More federal open source appreciated, if it behaves

The tech industry welcomes more open-source software in the federal government, but with a few caveats.


Technology companies have welcomed the White House's recently unveiled policy that seeks to make software code used by federal agencies more open, sharable and reusable, but they're concerned about a few details.

Federal CIO Tony Scott announced a draft Federal Source Code policy on March 10 that would create a new set of rules for custom code developed by or for the federal government. The proposal is now open for comment on GitHub.

"Over the last two decades, we've seen open source bring more choice and flexibility to government IT," Gunnar Hellekson, director of product management at Red Hat, told FCW. "Many of the government's most innovative IT initiatives are built with open source. More open source is always a good thing."

The policy requires that custom code developed and paid for by the federal government be made available for reuse across federal agencies. Additionally, it would require a portion of that new custom code to be released to the public as open-source software.

"But not all open source is created equal," Hellekson said. "There's a significant difference between upstream or 'free' open-source software and what you'd consider 'enterprise-grade' or appropriate for government adoption in support of mission-critical systems."

Agencies must understand the difference because they might not have the resources to release the code or enough muscle to participate in the communities that support its development, he added.

Trey Hodgkins, senior vice president of the Information Technology Industry Council's IT Alliance for Public Sector, made a similar distinction.

"The dynamic has to be understood" as federal agencies move toward using more open-source code, he told FCW, adding that "it doesn't mean software is going to be free" for federal agencies. "It has to be licensed and managed."

He said ITI is talking to White House officials about making sure the policy remains technology-neutral and that business models for companies aren't endangered.

Some commenters on GitHub were also concerned about how open-source code would be maintained in the future.

Dave Taht, co-founder of the Bufferbloat Project and guest researcher at Karlstad University who posts on GitHub as "dtaht," said making sure code is properly maintained and regularly updated is important in a world where bugs can be exploited worldwide in a matter of hours.

He attached a letter he and Internet pioneer and Google Vice President Vint Cerf sent to the Federal Communications Commission in October 2015. Signed by 260 cybersecurity and network experts, the letter asks the FCC to develop a new approach to improve Wi-Fi router security and manage open-source technology.

The letter recommends that the new approach mandate that, to maintain FCC compliance, vendors of software-defined, wireless or Wi-Fi radios must make public the full and maintained source code for device drivers and firmware. In addition, the source code should be kept in a buildable, change-controlled repository on the Internet, available for review and improvement by all.