Formal Comments from the Department of Homeland Security Chief Information Officer #222

Closed
lukemccormack opened this Issue Apr 18, 2016 · 5 comments


lukemccormack commented Apr 18, 2016

Note: DHS previously submitted comments (#152) which reflect a variety of individual positions across DHS components. The comments below reflect the DHS Office of the Chief Information Officer’s formal position. Prior comments do not represent DHS policy or views.

The Department of Homeland Security (DHS) strongly supports the proposed Federal Source Code Policy. We believe moving towards Government-wide reuse of custom-developed code and releasing Federally-funded custom code as open source software has significant financial, technical, and cybersecurity benefits and will better enable DHS to meet our mission of securing the nation from the many threats we face.

We support sections 1-4 (Objectives; Scope and Applicability; Software Procurement Considerations; and Government-wide Code Reuse) and section 6 (Implementation) without revisions. While we agree with the exception for National Security Systems, we do not expect to use this as a blanket exception and will evaluate each system on a case-by-case basis to identify components where the Government or public would benefit from their release as Open Source Software (OSS).

With regards to section 5 (Federally Funded Code as OSS), we applaud the objectives but suggest alternatives to the implementation. We worry that the requirement of releasing 20% of custom code will encourage releasing code without thinking thoughtfully about how the government and community can get the most value from it. We appreciate that the policy makes several references to these objectives, but these considerations could be overcome by the requirement for code release. The private sector has rejected looking at lines of code as a metric for engineering productivity, and we do not believe it is the most appropriate metric here either.

Instead, we suggest a requirement that significant portions of at least 20% of systems in an agency must be released as OSS, with encouragement that agencies refactor code into reusable modules before release, or develop with this approach in mind. This will increase the likelihood of substantial community use and improvement to released code.

When managed appropriately, releasing code as OSS and engaging with the community can have extensive cybersecurity benefits. Security through obscurity is not true security: we cannot depend on vulnerabilities not being exploited just because they have not been discovered yet. There are many examples of widely-used pieces of software that benefit greatly from constant and vigorous community reviews and contributions to find bugs, and thus making them more secure. We look forward to government systems joining them.

However, agencies should thoughtfully consider what components and libraries they release, and build active communities around their projects to ensure these benefits are realized. Without proper management and feedback from these communities, we believe the value of OSS is significantly diminished. As such, the policy should consider making recommendations in this area.

DHS looks forward to implementing this policy towards improving the way custom-developed Government code is acquired and distributed in the future. Participation in the open source community will further strengthen our systems and help fulfill the mission of the Department. Likewise, we believe in the potential of this policy to incentivize innovation and enable a new generation of companies to do business with the Government.

Luke J. McCormack
Chief Information Officer
Department of Homeland Security


johnnewton commented Apr 18, 2016

Thanks. This is far more promising than 152. As you mention, the number 20% is a bit arbitrary and does not reflect whether code is ready for release. However, rather than refactor code, it might be worth considering which code might ultimately be released OSS and build it up front to be OSS. This will get developers thinking upfront about the architecture of the code and avoid OSS being an afterthought. It is likely to have a positive motivational influence on the developers as well knowing that their work will be recognized, even if it has to be recognized anonymously.

In addition, please see issue 221 where I propose that types of code be considered based upon their potential reusability. Some types, such as infrastructure, lend themselves to OSS more than others. I think that may address some of the concerns that you lay out above.


inetbiz commented Apr 18, 2016

@lukemccormack Their contributions would not be anonymous if you are using GitHub. Their code commits in your team carry over in pull requests. You can also create a markdown page with a list of contributors.

Some agency within government that creates ad media buy should begin a campaign now of signing up Americans to contribute. Not just source code. Why not software documentation, design, et al. ;-)


johnnewton commented Apr 18, 2016

@inetbiz I am assuming that even though a developer contributes through GitHub, that does not guarantee that their identity is known. They can still be anonymous if they need or want to be.

Unless it is policy that everyone contributing to federal open source code must be identified. Doesn't really sound like open source, but I know there has been discussion that those contributing to the code must be a US citizen or US person.


lukemccormack commented Apr 18, 2016

I'd also like to share the comments (#239) from our colleagues at DHS National Cybersecurity Assessments & Technical Services (NCATS), which further stress the important role open source can play in increased software security and provide additional valuable feedback. Entities across DHS look forward to engaging further on refining and implementing this policy.

@chasingamy chasingamy closed this Apr 19, 2016


inetbiz commented Apr 19, 2016

@johnnewton However much information a person fills out for a profile is how you add members to your various teams and can assign teams to tickets and milestones. GitHub allows all to see code commits and commit reports. Other websites aggregate data from GitHub via application layer interface. That's the extent, and laws should be passed concerning profile requirements to avoid anonymity of contribution.

@lukemccormack why do you keep opening issues that are similar in scope? Stop that. Keep one issue open and use link reference from DHS policy website for citizens to read. Thank you in advance. ;-)
