Matt Asay wrote a very compelling blog last week regarding open source use in the Federal Government. From my standpoint, the content of the blog served as much more than a topic of discussion; it was a call to action for the open source community.
I haven't decided whether the "open source phenomenon" has moved into "be careful what you wish for" territory just yet, but surely its popularity and increasing acceptance among the enterprise set present some large challenges not yet addressed by the open source community. Government use of open source is a whole 'nother ball game. While I strongly believe that it's a good thing, it also asks the open source community to show what they are made of and to prove the stability and security (by government standards, no less) of their projects.
The government has been a big open source supporter for many years. They are a huge proponent of its efficiency, malleability and cost-effective nature. However, as Asay points out, there are much more stringent guidelines for procurement when dealing with the government than there are in the civilian world. They have begun to see OSS procurement for what it is: a new, completely informal (ad hoc, if you will) web of developers who assume the role of "procurement officers" by the nature of their development processes. By folding open source code into their applications, and ultimately into the code base, developers are, for all intents and purposes, "procuring" open source on behalf of their organizations.
Why does this matter? Failing to monitor, understand and effectively manage this process, which may be replicated hundreds of times over depending on the size and geographic dispersion of the development teams, introduces not only intellectual property risks (license ambiguities and use/distribution restrictions) but also vulnerabilities that would be unacceptable if found in any commercial software brought into a government organization.
It is part and parcel of normal business process for a commercial software vendor to go through a formal vetting process before any implementation can take place. Why, then, would it be acceptable for open source vendors, and/or open source code, to pass into mission-critical applications without this same consideration? Undocumented code accounts for a significant share of serious security issues in all types of businesses. With the state of the Nation in its hands, the government can hardly afford infiltration and malicious intent.
The bottom line is that the new "informal" open source procurement process must be documented, especially in the government sector. It must be managed in a non-intrusive and non-restrictive manner in order to make the most of its value while ensuring its integrity and security.
--Melisa LaBancz-Bleasdale
