efforts between governments. https://publiccode.net/


Thanks for the endorsement! (I'm a codebase steward at the Foundation for Public Code.)


It would also be a huge incentive for developers to turn to the public sector.


It is also a VERY patriotic thing to do for your country - bring out your best brains and make stuff better for your people, instead of promoting the more insidious forms of patriotism that we can witness today first hand.

I would very much like to see countries on GitHub the way we have organizations now (or GitLab as its core is FOSS).


> Anything custom made for the gov MUST BE FOSS as money is from the people, so people MUST own it.

This should also include the operating systems and associated tools used to run such software. Right now there are countries around the world shoveling loads of money to alternatives because they suddenly realized Kaspersky can't be trusted.


It seems that Bulgaria allows usage of proprietary mainstream tools (such as SQL Server) but doesn't recommend it. Custom made software MUST be FOSS though, which is IMO a good middle ground. Also, that law was adopted 6 years ago. FOSS is stronger than ever now IMO, and there is really no reason nowadays to use proprietary stuff for the majority of things.


There is a problem with this though. FOSS licenses (by OSI standards) demand that you should have the right as a user to redistribute that software and that the license should be non-discriminatory. Now I'm going to go out on a limb and say that, as a government, licensing your custom built missile defence system control software as open source is not a good idea, because you probably want to restrict its distribution for very good reasons. While this is an extreme example, there are lots of other bits of software that you might not want to give away to your geopolitical rivals. So no, OSS has its place in government, but it shouldn't be universal.


Defense is always an exception, even in non-FOSS. This is a very bad example.


No it's a very good example to your argument that "Anything custom made for the gov MUST BE FOSS" precisely because it is an exception, and an obvious and absurd one. That there is such an example makes a mockery of your position. See reductio ad absurdum.


I agree in principle but not everything is useful for the public, and making code FOSS is not just a matter of uploading it somewhere - this requires documentation, regular updates, clear assignation of responsibility, etc. You'd be surprised by how strapped for resources even powerful government bureaucracies can be - committing time to foss-ing is time not spent on operational needs.

So I would argue: open source anything that can be expected to have wider reuse or transparency benefits. But don't just spam any code produced to the public.


How about developing in public? See for example login.gov, the source code is on GitHub and you can see their commits and issue board in real time.


> Anything custom made for the gov MUST BE FOSS as money is from the people, so people MUST own it.

I tend to think the same way/hold the same ideologies, but is this really "true"? Something like, say, a tank is also produced by money from the people, but it's quite a stretch to demand that the people own it. Why is software different?


> Anything custom made for the gov MUST BE FOSS as money is from the people, so people MUST own it.

I like and agree with this, but just out of curiosity, is it more reasonable to attribute the rights for the software only to taxpayers if the rationale is just about where the money comes from?


This sounds good, however, the biggest problem is sustainability of FOSS if there are commercial alternatives. FOSS needs to be simply made competitive and agencies need to get their procurement processes straight. FOSS is already better and cheaper in the long run, but commercial companies will likely win most bids. FOSS is IMHO no value in itself, but it has value if used and supported by govs and it is just procurement that has gone all wrong.

Edit: to explain the value thing: just look at all the crappy FOSS built by many H2020 funded projects (there are exceptions). You can waste money also on building FOSS, particularly if the companies building it see no value in maintaining it and nobody has incentives to jump in.


Vendor sustainability is questionable at best. I hear this most of the time: that those companies will be there in 20 years when the world turns upside down and you can always hunt them for fixes, support etc.

In practice, however, at least in my country, it doesn't happen. Vendors of course gamed the system.


Denmark really needs to step up its game here. We function on a public tender system where behemoth private corporations bid on public sector solutions (like our digital ID system, public childcare app, corona pass, digital post, etc.) None of this code is OSS and the result is very shady behavior from certain giants (I'm looking squarely at you Netcompany) who hold our digital infrastructure hostage.

I've worked directly in this sector as a SWE for a few years now and I can tell you it is rotten. We pay vast quantities in taxes and what we pay to these parasitic corporations out of our taxes is exploitive.

I hope we can turn this ship around but we're so deep in the muck I don't know how we can extricate ourselves without getting pulled down in the consequent riptide.


I advocate Citizen Owned Software. Taxpayers must own all the software (and stack) that they fund (pay) to develop.

Back when I wrote software for hospitals, we had to put our entire stack into an escrow. So that if we disappeared, or the relationship ended for whatever reason, our clients weren't left high and dry.

Software and stack in escrow should be the norm.

Further, that software should be FOSS.

I'm totally fine with orgs (govt, NGOs, not-for-profits) buying COTS. Provided that any and all customizations are citizen-owned.


From the declaration:

The European Ministers responsible for public administration, public transformation and the civil service, with the support of the European Commission, declare their intention: […]

To promote open source software within public administrations and their sharing, by:

- Recognising the major role played by secure open source solutions in the transformation of public administrations, which allow for the pooling of investments among multiple organisations, offer transparency and interoperability by default and guarantee control over the technologies used as well as greater technological independence;

- Leveraging open source solutions to strengthen collaboration between public administrations, by promoting the sharing of such solutions created or used by administrations within the European Union;

- Promoting a fair redistribution of the value created by open source solutions, especially for those who produce and share open source code.


Sounds very wishy-washy. The action verbs here are "recognize the [...] role played", "promoting the sharing of [...] solutions created/used", "promoting a fair redistribution of the value created [...]".

This stuff is so vague that I have zero idea what it's supposed to mean in practice.

The language also seems to be quite deliberately referring to stuff that's already there, and definitely not saying anything like putting more of it into place or systematically favouring open source over closed source or anything like that.

Typical Brussels hot air.


The EU commission already sponsors FOSS software, directly and indirectly ( bug bounty programs), so it's really not hot air. Also some EU countries, like France, open source a lot of their code ( e.g. the French government SSO is on GitHub).

The language is vague because it's a generic policy to follow, not "Portugal will replace all MS Office with LibreOffice". That's how policies work, they're generic guidelines to follow.


I don't know any large successful project that is sponsored. Probably some boondoggles run by friends and family that go nowhere.

Suspect projects include GAIA X (https://en.wikipedia.org/wiki/GAIA-X#Controversies). It will probably have the same success as the NHS software fiasco, which wasted £10bn:

https://www.theguardian.com/society/2013/sep/18/nhs-records-...


VLC and 7zip are among the projects sponsored, so you're just spouting nonsense which you could have easily verified.

And again, various EU countries open source software they've created, or data they have for that matter ( open data). Your contemptuous pessimism is fully unwarranted.


While 7zip is useful, VLC is only useful for movies. What is really important is whether the OS and the office system are open source.


When software is developed in house in public administration, then open sourcing it, in my mind, is kind of a no brainer, because it was financed with the taxpayer's money. If they keep it as a "trade secret" it most surely won't maximize value creation throughout society. They're probably not going to spin it out into a government-owned for-profit entity that competes in the market. (Might be interesting if it generates a lot of profit that relieves our tax burdens, but it really doesn't sit right. There are probably laws against that sort of thing. Also: Free markets). So that really only leaves open source / open data as the only viable path.

The real question is: What sort of circumstances drive a government to develop something "in house" that they'll later open source, or adopt an open source solution, when that competes with giving the government contract to your industry cronies.

It would be real nice, if we could get a clear policy framework that basically just says: Whenever open source is an option, the government must go with open source. But we are far away from anyone in power clearly calling for that.

And we've seen some real setbacks where that is concerned: For example the city administration of the city of Munich had that policy in the late 00s / early 10s, to the point where they had migrated 15000 workstations to Linux in 2013, shaving €10M/yr off the Microsoft tax.

All it took was some government officials getting frustrated over a glitch in the e-mail server once in 2017 and compatibility issues about MS Office vs OpenOffice and they reversed course and decided to migrate everything back to Windows by the end of 2020. (It definitely had nothing to do with Microsoft moving their German headquarters to Munich in 2016, if you're naive enough to believe that). -- Don't know the extent to which that actually happened.

As I'm researching this right now on Wikipedia [2], I'm seeing that apparently the new government decided to reverse course back to open source in 2020. -- Don't know the extent to which they've actually finished/begun anything here.

I've also dug into European funding schemes that maintainers of open source projects can tap into for their own living expenses in recognition of their contribution to open source. -- That is incredibly thin. You'd have to be a maintainer of a superstar open source project if you want even the minutest chance at a one-off stipend of up to €50k.

Compare that to how science funding works: I travel extensively in circles of people who do EU-funded science projects and many of them will readily admit that they are downright embarrassed by how little value they create in return for that funding that they get from the EU. These science projects quickly run into the millions, even when they are quite small projects, and the total budget at the government level is quite considerable. When compared to that, the money that they sometimes throw at open source seems like a symbolic amount at best.

[1] https://en.wikipedia.org/wiki/LiMux

[2] https://de.wikipedia.org/wiki/LiMux


I don't know about this significance of something like this, but I wouldn't dismiss it out of hand. I know in Denmark, academics have fought to convince regional administrations to contract companies to build open source software, but the companies push back and try to convince the govt to buy closed source instead. That sounds like pressure from above could matter. Of course not clear if pledge will create such pressure.


I think the impact of OSS is much smaller now that most people use their devices as web browsers to interact with cloud applications. It's still important, but just a small part of the puzzle, rather than a game changer like it was before in the times of doing most activities through desktop applications.


Quite the contrary. The browsers people use are largely based upon open source engines. The cloud applications people used are built upon ecosystems of highly successful open source projects. Basically every major web development framework is open source.

The role of open source has shifted, but it's more important than ever.


That's why you start hearing FLOSS talk from governments: these days FLOSS does not mean FLOSS but being able to grab free code to serve jails to end users... The proprietary development model is not sustainable anymore, and IT giants have found the way to sell mainframe-like systems where the users just get dumb terminals, so they push FLOSS.

Today we not only need mandatory FLOSS in the public administration: we need public IT development that pushes back the classic desktop model against the worse-than-classic-mainframes cloud model, starting by forbidding certain web services for the public administration and reaching the point of forbidding the modern web as a whole.


All the core software and much of the tooling running cloud infrastructure is OSS. The browsers are OSS. The allowable space for proprietary software has shrunk significantly.


> The allowable space for proprietary software has shrunk significantly.

Not really. It has just shifted.

All the proprietary software we use today is through various SaaS offerings. And that these are built on an OSS base and freeload off all the work and effort invested by volunteers into OSS software components is not something that you as a user get to benefit from.

While not illegal or a license-violation in itself, it does strike me as somewhat immoral.


I just started working for a small SaaS company that uses open source extensively, and I'm of two minds about this. On the one hand I agree that we are "standing on the shoulders of giants" or perhaps "freeloading" by using this software to support a proprietary solution. On the other, this is far from glamorous SV software development - it's run on a little more than a shoestring and the product is fairly small and reasonably priced, so in a sense, we're using open source to serve customers very productively by focusing only on a narrow solution for them.


That is the exact problem that the AGPL solves.


Some of the OSS projects originated from and are entirely maintained by commercial entities.


This is exactly one of the things the FSF tried [1] for more than a decade at least. It is very good to promote free and open source software in the public sector, but it seems that legislators are again late on the issue (and incidentally that Stallman was again early).

[1] https://www.gnu.org/philosophy/who-does-that-server-really-s...


We wouldn't have cloud applications without open source software: FOSS software underpins everything and the reason for its success is that there is no fee, it's just free and easy to use. It's as if sugar and flour was free for the food industry.


Actually the EU should build common administration platforms for all members of EU. There is no reason that each individual country is building its own e-government platforms. If they are OSS a plus


Well, they should but apparently these things take time. The level of incompetence in the public sector here in Bulgaria is so obviously mind blowing, it can only mean one thing - corruption.

E-government services speed things up and reduce opportunities for taking bribes. Of course the mob that ran the country since 2009 fought progress on every step.


How can we protect against people like RIAEvangelist and the whole node-ipc fiasco who undermine the whole point of OSS? Imagine if a public admin app uses some library written by a lunatic? The whole government system can be the target of such a terrorist attack.


By having reputable sources. And most likely having people reviewing upgrades, what you're installing and what the build code is doing (and running it in a sandbox). This role is usually taken by the distribution's packagers. As some kind of users' cooperative, distributions have very distinct incentives from software vendors. This separation has been eroded with the advent of self-publishing "app stores" (like the commercial ones, but also npm, PyPI, crates.io etc., and Flathub or Snapcraft). See [1] and [2] from DeVault on this topic. This topic has been solved, it just needs manpower. And just because major distributions have some perceived bureaucratic overhead doesn't mean it's an intrinsic characteristic. Official repos on Arch, Alpine and probably tons of other distributions are actually updated really quickly and really simply (and still sometimes have patches applied to them, or support files, etc.).

[1] https://drewdevault.com/2019/12/09/Developers-shouldnt-distr...

[2] https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

PS: These aren't "terrorist attacks". It's quite emotional, judgmental and not very precise nor meaningful. Some random dude pushed malware in a supply-chain attack. From wikipedia on terrorism:

> Having the connotation of "something morally wrong", the term "terrorism" is often used to abuse or denounce opposite parties, either governments or non-state groups.

> It is common for both parties in a conflict to describe each other as terrorists.


Well, to me it was clearly an attempt to wage war against civilians, so the definition should apply. What if that malware ended up in a Russian hospital which treated sick children?


Proprietary software is very likely to rely on the same open source dependencies, also using npm, PyPI, etc., with the same baked-in assumptions that allow for that type of supply chain attack.

Just saying that it's a systemic problem in the way we use, manage, and consider 3rd party dependencies. And the risk already exists right now, without administrations promoting open source software.

(I don’t know how to protect against it at scale)
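As an added example (not code from this thread, nor from node-ipc, npm or any project mentioned in it), the script below shows what "reviewing upgrades and what you're installing" from the earlier reply and the "3rd party dependency" concern above look like in practice for an npm-style lockfile. It diffs two package-lock.json style documents and flags new packages, major version bumps, entries with no integrity hash, and entries whose version is unchanged but whose integrity hash differs (the artifact changed without a version change); it also lists install-time lifecycle scripts declared in a package.json, since those run arbitrary code at install time. The lockfiles, package names, versions and hashes are constructed for the example and are not real packages.

```python
"""Review a lockfile upgrade before applying it (constructed example)."""
from dataclasses import dataclass, field

# npm lifecycle scripts that execute during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed lockfiles in the lockfileVersion 2/3 "packages" shape.
# Names, versions and integrity values are invented for this example.
OLD_LOCK = {
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/acme-utils": {"version": "4.1.0", "integrity": "sha512-CONSTRUCTED-A1"},
        "node_modules/acme-ipc": {"version": "9.1.1", "integrity": "sha512-CONSTRUCTED-B1"},
        "node_modules/acme-helper": {"version": "1.0.0", "integrity": "sha512-CONSTRUCTED-C1"},
        "node_modules/acme-old": {"version": "1.0.0", "integrity": "sha512-CONSTRUCTED-D1"},
    }
}
NEW_LOCK = {
    "packages": {
        "": {"name": "example-app", "version": "1.0.1"},
        "node_modules/acme-utils": {"version": "4.1.0", "integrity": "sha512-CONSTRUCTED-A1"},
        "node_modules/acme-ipc": {"version": "10.0.0", "integrity": "sha512-CONSTRUCTED-B2"},
        "node_modules/acme-helper": {"version": "1.0.0", "integrity": "sha512-CONSTRUCTED-C9"},
        "node_modules/acme-new": {"version": "0.1.0"},  # no integrity field
    }
}
# Constructed package.json for one dependency with an install-time hook.
SAMPLE_PACKAGE_JSON = {
    "name": "acme-new",
    "version": "0.1.0",
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
}


@dataclass
class LockReview:
    added: dict = field(default_factory=dict)      # name -> new version
    removed: dict = field(default_factory=dict)    # name -> old version
    changed: dict = field(default_factory=dict)    # name -> (old, new)
    major_bumps: list = field(default_factory=list)
    missing_integrity: list = field(default_factory=list)
    integrity_changed_same_version: list = field(default_factory=list)


def _packages(lock):
    """Map package name -> entry, skipping the root project entry ('')."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        out[path.split("node_modules/")[-1]] = entry
    return out


def _major(version):
    """Major component of a plain semver string such as '10.0.0'."""
    return int(version.lstrip("^~v").split(".")[0])


def review_lock(old_lock, new_lock):
    """Compare two lockfiles and collect everything a reviewer should look at."""
    old, new = _packages(old_lock), _packages(new_lock)
    r = LockReview()
    for name, entry in new.items():
        if "integrity" not in entry:
            r.missing_integrity.append(name)
        if name not in old:
            r.added[name] = entry["version"]
            continue
        old_v, new_v = old[name]["version"], entry["version"]
        if old_v != new_v:
            r.changed[name] = (old_v, new_v)
            if _major(old_v) != _major(new_v):
                r.major_bumps.append(name)
        elif old[name].get("integrity") != entry.get("integrity"):
            # Same version, different content: the published artifact changed.
            r.integrity_changed_same_version.append(name)
    for name, entry in old.items():
        if name not in new:
            r.removed[name] = entry["version"]
    return r


def install_hooks(package_json):
    """Return the lifecycle scripts that would run during install."""
    scripts = package_json.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


if __name__ == "__main__":
    review = review_lock(OLD_LOCK, NEW_LOCK)
    print("added:", review.added)
    print("removed:", review.removed)
    print("changed:", review.changed)
    print("major bumps:", review.major_bumps)
    print("missing integrity:", review.missing_integrity)
    print("same version, new hash:", review.integrity_changed_same_version)
    print("install hooks in acme-new:", install_hooks(SAMPLE_PACKAGE_JSON))
```

Each flagged item is a prompt for a human to read the diff of that package (or to run it in a sandbox, as the reply above suggests) rather than a verdict; a major bump or a same-version hash change is not malicious by itself, but it is exactly where an unreviewed upgrade pulls in code nobody looked at.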


I had to look up what RIAEvangelist was, but now I've done so, I'm not sure why we need protected from it:

https://github.com/RIAEvangelist/peacenotwar

Seems like it's promoting good software security practices?


At one point node-ipc deleted all files on the filesystem if the user had a Russian/Belarusian IP, they have since made it non-destructive (just adding a file to the desktop).


Nothing on the GitHub repo suggests this is true, can you link to a reliable source for this info?



3 areas I want OSS to have REAL government backing:

- Libre / Open Office because open document standards aid collaboration and reverse compatibility.

- Video / audio conferencing because security and the network effect there are so important.

- Operating system, because if you make the leap to an open source OS then all the incentives align to promote usage of open source software for everything by default.


30 years out it will be probably viewed as 'absurd' that anybody would ever operate a democracy on proprietary software.


Sometimes I think about governments paying for proprietary software. I wonder why not FLOSS? The answer I estimate: "There's no FLOSS replacement". Then I think: "Why not pay for the development of a replacement?", and the answer I estimate: "Because it would be even more expensive than using proprietary software." Which takes me to the next question: "Why don't many governments unite to pay for FLOSS development?"

For the last question I never got a reasonable answer. Probably the answer is just lack of coordination. If FLOSS became a needed thing in even a small group of governments, I'm sure dependency on proprietary software in the public sector would diminish, and that is a very good thing.


Governments are terrible at scope and requirements. Bring 10 local governments together to run development of a new FOSS software thingy and you'll get something that none of the 10 would ever use in practice, if it ever gets finished at all.


Imagine a few governments donating some million dollars for LibreOffice every year for a decade. Wouldn't it make a difference?


Probably. But I don’t see how that could happen regarding accountability. “Why is our municipality donating hundreds of thousands to something that is free whilst increasing ticket prices for the swimming pool?”

At least with the idea of combining the funding of municipalities to build something together as FOSS, they’re not paying for something that already exists


My one experience with a FOSS consortium was terrible.

I got hired by a uni explicitly to work on FOSS. The project was Kuali Student. I didn't care about the stack, the language, or methodologies. I only cared about FOSS and governance. I wanted to learn how these orgs work.

Amongst many, many other problems, Kuali is the living manifestation of Bryan Cantrill's wisdom about why OpenSolaris failed: although our team had the right to fork, we didn't have the power. So we couldn't ever fix stuff, nor feed patches upstream. We were reduced to mitigations and workarounds. For years.

I fear that humans don't (yet) have the governance technology to make FOSS consortiums viable.

If anyone has success stories, please please share.


There are many FLOSS projects with contributions from many different players from the 'industry'. From the top of my head a few complex ones: linux, gcc, llvm and apache.


What governance models do they use? Any run as a consortium? Any orgs suitable for otherwise unrelated govts and agencies (local, county, state, fed)?

I'm most familiar with Apache. While some individual projects do well, most do not. Any ideas what accounts for the different outcomes? Has anyone since adopted Apache's structure and governance?

(I should probably read up about the orgs behind gcc and llvm. Clearly, llvm is doing something right.)


Can you expand on how you were blocked? Not allowed to send patches and PRs? Because your work was copyrighted by your university?


Initially, no one considered the possibility. The necessary infrastructure was never built out. The owners of the repos became gatekeepers. So I'd create patches and then spin my wheels trying to get them submitted, reviewed, triaged, merged, released, etc.

Consequently, a problem anyone who maintains a fork is familiar with: keeping my patches up to date as upstream dropped new releases became ever more work.

Ever hear of Pieter Hintjens, of ZeroMQ fame? I've since read most all of his (public) writings. https://en.wikipedia.org/wiki/Pieter_Hintjens His books are very good.

Hintjens advocates the very open, generous policy of accepting and merging patches by default. Then do the hard work of review and finesse.

I'd love to find and talk to maintainers who have experience with Hintjens' strategies. How does it work IRL? Of course ZeroMQ is a huge success. Is that success reproducible?

Thanks for the followup question. I'd love to brainstorm with others about the practical challenges of FOSS orgs, maintenance, and so forth.


This is a typical EU declaration. Many bureaucrats with their snouts in the trough in Brussels work out some whitepaper to get billable hours. The city of Munich tried to use Linux until Ballmer et al. visited and they backed off.

The EU is a racket for government officials. Most countries are worse off than before, wages go down and the middle/working class is poor. Government buildings look like palaces next to decaying houses of private "citizens" who cannot afford to maintain them (if they can buy a house at all in the first place).


Honestly closer to the truth than is comfortable, even improvements to public utilities are routed through private companies with such vague contractual agreements that the primary losers are the supposed beneficiaries?!

Have seen this up close in Denmark but the tales from the rest of the block speak for themselves.


Most of the software that I have seen implemented in government organizations is COTS (commercial off the shelf) software. Governments prefer it because they can usually get multiple vendors to bid on it and can also get an SLA. A big problem with implementing custom software is that maintenance of that software would only be done by the organization that wrote it.


Meanwhile, in real life in Spain:

https://www.euribor.com.es/2019/05/21/el-congreso-se-gasta-5...

(500.000 EUR for iPad Pros for the members of parliament)…

How do you mix that with open source software?


Let's suppose you work in government and want to build a business case for using and contributing to FLOSS.

Ideological arguments will only go so far; the priority is to cut costs, make do with limited resources (staff) and ensure systems are reliable and flexible.

What do you do? Are there any tried-and-tested approaches? Asking for a friend. ;-)


What does the supply chain security for open source software look like? I would expect more attempts to compromise open source projects.


OT, but who thought this "declaration style" is a good idea for larger texts? To me it seems extremely hard to read, and makes it almost impenetrable. By putting the verb in the gerund and hiding the subject of every sentence somewhere 2 pages above, this is very effective in obfuscating who wants to do what. Clearly no normal citizen could read this.


FOSS alone is not enough anymore; we need FOSS that is lean, simple from all perspectives (but able to do a good enough job), and stable over time.

For instance, noscript/basic (X)HTML browsers are more than enough for citizen access to administration sites (namely, a Google (Blink)/Mozilla (Gecko)/Apple (WebKit) engine should not be mandatory).


Only marketing yadda yadda.



