How to be smart about open source

 


Experts offer five strategies for choosing, contracting for and contributing to open-source software projects.

Open source is everywhere in government, but many agencies still struggle with the specifics of choosing, contracting for and contributing to open-source software projects. GCN spoke with open-source advocates in government and industry, and came away with five fundamental lessons.

1. Be clear about your end goal

MORE INFO

NASA’s systems for sharing code

A federated code-sharing system integrates disparate code repositories, and a search function shows what software is available inside of NASA, no matter where it’s physically housed.

“The most important thing when selecting a [free and open-source] project is picking one that aligns with your business goals,” said Marc Jones, an attorney and longtime systems architect in state government. “You do not want to pick a project and then realize you now need to invest a lot of effort into modifications to meet your needs. In that respect, it is very similar to acquiring proprietary software.”

Tom Cochran, chief digital strategist and vice president for public sector at Acquia, agreed. “It would be myopic for any organization to say, ‘We’re going to default to open source for everything,’” said Cochran, who previously worked at the State Department and the White House. “Open source should be considered as part of the suite of possible solutions.... It really needs to be done on a case-by-case basis.”

CivicActions CEO Henry Poole, however, argued that open source can and should be an end goal for government. “Public funds are paying for the public good,” he said. “Having that code be publicly available, in my opinion, is the right thing to do, just from the point of view of the taxpayer.... You really want to move your acquisition strategy to paying for new technology, not paying for something that already exists.”

“At the White House, we actually did plant a flag in the ground saying, ‘It had to be open source,’” Cochran said. “Some of that was in reaction to such poor closed-source systems that we had that we didn’t want to be boxed into yet another sort of bad procurement.”

Avoiding vendor lock-in is a good reason to seriously consider open source, he added. “There’s a massive number of small and midsize companies that can do this. And if you don’t like the work or support you’re getting, you don’t have to re-platform.”

Everyone interviewed for this article agreed, however: Each open-source solution should be viewed as a potential tool, but the agency mission must drive the decision about which tool to choose.

2. Know what a healthy open-source project looks like

First make sure the software in question “is actually a free and open-source project and that all of the features you want to use are also free and open source,” said Jones, who now works at CivicActions. Especially in niche markets, companies will offer “what is known as ‘open core,’ where the base features are FOSS, but the valuable stuff that sets them apart in the market is proprietary.”

Even worse, some allegedly open-source projects carry restrictive proprietary licenses. “They simply mean that you can view the source code,” he said.

Once potential open-source solutions have been identified, ProudCity CEO Luke Fretwell said his firm offers a short checklist to gauge viability.

First, he asked, “are there maintainers who are true leaders in the community?” Brian Behlendorf and Matt Mullenweg, for example, are the highly collaborative faces of the Apache web server and WordPress, respectively. “That’s one litmus test because they are banking their personas and careers on those projects.”

Second, Fretwell asked, “is there a sustainable business that is basing its primary business model off of this product? If there is, that’s another check.”

Third is use. The “consumption side” is important — a broad user base means there’s demand for continued development — but what he looks for is the number of contributing software developers, both individuals and businesses.

Fretwell also said he checks to see whether the open-source project has “the standard aspects of any sort of industry. Does it have annual events or local communities that are engaging? Are those active?”

Poole echoed those points and stressed the need to “analyze the ecosystem around the code.”

For the web efforts for former President Barack Obama’s White House, Cochran said, Drupal was picked “largely because of the community. The bigger the support community is, that’s how you’re magnifying and amplifying your own engineering team.”

3. Pick your vendors wisely

“The first and most important thing is to have someone on staff who knows what they’re doing and what they’re talking about,” Cochran said. It’s even more important to have someone “who knows what they don’t know.”

“Honestly, it just comes down to relationships and finding the right people who can help you navigate whichever community it is you’re trying to get into,” he added.

Fretwell said a contractor’s qualifications boil down to two things: “Show me your code, [and then] how involved are you with the community?”

Any organization serious about its open-source contributions will have an active GitHub presence where that work can be examined, he added. And a firm whose employees are maintaining components of an open-source project, speaking at conferences and engaging with other contributors will have the expertise and connections to deliver for an agency.

“There’s no barrier to entry” in open source, Fretwell said. “It’s all passion and effort. So if you’re assessing a company...that’s a litmus test: How engaged are companies’ leadership and employees with those communities?”

Jones seconded the emphasis on active contributors, and he suggested looking for vendors “whose default is to mainstream the customizations” back into the open-source project — whether in the main codebase or via plugins or a FOSS fork. Those firms “are going to be focused on selling you the new code they have to write to meet your specific needs and not trying to profit off of selling code they already wrote.”

4. Embrace the collaboration

Government agencies, of course, can be creators as well as consumers. At the federal level, the Office of Management and Budget launched a pilot program last year that requires agencies to release at least 20 percent of their custom-developed code as open-source software, and some agencies have hundreds of developers scattered among their ranks. Successfully sharing, however, requires both policy and infrastructure.

NASA, for example, has developed a suite of systems to inventory the code being created and encourage collaboration across the agency’s many components (see “NASA’s systems for sharing code”). The Defense Department has long relied on Forge.mil, and in March, the Defense Digital Service unveiled an initiative dubbed Code.mil to address the licensing challenges that can complicate DOD code development.

Yet even an agency with no in-house developers can contribute to an open-source project, Jones said — and benefit from doing so.

“The simplest way is to hire contractors to make modifications to the [free and open-source software] you are using and require by contract that they publish the changes as FOSS and try to get it upstreamed,” he said.

Getting those changes incorporated into the core codebase “will help you avoid lock-in, and you get a free third-party assessment of the work quality,” Jones said. “If your contractor gets the changes upstream, then you know at least one expert liked what they did.”

Agencies that have in-house developer talent should encourage active involvement, Poole said — not only because it strengthens the code, but also because it can help with staff development and retention.

“If you have a piece of free and open-source software and you can contribute back to it, I think there’s no reason not to do that,” he said, although it’s important to recognize “there is a learning curve. You can make changes that are very hard to maintain and not know it. There are coding standards and practices that are specific to particular technologies and communities. It can take some back-and-forth to learn those.”

Ultimately, though, agencies “should just do it,” Jones said. “You really have to think about free software in the same ways that we think about professional development and sharing best practices in other areas.”

For example, “when your job is to figure out rural development, you don’t figure out how to do rural development and then keep it secret from other agencies that are doing rural development,” he said. “When your colleagues ask you for checklists and best practices, you share them. And it’s the same thing in IT.” 

5. Be prepared to bust myths

Greg Elin is CEO of GovReady, a startup company that is working to make cybersecurity compliance less painful. As the Federal Communications Commission’s chief data officer, however, he “was a govvie who wanted to use open-source tools” — and he found himself in an uphill battle.

“I went into government in 2010,” he said. “In the first couple of years, there was a lot of resistance.”

Much of that resistance centered on security. “Maintaining security compliance on a project built with open source is not harder than it is with proprietary software components,” he said. But with commercial software, “people feel that they have someone identified as accountable. And they’re unsure who’s accountable when it comes to open source.”

In truth, Elin said, proprietary software licenses explicitly state that the vendors “are never accountable and will pay no penalties for anything that goes wrong with their software.” He stressed that it’s the agency’s responsibility to make sure someone is monitoring security announcements and making the necessary updates.

“It’s really not about proprietary versus open source,” he said. “It’s about whether or not the organization is making leadership decisions about how they’re managing risk, communicating those decisions and having the resources to adequately pursue those goals.”

Similarly, acquisition officers can complicate efforts because “it’s very difficult for people who don’t know open source to wrap their head around how to procure something that doesn’t cost anything,” Cochran said.

Jones agreed. “Too often, especially in government agencies…they confuse procurement and purchasing,” he said. “The procurement process really has to start before you decide to spend money and say, ‘Hey, how do we want to acquire this? Is there something out there we can build on? In which case, we should go out to bid for the customization services. Or not bid at all because it already does what we need.’”

More broadly, Jones said, one of the biggest myths about open source is “that it’s a purely charitable activity where it’s going to cost you to do it.”

“Most of the costs that people mention are costs they’re already incurring,” he said, even if agency leaders don’t recognize it. “The IT folks are already bringing free software into your shop. Your IT staff is already writing software — even if they’re not software developers — that is useful not just for them but for other people.”

Furthermore, Jones said, “if they were to share that and get feedback from other IT people, it would make them better at their jobs.”
