[HN Gopher] Public Money, Public Code
___________________________________________________________________
Public Money, Public Code
Author : modinfo
Score : 308 points
Date : 2022-04-27 18:29 UTC (4 hours ago)
(HTM) web link (publiccode.eu)
| didip wrote:
| I hope this applies to patents as well. There is too much drug
| research funded by the public where the IP ended up owned by
| private companies.
| 4khilles wrote:
| Is this a case where 100% of a research effort is publicly
| funded or more like 10%? If it's closer to 10%, why would a
| company take the risk of putting up 90% of the capital when
| they can just wait for their competitor's IP to become public?
| Maybe the duration of a patent should depend on how much public
| funding was received.
| reillyse wrote:
| Large consulting companies like Accenture have entire divisions
| of their business devoted to "government". These divisions make
| money by developing software for governments. It is very much
| against their interest for this software to be open source
| because 1) there is visibility into their performance and 2) they
| can't sell very similar software to the same government if
| everyone knows what software they've already built.
|
| These are the real vested interests preventing this code becoming
| open source and why lots of government agencies who do their own
| development are perfectly happy to release the code or access to
| their APIs.
| mt_ wrote:
| The reason you pointed out why this won't gain traction is why
| it needs to gain traction.
| Zigurd wrote:
| One reason why government software development is separated
| from contract development work for private sector clients is
| that private sector clients understand that they own the
| results and can disclose that code if they want to. They are
| relying on bamboozling government clients. All the more reason
| for strict laws about disclosure of software developed for
| governments.
| krisoft wrote:
| > These are the real vested interests preventing this code
| becoming open source
|
| Absolutely.
|
| They are not going to do this by asking them nicely. That is
| why it must become the law. Software developed for public money
| must be released under a recognised open source licence.
| puritanicdev wrote:
| A few years ago, I did some consulting for an IT agency and had
| insight into their code, including some projects done for the
| government. It was the worst mess of spaghetti code I've ever
| seen. For one of those projects they hired people with little or
| no experience for cheap, and sold them as seniors for a crazy
| price.
| RcouF1uZ4gsC wrote:
| Why do software developers always shoot themselves in the foot
| with regard to their economic value?
|
| Governments pay all the time for development of technology that
| they buy, but that doesn't mean that the IP is released. For
| example, the government paid Boeing to develop transport
| aircraft. However, that does not mean that all the
| drawings/plans/etc for the aircraft are made public.
|
| The government is buying a set of functionality with public
| money. As long as they are getting that functionality, it doesn't
| matter that the code is proprietary.
| ceeplusplus wrote:
| The government paying for software to be developed is quite a
| bit different from a SaaS offering. If I pay some guy on Upwork
| to build something for me I expect the source code.
|
| Of course the SaaS model is much better for developers to
| realize their worth, because you are essentially creating
| capital goods as a developer and being the owner of those goods
| is much more profitable than selling them.
| postalrat wrote:
| What would be the expectation of source code ownership if you
| hired consultants or a team of developers to produce a piece of
| software for you? Do they keep it proprietary to themselves or
| should it belong to you?
| automatoney wrote:
| Some of us value other things
| (https://en.wikipedia.org/wiki/Open-source-software_movement#...)
| more than additional compensation. These
| ideas have roots in the original hacker culture that this site
| was named for - this stuff is the foundation of a lot of
| computer culture.
| nonrandomstring wrote:
| Increasingly I hear this expressed as "Technology In The
| Public Interest", and is a movement I strongly affiliate with
| because it is related to national security (as I have defined
| it elsewhere) [0] as resilience and sustainability. See
| writing [1] and institutional support [2][3] separate from
| notions of software freedom as traditionally carried by
| Stallman et al/EFF/GNU/FSF.
|
| [0] https://news.ycombinator.com/item?id=31108570
|
| [1] https://www.schneier.com/essays/archives/2019/01/the_public-...
|
| [2] https://www.macfound.org/programs/technology/
|
| [3] https://www.fordfoundation.org/news-and-stories/big-ideas/pu...
| bombcar wrote:
| IIRC they actually can demand copies of the drawings/plans _for
| their own records and use_ so that they can dig them up if the
| B-52 needs to be extended another decade.
|
| Governments are better at keeping ancient records around than
| most companies.
| nickff wrote:
| > _" However, that does not mean that all the
| drawings/plans/etc for the aircraft are made public."_
|
| The (US) government actually tried the approach of purchasing a
| few initial runs and the plans for some missiles, but the
| results were bad. Initial development costs were high,
| reliability was low, and manufacturability was poor.
| OkayPhysicist wrote:
| Having private companies control the intellectual property of
| our defense systems is a disaster that leads to aggressive
| rent seeking by defense contractors.
|
| Now, missile guidance software may not want to be open
| source, but the navy engineers down at China Lake should
| definitely have unrestricted ability to read, modify, and
| reproduce anything developed on their behalf.
| nickff wrote:
| I have long thought that missile and aircraft avionics
| should be made into more of a standardized, modular system
| (possibly open or government distributed source), for
| better upgradability and maintainability. I am sure this
| has been considered, and wonder why it hasn't been done.
| sam_lowry_ wrote:
| I signed up, but it gives me a stupid "20 requests per hour"
| error page.
| layer8 wrote:
| While I generally agree, publishing code commonly requires
| additional effort and diligence, such as checking the licensing
| situation of third-party code used, possibly anonymizing the devs
| involved, maintaining the public repository and credentials,
| dealing with all the communication from the public caused by
| publishing the code, and so on.
|
| Hence it also increases the cost for the taxpayers, and that
| needs to be factored into the cost estimates of software
| projects. It's not like they can just dump their git repository
| into alt.binaries.
| SparkyMcUnicorn wrote:
| > Hence it also increases the cost for the taxpayers
|
| Isn't that just a short-term problem? Mid to long term, it
| should decrease costs dramatically.
| layer8 wrote:
| How so? Because of external contributors? Most software
| developed for the public sector is quite use-case specific
| (and the use-cases are often quite boring), so I don't see
| that happening for most projects.
| SparkyMcUnicorn wrote:
| Once a workflow is adopted, it becomes normal and the
| hassles start to go away. That 3rd party library with an
| incompatible license now has a good alternative, code reuse
| is higher, handing off to new developers is easier, and
| identifying development teams that are highly inefficient
| (or incompetent) becomes possible.
|
| I feel like there's too many benefits to even list. Having
| seen some of the proprietary code developed for 3 letter
| agencies, it's shocking how bad some of it is (and there's
| even projects that have better open source alternatives
| that solve every use-case) and adding transparency can only
| be a good thing... in my opinion.
| bombcar wrote:
| Over time the use-cases will grow, and if done right you'll
| start being able to "borrow" from similar use-cases in
| other areas/governments.
|
| It WOULD likely require massive retooling as much
| "government code" is more like "black box machine that does
| X" than "fancy new web-app".
| layer8 wrote:
| In my experience, that doesn't happen much even between
| projects within a single software company, because
| requirements are too diverse and change too frequently.
| Pushing for synergies also tends to create all sorts of
| internal political dynamics. At best it's a long shot,
| with high risk of not amortizing the cost. The rest of
| the world, including the open-source world, also isn't a
| promising role model, with the constant churn,
| fragmentation and evolution of languages, frameworks,
| libraries and tooling.
| bombcar wrote:
| Yeah, I suspect most people are thinking "government
| code" is like Chrome or something, whereas most
| government code; most business code, hell, most code in
| the world is random business logic/glue code which often
| doesn't have much portability or usefulness.
| giobox wrote:
| I've often wondered if we need to radically change the State's
| relationship with the software it produces. As Robert Lessig
| famously observed, "code is law" in a world controlled by
| computers. There is increasingly a strong argument I feel in
| States directly employing software engineers much like they
| typically employ armies of civil servants to implement policy.
|
| Why is software treated as something to be outsourced to a
| private sector company? Why can't we have "civil programmers" who
| contribute to an ever growing body of public code just as the
| legislative process contributes to an ever growing body of laws.
| This body of civil programmers (terrible name but hey) could also
| work hand in hand with the open source community, letting
| stakeholders (citizens) contribute too.
| rozularen wrote:
| I think it's mainly because of money? Sure if there were any
| existing public open source infrastructure people would be more
| willing to contribute for free.
|
| I think this brings the open source developers income issue to
| the table which is getting better but at its own pace.
| jmole wrote:
| Code is only half of the problem here. The other half is
| operations. Applications don't just run on their own; they need
| deployment, maintenance, backup, recovery, new feature
| requests, etc. etc.
|
| Unlike the majority of infrastructure in the world, software
| literally isn't set in stone. This makes it much more powerful
| in some senses, but also much more fragile.
|
| Look at Hoover Dam - a project designed to last a hundred years
| with a pretty singular purpose. The operation and maintenance
| burden is clear, and basically unchanging throughout the
| lifetime of the dam.
|
| I agree with you in general here, but I think the actual work
| involved with your proposal is more akin to what the IT
| departments at agencies like the IRS or DMV are already doing.
| Speccing systems for internal processes, and managing dataflow
| from old systems to new ones.
| bombcar wrote:
| Mainly because the government has no expertise in the area, so
| you have to convince politicians (who have no expertise in the
| area) that it is important, against those who DO have funding
| and will fight it as being "insecure" and various other
| buzzwords.
|
| Governments often don't even employ the armies of civil
| servants anymore, lots and lots of stuff is contracted out.
|
| The way around this might be to convince some of the smaller
| "tech wannabe" states to enact something, and let it grow from
| there.
| squinta wrote:
| Italian Digital public administration code (CAD - Codice
| amministrazione digitale, art. 68 and 69) requires software
| created with public money to be open sourced and made accessible
| for reuse by everyone. https://developers.italia.it/en/reuse
|
| Formerly it was accessible only to other public administrations.
| That provision didn't generate any meaningful outcomes as it was
| not available to other developers, just to public administrations'
| in-house developers. With the last reform of the CAD in 2016, it
| was open to everyone and development of digital public services
| accelerated.
| yoru-sulfur wrote:
| There are a few groups doing public open source that I'm aware
| of:
|
| - 18F https://github.com/18f
|
| - GDS https://github.com/alphagov
|
| - CDS https://github.com/cds-snc
|
| I do agree with the sentiment, it's absurd that any software
| developed through public means is not available to the public.
| sublimefire wrote:
| Interesting comments throughout but..
|
| - Selling to public sector is a costly and lengthy process. Not
| to mention the lack of competence from the public sector
| partners.
|
| - Usually, the money is made by making sure the entity will
| subscribe for as long as possible, and it should be possible to
| repackage the same software and sell to somebody else with little
| effort.
|
| - Open sourcing puts the company into a position where its own
| code could be reused by the competitor without investing as much.
|
| - Furthermore, the projects are usually short lived due to the
| nature of procurement, budgeting and changing regulations.
|
| - It is a risky business that requires complicated solutions to
| complicated problems, not much of it is reusable outside of the
| specific domain.
|
| I was developing such software for years. Better ask yourself why
| huge IT departments are doing barely anything despite their
| funding.
| _trackno5 wrote:
| Question for HN: How could this possibly work with software
| developed for the military?
| nonrandomstring wrote:
| Kerckhoffs-Shannon principle. Unless I can assume that my enemy
| has total access to knowledge of my mechanisms, but is in no
| way advantaged with respect to my operations, it is not an
| effective weapon.
| krisoft wrote:
| Freedom of information laws frequently have national security
| interest exceptions. A similar carve out can be made from the
| requirement of open sourcing public funded software.
| [deleted]
| AlbertCory wrote:
| Totally right. The same applies to publicly funded research
| (goodbye, Elsevier), and even to court filings (goodbye, Pacer).
|
| As for postalrat's comment: there is a certain bureaucratic
| mindset that wants "their" stuff secret. Even when there's no
| possible justification. "You can't get in trouble for saying No"
| is their philosophy.
|
| Example: on Nextdoor (home of the dumbest people on the web), I
| stopped getting my daily email digest. Since this happens to be
| my ideal way to get Nextdoor, I emailed Support, and their person
| insisted that they _were_ going out, and I should contact my
| email provider (they were not going to Spam, if that's your
| guess).
|
| I asked "how do you know? did you look in the Sent folder?" and
| he/she said "we're unable to share any information about our
| internal tools."
|
| Ooh, it's a SECRET! I went through Twitter and found out they
| were running an experiment.
| [deleted]
| inChargeOfIT wrote:
| The US is getting better about it, some more than others, but a
| few off the top of my head..
|
| https://github.com/department-of-veterans-affairs
| https://github.com/nationalsecurityagency
| https://github.com/GSA
| https://github.com/CMSgov
| https://github.com/CDCgov
| Maxburn wrote:
| If I was the software developer forced into this I'd just raise
| my price knowing I can no longer sell it elsewhere, IF I even
| agreed to it. That's going to hurt tax payers. It's a catchy
| title but it doesn't take more than a moment's thought to see
| how it's going to backfire.
| Zigurd wrote:
| If you tried that with a private sector customer you would get
| nowhere.
| archontes wrote:
| If you develop the software completely at your own expense, and
| then sell the product to the government, fine.
|
| If the government is paying for the development, the government
| should own the product of that work.
| postalrat wrote:
| What do you mean? If you are a software developer working for a
| state or city you expect to sell the software you develop for
| them and collect the money yourself?
| Maxburn wrote:
| Good point, I was only thinking about outside contractors.
| postalrat wrote:
| Contractors are no different. Typically you don't get to
| sell the software someone else paid for.
|
| If you want to sell it then develop it on your own.
| WaitWaitWha wrote:
| Right, and I am all for that to remain.
|
| This reads way broader, as you describe it "develop it on
| your own", but can sell it only once to public sector.
| WaitWaitWha wrote:
| If I develop software specific to the public sector and sell
| it to the government, it is "publicly financed software
| developed for the public sector".
|
| What is my incentive to develop any software at all for
| public sector, since potential client no. 2 will just take
| the code that I released?
|
| The ask does not state employed by... it just says:
|
| "Implement legislation requiring that publicly financed
| software developed for the public sector be made publicly
| available under a Free and Open Source Software licence."
|
| I would be fine with
|
| "Implement legislation requiring that publicly financed
| software developed by employees of public sector, for the
| public sector be made publicly available under a Free and
| Open Source Software licence."
| rapind wrote:
| This is already very common in the private sector. Most
| businesses that require custom software will insist (via
| contract terms) that they "own" the software.
|
| There's also licensed deals and subscription services etc.
| sure, but there's a ton of custom proprietary software that
| consultants build (which often contain proprietary business
| logic).
|
| Custom always costs more of course, but this isn't a new
| model by any stretch of the imagination.
| [deleted]
| postalrat wrote:
| Your incentive is that you are being paid.
| WaitWaitWha wrote:
| Imagine "Microsoft Office"-complexity software developed
| specifically for public sector.
|
| Then, sold to public sector once, then everyone else is
| free to use it.
|
| Would Microsoft still develop Office? Unlikely.
| tapland wrote:
| The money is in the maintenance agreements.
| yxhuvud wrote:
| What would happen then is that the next public sector
| organization would want to pay someone to either fix bugs
| or to specialize the program to fit their needs better.
| And the more installations, the more this would happen.
| Maintenance is not free and the public sector would still
| have to pay the bill for it.
| Rygian wrote:
| Why would that be unlikely? If Microsoft's business model
| was to get paid to develop Office, then of course they
| would.
|
| (Obviously, Microsoft's actual business model is to
| capture and lock in, that's what makes your example look
| odd.)
| Beltalowda wrote:
| I mostly want the code to be public as a matter of
| transparency. I'd be fine if it was released under a
| fairly restrictive license which would prevent this kind
| of re-use.
| EMIRELADERO wrote:
| I believe this is directed more towards government-developed
| software, not explicitly contractors.
| Findecanor wrote:
| Although, where I live (in a well-off EU country dominated by
| socio-liberal politics) I've never heard of a governmental
| organisation developing their own code (outside of the
| defence department).
|
| When there is a need for a system, there is a public
| procurement process wherein contractors submit bids, and the
| "best" bid wins. ("best" by some criteria, usually price)
| richardwhiuk wrote:
| If it only applies to that case, it's possible there will be
| a perverse incentive for the public sector to outsource the
| code development.
| Maxburn wrote:
| I stand corrected.
| sophacles wrote:
| Go ahead, take your toys and go home. I don't care if the rent-
| seekers stop trying to waste my tax dollars - in fact contrary
| to your implication, this is a feature!
| Maxburn wrote:
| Seriously, dealing with government entities is a PITA. Life
| is much easier in private sector.
| AlotOfReading wrote:
| You can still sell the code, you just have to use something
| like the Red Hat subscription model after the first contract.
| This is how a substantial part of the tech market already
| operates. How does it 'backfire' here?
| Maxburn wrote:
| Why would I change my entire business model to deal with
| this? Just skip this customer and move on.
| AlotOfReading wrote:
| Because "this customer" would presumably be the government.
| If you're a government contractor bidding on RFPs, not
| meeting the basic requirements is probably a bad way to
| stay in business. No one's forcing you to do it, though.
| simion314 wrote:
| You are bidding for a contract that asks you to release the
| code, so bid accordingly; if you have super secret code then
| don't bid at all, or increase your bid. The hope is that the
| public will get some open source code they can fix in the
| future if there is a need, and not have to beg you years
| later to please fix stuff or add a new feature.
|
| As a private person I can offer a programming project but
| demand access to the source code; you are free not to bid
| for my project, but I think I am the sane one that wants the
| code so I am not locked into a corner.
| marcodiego wrote:
| AFAIK, most devs contracted to develop proprietary software have
| far fewer rights over the code they write than FLOSS devs.
| jdrc wrote:
| I am more interested in public _government_ code being shared
| with other EU countries. The EU funds a lot of government software
| projects, but they never end up becoming EU-wide projects. The EU
| is all about enabling common standards across countries. And what
| better way to enforce them than by using common software across
| the EU states.
| layer8 wrote:
| The EU actually has some open source programs, see for example
| https://github.com/ConnectingEurope.
| [deleted]
| openthc wrote:
| Many States in the USA have implemented a "track-and-trace"
| program for their cannabis. The States use this information for
| enforcement. These programs have many bugs --
| observable/repeatable bugs. Then enforcement uses the data from
| the buggy software to cite businesses for failures of their
| "track-and-trace" requirements. (eg: the system magically
| restores weight to zero-weight lots, or marks dead trees as
| alive).
|
| In Washington State they started with BioTrackTHC; they couldn't
| share the code because it's proprietary and a security risk; however
| they were dumping parts of the database as CSVs so folk could
| check that (and confirm some bugs!). Then WA switched to LeafData
| (MJ Freeway) and wouldn't share that code either; continued to
| share similar data-dumps. Now WA has moved to just uploading CSVs
| to the State system in code they wrote themselves -- and still
| won't share the code (and now are doing even less to share the
| data).
|
| It's frustrating when viable open source solutions exist and are
| actively ignored by the State agencies (we were blocked from even
| participating in workgroups about the future of T&T (which don't
| really matter, they didn't even follow the recommendations of
| their own workgroups))
| gr33nq wrote:
| I work in the public sector (US), and I have been advocating for
| something like this since I started my career.
|
| The ERP we use for HR/Payroll, Accounts Payable/Receivable,
| Utility Billing, etc. costs an exorbitant amount of money each
| year, and the quality of both the software and the technical
| support we receive is comical. And this is a new deployment, too.
| We upgraded from an IBM AS/400-based system a couple of years ago
| which I honestly long to go back to now and again out of
| frustration.
|
| Let me give you just one example of how we are held hostage to
| a private software vendor - collecting payment for utility bills.
| We are forced to use one credit card processor because it's the
| only "partner" that the ERP vendor has for payment processing. I
| guarantee you that you've never heard of them before. Their
| software is abysmal, and last time I checked, the ERP vendor gets
| a flat rate for each payment they collect (in addition to the
| standard credit card processing % + flat fee that goes to the
| merchant services company). There's no alternative. It's a
| Windows Service that has a tendency to crash several times a day
| without logging anything to Event Viewer. It's known to charge a
| credit card, but not return a success code back to the ERP,
| meaning the money was collected but their bill doesn't show as
| being paid. It's a problem I've documented clearly and created
| tickets on for over seven months at this point, and it's still
| not been resolved. Why? They have zero motivation. It's a beast
| to migrate to a new ERP (multiple years and $1M+), and they treat
| us as if we have no leverage in pushing for prompter support or
| better quality software. So luckily we are still on-premise with
| full access to the SQL database. I have written procedures to
| update the payment status manually each time this happens, post
| the transaction to the ERP, update reference numbers, and do a
| few other various things that should happen automatically when it
| works correctly. We were scolded for digging around ourselves and
| doing this, but if we open a support case, it takes 2-14 days to
| get a response back and that's simply not feasible when these
| payments need to post before EOB.
|
| There's also no open API available. We have the in-house
| expertise to develop integrations and try to tie systems together
| in ways that make sense for our environment. Nope. The few
| integrations that exist cost tens of thousands of dollars up
| front, have very lackluster support, are infrequently updated,
| and are very rigid in their capabilities. I've asked how we can
| gain access to a sandbox environment or get documentation on an
| API so we can test and create the integrations that these sacred
| "partners" are able to -- radio silence. I've even reached out to
| individuals who work at the company on LinkedIn asking a similar
| question of how an independent developer can integrate with their
| ERP ecosystem -- left on read, no response.
|
| Need a customization or change? Let's schedule a series of
| meetings and get it quoted out. $5,000 and two months later, we
| now have one new line of text displayed on our water bills about
| the drought. This is the level of control they maintain and use
| to line their pockets at our expense.
|
| And now I've noticed that over the past year or so, there's been
| a very aggressive push to move to a SaaS environment. Meaning
| we'd lose direct access to SQL, lose access to logs and other
| tools I use to debug/diagnose, and be reliant on (read: held
| hostage by) the vendor even more. Good luck getting access to any
| of our raw data at that point. It's vendor lock-in to an extreme.
|
| We (the agency, but more so the tax payers by extension) are
| victims. And we take it willingly without any pushback because
| there's no alternative. If anyone reading this is interested in
| helping fight against this or develop an open source alternative
| specific to government agencies, please reach out to me (email in
| profile here). I'm very passionate about this, having suffered so
| much aggravation over the years, and would love to work on
| bringing about some sort of solution.
| tommyage wrote:
| I'm currently working as a software architect for the government.
| The software we are developing is not beneficial to any citizen.
| Additionally, there is no staff to review and merge improvements.
| And merges need to get tested by regression as well, so bringing
| it to production would be cumbersome. Nonetheless, if we use
| another piece of software, we are preferring solutions where the
| code is open sourced. There needs to be enterprise support,
| though. And most of our colleagues are also pushing to pay our
| consultancies to improve these pieces of software.
|
| Our use cases with these solutions are kind of essential, so
| there are no possibilities to "give back".
|
| Any federal agency is supposed to cover one aspect of the
| government services, developing individual software which covers
| national laws.
|
| Also note that our software is almost 90% legacy code. And new
| solutions need to work around these quirks.
| redocneknurd wrote:
| Isn't this quite hard to implement? How do you distinguish
| between SaaS, software and custom services? Will this imply
| that Microsoft Office needs to be open source just because some
| government is buying that software?
| colonwqbang wrote:
| You cannot actually buy Office, only license it from Microsoft.
|
| Here the author seems to be talking about software that was
| originally written by the government. Or, one supposes, where
| development is chiefly funded by the government.
| productceo wrote:
| I don't think it'll be technically possible to release code to
| the taxpayers and no one else.
|
| It may be the case that code should be released publicly. But
| their reasoning does not seem applicable.
| figassis wrote:
| I'm wondering. If the govt pays you to build software, and you
| include proprietary libraries in order to build a custom
| solution, so that the solution is owned by the government, should
| you open source everything incl. the proprietary components? I
| get the feeling that is what contractors are trying to avoid so
| they can keep their competitive advantages. That and hiding
| horrible code.
| phoronixrly wrote:
| Bulgaria's laws on the matter require you to provide a shim so
| that the software can be built without the functionality
| provided by the proprietary closed-source dependency.
| sonicggg wrote:
| Exact same story with publicly financed research going behind
| paywalled journals. If we're paying for it, we should have
| access.
|
| Maybe time to have an equivalent of SciHub for code as well,
| although it will probably be harder to source that.
| NGRhodes wrote:
| I know off the top of my head 2 examples where code can be
| stored for research:
|
| Zenodo: https://about.zenodo.org/
|
| OSF: https://osf.io/
| b20000 wrote:
| I know of several situations where entrepreneurs in Europe put
| substantial money on the table in projects which were funded by
| grants from the government. It would be really bad for
| entrepreneurship in Europe if it were required to make
| software open source the moment some grant money is involved.
| Let's imagine you spend 500K of your savings, and the government
| gives you a 50K grant. Now you need to open source your software,
| and your competitors can run off with your 500K investment! The
| grant money offsets the insanely high taxes and should be no
| strings attached to stimulate entrepreneurship.
| Rexxar wrote:
| This doesn't require open source for everything that receives a
| grant. The text of the open letter is _"Implement legislation
| requiring that publicly financed software developed for the
| public sector be made publicly available under a Free and Open
| Source Software licence."_
|
| It's more like: if the tax office builds software to compute
| taxes, you can use it to compute your taxes, add a simplified
| GUI for basic users or incorporate it in your ERP.
| b20000 wrote:
| I understand, but the next step is what I wrote.
| BolexNOLA wrote:
| I can't tell based on the information on the site, but there
| may be some nuance to the threshold where this becomes a
| requirement. I imagine it will not be an all or nothing
| situation, but I am not sure ultimately.
|
| Also, if there was a bunch of public code available because of
| grant funding, that means - in theory - many people might not
| have to invest their own money (or quite as much) because there
| is more out there they can use due to this law.
|
| Ultimately it boils down to the language of the law and the
| social scenario.
| b20000 wrote:
| Ah yes, in good European fashion, there will be all kinds of
| complicated and time consuming rules and processes. That is
| what the countries in the EU and the commission do best: make
| it nearly impossible for small bootstrapped companies to be
| competitive and get their shit done.
|
| And if I as an entrepreneur put money into something, I
| expect to own it. Even if a grant was involved. After all, I
| already paid taxes to make those grants possible in the first
| place.
| BolexNOLA wrote:
| Frankly it sounds like you're prematurely grinding your
| axe. We don't have enough details to really form an opinion
| like that. As a fellow entrepreneur I am excited at the
| idea of more open collaboration/resources for people
| writing code. Hell imagine a world without GitHub.
|
| I'm curious to see the nitty gritty here myself.
| b20000 wrote:
| The reason why I react like this is that I have seen a
| proposal like what I describe a few years ago in a
| country in Europe.
| victorvosk wrote:
| I mean as nice as this sounds, our money is spent on all sorts of
| things we know nothing about. Should we all be provided with the
| schematics for F-35s?
| atx42 wrote:
| Exactly! Where do you draw the line? Does CIA/NSA have to drop
| their shorts?
| dragonwriter wrote:
| Any hypothetical obligation-to-make-code-public act could
| probably be guided by the thinking that went into the
| parameters of FOIA exemptions, since code is, after all,
| information.
| postalrat wrote:
| The state I lived in developed one of those covid tracking apps.
| I asked for the source code and was told it wasn't available and
| would never be. I talked to people working on other software
| developed for the state and they all think that software
| shouldn't be public.
|
| It seems crazy to me that taxpayers pay for this software but it
| doesn't belong to them.
|
| Knowing what I do know I gotta wonder if it's just about those
| developers being ashamed how bad their software is and don't want
| others to see it.
| hamandcheese wrote:
| Open sourcing code safely also isn't free. So unless something
| was developed in the open from the outset, I doubt it ever will
| become open source (unless mandated by law).
| machinerychorus wrote:
| I was tangentially related to the covid app stuff so I can
| offer some insight there: most of those apps weren't built by
| the state. Google provided an open-source "base app" that could
| be customized by the states, but most states hired third-party
| contractors to build an app for them.
|
| I've worked in public sector and this is typical. The states
| can't open source it because they don't own it, they just pay a
| third-party to build+operate it for them. This is touted as
| "small govt", but it really just makes things less efficient.
| The total number of people involved stays the same.
| dhosek wrote:
| Government outsourcing is the new patronage. And it has the
| advantage that you can focus the benefits directly to your
| powerful supporters and from the contractor's side, it gives
| them a line into government funding that doesn't get cut off
| as easily if their guy gets voted out as old-style patronage
| jobs did.
| ISL wrote:
| Third parties can build/operate open-source software.
| worik wrote:
| > but most states hired third-party contractors to build an
| app for them.
|
| So the states paid the bills so can license the result any
| way they want.
|
| How can they pay for something and not own it?
|
| Sounds to me like there are deep corruption problems
| bartvk wrote:
| I don't see what corruption has to do with it. I'm a
| subcontractor and usually the contractual terms are
| dictated by my clients. If I get the chance however, I put
| forth my terms and these say that I'm the author of the
| code and thus the copyright holder.
| HideousKojima wrote:
| When I've done freelance work and have been able to write
| the contract, I include a clause that the client receives
| "a perpetual, worldwide, non-exclusive, royalty-free,
| irrevocable license to reproduce, prepare derivative
| works of, publicly display, publicly perform, and
| distribute the work and such derivative works, and to
| sublicense any or all of the foregoing rights to third
| parties," effectively giving them unlimited rights to use
| my code how they please while still retaining my own
| copyright.
| bombcar wrote:
| Would that let them GPL or even MIT the code? It would
| seem so.
| HideousKojima wrote:
| Indeed it would, I borrowed the phrasing from Microsoft's
| contributor license agreement.
| slaymaker1907 wrote:
| It's a good idea so you don't need to worry about
| accidentally copying some code from one project to
| another. If you weren't the owner, they could
| theoretically come after you for copyright violation.
| tuvan wrote:
| There are lots of things you pay for that you don't own.
| ygjb wrote:
| > How can they pay for something and not own it?
|
| Have you ever purchased software? Any media, recorded
| performance, or book?
|
| I don't mean to be rude here, but this question shows a
| complete lack of awareness of the problem space.
|
| There are a number of contributing factors to why most
| government software is not open source, but here are some
| of my direct observations as a consultant to government
| departments, an employee of government departments, a
| purchaser of products and services at multiple
| corporations, and a manager of contract software
| development as an employee of a corporation, and the owner
| of a small business.
|
| 1. Stakeholders building software, using either directly
| employed, or contracted resources, have a desire to develop
| the software for the lowest cost possible. Generally this
| means preferring buying over building for many cases, and
| building on commercial (paid, free, or open source) stacks
| that promise easier development and efficiency. This often
| results in the project being encumbered by licenses that
| complicate the potential release of software as open
| source.
|
| 2. Many government initiated software development projects
| are done directly in pursuit of supporting legislation that
| is tightly bound to the jurisdiction of the legislation;
| even if the legislation is meant to ratify
| state/provincial, federal, international or other
| standards, laws, and regulations, there will be regional
| variations that require at minimum configuration, and most
| likely real code changes to meet requirements. This often
| results in software that is tightly coupled to a particular
| jurisdiction in terms of both legislation and regulations,
| but also in terms of the ecosystem the software is
| developed in. The encumbrances created by these couplings
| often have dependencies on closed and proprietary systems
| which is a great deal of friction for releasing open source
| projects.
|
| 3. Despite the passage of many international rules related
| to economic development agreements like the former NAFTA
| and the newer USMCA which provide provisions to allow fair
| competition for government contracts within the regions
| affected (and I believe EU and other trade blocs have
| similar legislation), the opportunity to award software
| development contracts to local firms (at any level of
| locality across municipal, state, and federal
| jurisdictions) is a strong temptation for politicians to
| curry favor with voters and business communities. This is
| often pitched as economic benefits by creating jobs
| locally, while bolstering local businesses and making them
| more competitive; if these projects are subsequently
| released as open source projects, the perception from
| decision makers is that the value of the investment in the
| local community is lost. This is where a significant
| opportunity for what you bill as corruption is identified -
| I haven't seen a procurement process in government that
| can't be subverted by suitably motivated buyers and
| sellers.
|
| 4. Releasing open source software can be a public relations
| nightmare - bug reports, public review and criticism of
| design or implementation choices generally land on the
| desks of whatever passes for a service desk for that
| jurisdiction, who are usually ill equipped to deal with
| these technical issues, and also are generally understaffed
| for their core responsibilities. Eventually those reports
| and criticisms make their way up through different paths
| and land on the desk of high level bureaucrats and elected
| officials, who then have to deal with these issues as
| public relations items. Have to deal with HeartBleed2022?
| If it's internally developed and open source, the buck
| stops with the politicians and how they let it happen, time
| for a public inquiry! If it's an off the shelf product, "We
| are disabling the service until a patch becomes available."
| [1, specifically log4j] , and people can grumble about
| purchasing choices, but it's much harder to criticize the
| actual implementation.
|
| A lot of folks in government (including me when I was there)
| wanted to release our stuff as OSS, but there is only so
| far you can go with open-sourcing modules that depend on SAP
| code, IBM code, or systems that are supplied by the federal
| government.
|
| [1] https://www.canada.ca/en/revenue-agency/services/e-services/...
| tablespoon wrote:
| > How can they pay for something and not own it?
|
| They license it.
|
| Renting everything seems to be the fad in business
| management, and governments often ape business.
| chaostheory wrote:
| > How can they pay for something and not own it?
|
| Cloud SAAS e.g. Salesforce apps
| _jal wrote:
| > Sounds to me like there are deep corruption problems
|
| I consider this to be a flavor of corruption, too, but it
| isn't, legally. It is the desired outcome for many, and for
| many more, maybe not the outcome they wanted, but the
| logical outcome of what they asked for.
|
| There has been a decades-long process in the US of
| pressuring governments to do less, to outsource more, to
| privatize, to move to "public-private partnerships" or
| whatever new buzzword means socialize losses and privatize
| profits.
|
| And this is what you get - government that doesn't have the
| capabilities it needs to do what people ask of it. Which
| makes it look bad, which encourages another cycle of
| privatization...
|
| If you want functional government, stop electing people who
| promise to break it.
| dragonwriter wrote:
| > How can they pay for something and not own it?
|
| Actually, quite easily, and it's cheaper that way
| (especially if they pay to acquire it, and it wasn't
| exclusively developed for them.)
|
| Which is also _why_ they would do that.
| [deleted]
| Zigurd wrote:
| Contract software development is nearly always work-for-hire.
| To not own the result of what is in common practice work-for-
| hire is terrible contract management. Imagine a road paving
| company claiming the state doesn't own the road they just
| paved.
| atx42 wrote:
| I think it's called a toll road. Around me they are owned
| by some French company.
| lou1306 wrote:
| Uhhh the Italian app wasn't developed by the state either,
| but the government acquired and open-sourced most (all?) of
| the code [1]. It's not that hard really.
|
| [1] https://github.com/orgs/immuni-app
| ldoughty wrote:
| This is the kind of issue that causes all that government
| bloat...
|
| If I was a state employee and I wrote the app, and I had to
| release the source code, then I'm making it very easy for a bad
| actor to find a vulnerability and exploit it to leak the data
| of citizens.
|
| One might respond: "Well software shouldn't have those holes!
| Just because it's closed source, doesn't mean that won't happen
| anyway."
|
| Also true, in an ideal world, the software should be free from
| such vulnerabilities.
|
| However security by obscurity is a layer of defense... And
| there might be other controls in place too to help.. e.g. a git
| repo behind SSO...
|
| If I accidentally check in a CSV of a data dump, or my access
| keys, etc... It doesn't immediately become a data leak/issue..
| I have at least some time to reconcile that.. but if the repo
| is publicly accessible, the moment it hits the wire someone can
| copy that data...
|
| One might follow up: "Well, they should not make the code if
| they are not competent enough to write it and host it"
|
| Would be nice as well! But sadly there are only so many
| developers that can do this kind of work with a very high level
| of security and competence... By requiring governments to make
| this code freely available, you could basically assume two
| outcomes: nothing the government has on you will be secret,
| including sealed records and private information. In addition,
| IT workers would be paid 7-figures with 5-10 years of
| experience, as every government project that touches software
| now needs 5+ highly trained workers to avoid gigantic
| lawsuits.. and no one could get an entry level job in
| government because one bad commit could cause an 8-figure
| lawsuit
|
| And just to throw in a silly extrapolation... I would love an
| M109 Paladin tank... my tax dollars pay for them :-)
| Kinrany wrote:
| The price increase required by the higher quality of software
| is roughly a fixed factor. The benefits that come from code
| reuse are exponential.
|
| If a government can't afford to release the sources in public
| right away, a gradual transition is possible: vendors that
| offer open source software have their prices multiplied by
| 0.1 during bidding. And this factor of preference for open
| source can be increased or decreased state-wide depending on
| the budget.
| dragonwriter wrote:
| > If I was a state employee and I wrote the app, and I had to
| release the source code, then I'm making it very easy for a
| bad actor to find a vulnerability and exploit it to leak the
| data of citizens.
|
| I have spent a lot of time in public sector IT and I've
| rarely seen a management or information security team that
| didn't subscribe to this kind of security through obscurity
| thinking for internal code, including the management teams
| that were completely behind _using_ open source code for
| cost, robustness, and avoiding vendor risk.
| [deleted]
| fsflover wrote:
| > However security by obscurity is a layer of defense...
|
| It's not: https://en.wikipedia.org/wiki/Security_through_obscurity#Cri....
|
| See also:
| https://en.wikipedia.org/wiki/Kerckhoffs's_principle.
| xboxnolifes wrote:
| > Security by obscurity _alone_ is discouraged and not
| recommended by standards bodies
|
| A layer, not the only layer.
|
| > System security should not _depend_ on the secrecy of the
| implementation or its components.
|
| It is not depending on it. It is just an additional layer
| to delay or reduce impact.
| InvertedRhodium wrote:
| This was the proposed scenario that the GP put forward:
|
| > If I was a state employee and I wrote the app, and I
| had to release the source code, then I'm making it very
| easy for a bad actor to find a vulnerability and exploit
| it to leak the data of citizens.
|
| Which doesn't seem to suggest any mitigation other than
| the lack of published source code.
| atx42 wrote:
| I find it bizarre that anyone familiar with software
| development would think this is a good idea.
|
| I mean if gov't creates a useful API (eg. weather), or
| creates some reusable useful module (eg. something like
| hibernate), that would be nice. But, just generally
| publishing everything? REALLY BAD IDEA.
| UncleEntity wrote:
| > And just to throw in a silly extrapolation... I would love
| an M109 Paladin tank... my tax dollars pay for them :-)
|
| If they give you a tank they have one less tank to do stuff
| with but if they give you a copy of software they still have
| the ability to do stuff with the software.
|
| There's a whole bunch of software out there that has been
| open sourced by government agencies like nasa and you don't
| see satellites falling out of the sky on a regular basis.
| gehwartzen wrote:
| I'm not in software so maybe my viewpoint is just different
| but I also wouldn't expect NASA to give me the mechanical
| blueprints for a rocket, or even a concrete launch pad nor
| would I expect the local government to give me the the
| electrical schematics for the stop light systems, even
| though doing so would in no way prevent them from
| continuing to use these systems/items
| munk-a wrote:
| Honestly, why not? It's quite likely there has been a
| decent amount of information passing back and forth
| between NASA and various private space companies - there
| isn't a sane reason to require everyone to make the same
| mistakes that you've already learned from. Additionally
| while releasing rocket specifications probably won't
| result in any at-scale replicas it's a good way to feed
| the hobbyist community and possibly get some neat ideas
| back.
|
| There are some components of rocketry that deserve
| careful consideration in sharing (i.e. rocket fuels) but
| a lot of those have mostly leaked at this point and the
| government has other reasons to limit their production
| and thus limits the supply of chemical components.
|
| Much like with software there are going to be some secret
| components related to communication and the like - but
| those can be cherry picked from the information and
| deliberately hidden... similar to how most software teams
| don't check all their private SSH keys into public repos
| (usually).
| 6510 wrote:
| > However security by obscurity is a layer of defense...
|
| In your example it would be _the_ layer of defense. But then
| we still have to wonder who is the attacker? The assumption
| made on the web page is that the developer is the attacker.
| The obscurity then becomes a major issue rather than _the_
| defense.
|
| Yes, we will have to pay what it costs and we will have to
| add extra developers. We all know the difference?
|
| I could write any government app or software but it would be
| a slow process, it would be hostile to further development
| and the security of it would be laughable. But from the GUI
| you wouldn't notice the difference. Mine might actually be
| nicer.
| [deleted]
| EMIRELADERO wrote:
| I don't know if it exists for where you live, but you might be
| able to make use of a public information law (FOIA-like)
| HideousKojima wrote:
| My most recent job was for a local government, and even though
| I made a push for open sourcing our code, I never made much
| headway. Plus, literally all of the other devs on my team
| repeatedly committed secure credentials to git no matter how
| many times I tried to teach them how to use a .gitignore file,
| so it could have been a bit disastrous if my efforts had
| actually made any headway
| pooper wrote:
| > Plus, literally all of the other devs on my team repeatedly
| committed secure credentials to git no matter how many times
| I tried to teach them how to use a .gitignore file
|
| Why do they even need to have access to production secure
| credentials during development? Why not let them fall into
| the "pit of success" so local development never talks to a
| production server anywhere?
| HideousKojima wrote:
| >Why do they even need to have access to production secure
| credentials during development? Why not let them fall into
| the "pit of success" so local development never talks to a
| production server anywhere?
|
| Because most local governments are 10 to 20 years behind on
| anything remotely approaching best practices. It wasn't my
| choice to run things that way.
| slaymaker1907 wrote:
| I'm not surprised. Even great devs sometimes slip up and when
| you have enough people, someone is always slipping up. The
| only real solution IMO is to have safeguards in place like
| credential scanning (ideally both locally and on the server).
| It's not foolproof, but it can help avoid or minimize a lot
| of incidents.
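| The credential scanning slaymaker1907 suggests as a safeguard, and the
| accidental check-in of keys or data dumps that ldoughty and HideousKojima
| describe above, as an added example that is not code from this thread or
| from any project it mentions. It is a Python pre-commit hook: it reads the
| staged changes with `git diff --cached`, flags added lines that look like
| credentials (known key formats, secret-looking assignments, high-entropy
| tokens) and refuses staged paths such as .csv dumps or .pem files, so a
| .gitignore lapse is caught before the commit exists. The rule list, the
| entropy threshold, the blocked globs and the sample diff are assumptions
| constructed for the example; the AWS key shown is the one AWS documents as
| a placeholder.

```python
"""Pre-commit credential scanner (added example; not code from the thread).

Scans the added lines of a unified diff (normally `git diff --cached`) for
common credential formats and high-entropy strings, and flags staged paths
that should never be committed. Install as .git/hooks/pre-commit; a non-zero
exit aborts the commit. The rule list, entropy threshold, blocked globs and
the sample diff below are assumptions constructed for this example.
"""
import fnmatch
import math
import os
import re
import subprocess
import sys
from collections import Counter

# Well-known credential formats. AWS access key IDs are "AKIA" plus 16
# uppercase alphanumerics; PEM private keys carry a BEGIN ... PRIVATE KEY
# header; GitHub personal access tokens start with ghp_.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # A secret-looking name assigned a quoted literal of 8+ characters.
    # Reading from the environment (no quote after "=") is not flagged.
    "assignment_of_secret": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*"
        r"['\"]([^'\"\s]{8,})['\"]"),
}
# Catch-all for keys the regexes do not know: long base64/hex-ish tokens
# whose per-character entropy looks random rather than like an identifier.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per codebase
# Staged paths refused outright (data dumps, key material, env files).
BLOCKED_GLOBS = ["*.pem", "*.key", "*.p12", ".env", "*.csv", "*.sql", "*.dump"]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return [(rule, matched_text), ...] for one line of content."""
    findings = [(name, m.group(0))
                for name, rx in PATTERNS.items() for m in rx.finditer(line)]
    findings += [("high_entropy_string", tok)
                 for tok in ENTROPY_TOKEN.findall(line)
                 if shannon_entropy(tok) >= ENTROPY_THRESHOLD]
    return findings


def scan_diff(diff_text):
    """Scan only '+' lines of a unified diff; '+++' headers set the path."""
    findings, current_file = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif raw.startswith("+"):
            for rule, match in scan_line(raw[1:]):
                findings.append({"file": current_file, "rule": rule, "match": match})
    return findings


def blocked_paths(paths):
    """Subset of paths whose basename matches a blocked glob."""
    return [p for p in paths
            if any(fnmatch.fnmatch(os.path.basename(p), g) for g in BLOCKED_GLOBS)]


# Constructed sample of what `git diff --cached` shows for a bad commit:
# a password hard-coded in place of an environment lookup, an AWS key ID
# (AWS's documented placeholder) and a random-looking 24-character salt.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SALT = "9f3Kx2mQ8vLp4nR7tW1zA5bC"
 DEBUG = False
"""


def _git(*args):
    return subprocess.run(["git", *args], capture_output=True,
                          text=True, check=True).stdout


def main(argv=None):
    """Hook entry point: exit 1 if anything staged looks like a leak."""
    argv = sys.argv[1:] if argv is None else argv
    if argv[:1] == ["--demo"]:  # run on the constructed sample, no git needed
        diff, paths = SAMPLE_DIFF, ["config/settings.py", "export/users.csv"]
    else:
        diff = _git("diff", "--cached", "--no-color", "--no-ext-diff")
        paths = _git("diff", "--cached", "--name-only").split()
    problems = [f"{p}: blocked path" for p in blocked_paths(paths)]
    problems += [f"{f['file']}: {f['rule']}: {f['match']}" for f in scan_diff(diff)]
    for p in problems:
        print(p, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

| Running it with --demo reports the three planted secrets and the blocked
| CSV and exits 1; wired in as the pre-commit hook it does the same for
| real staged changes. The diff-only scan keeps it fast, but it only sees
| what is being added now: a secret already in history still needs the
| server-side scan slaymaker1907 mentions, plus rotation, because removing
| it from the tip does not remove it from the clones that already pulled.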
| KarlKemp wrote:
| The German version is at https://github.com/corona-warn-app.
|
| It was expensive (18 million Euros I believe, but may be
| wrong). But other than that, it was excellent from start to
| finish. First release a few weeks after the API was available.
| The source was divided into logical components of more or less
| perfect size, it was straightforward, well commented,
| responsive to PRs, worked, and had no security issues as far as
| I remember.
| jahewson wrote:
| Define "belong".
| goatcode wrote:
| Any public money should bind the recipient to following public
| laws that govern government, including access to information.
| Don't like it as a corporation? Don't take public money.
| j_leboulanger wrote:
| https://code.gouv.fr/
| aeharding wrote:
| Likewise, free public apis (for non-sensitive info, at least).
|
| I appreciate NOAA's api.weather.gov, rucsoundings.noaa.gov, and
| other free public APIs.
|
| Also good to see the FAA dipping their toes in free public APIs
| (api.faa.gov).
| bumper_crop wrote:
| Suppose you are on a committee where you are evaluating 3
| different offers to build a website for your city. Bid A is for
| $10m, Bid B is for $9.5m, and Bid C is for $9m. The company that
| made offer B knows that they will likely lose the contract so
| they counter. "If you let us keep the source code and it remains
| private, we will bid $8.5m for the contract". Since all three
| vendors are offering equivalent service, and vendor B is offering
| a hefty $500,000 discount, how can you reasonably spend far more
| of your city's money? That money could have gone to improve
| schools or roads or make more competitive offers for city
| employees. How can you justify spending a half million more on
| software principle when there are other more pressing needs?
|
| Expecting software to be open source is nice when there is an
| army of 10s of thousands of FAANG employees to constantly keep it
| up to date, but less so when there's limited people. Sure, it
| hypothetically could be kept up to date by the generous and
| capable people of the city after the fact, but that's farfetched.
| It isn't realistic or practical for a budget-conscious software
| company to open themselves up to scrutiny, participate in the
| open source community, accept bug fixes, do code reviews from
| strangers, etc. It's _more_ expensive to do OSS, not less.
|
| (As an example, the Linux Kernel is mainly made by large
| companies with lots of expensive employees. Pick your 10 favorite
| GitHub projects with more than 10k stars and see who the primary
| contributors are.)
| rasulkireev wrote:
| Well, making it open source is not the same as making regular
| citizens/programmers work on it.
|
| You still pay the company to develop and maintain the software.
| Same way as open source developers get "sponsored". The reason
| is that anyone who wants to see the code and suggest on how to
| make it better, or to report a bug, then that would be
| possible. Furthermore, that work can be reused by other parts
| of the government.
|
| That last point is why some companies wouldn't want to do it,
| or would charge more. However, to your point, I think the
| increased cost is worth it in this case.
|
| Sure, there are going to be less better roads/schools by 500k,
| but the problem with that money is that there are rarely big
| projects for that amount, so it's not like they would be put to
| best use without being "lost" in the process of relocation.
| dusted wrote:
| Wow, nice one, Facebook! I'm trying to share the link, and I get:
|
| "Posts that look like spam according to our Community Guidelines
| are blocked on Facebook and can't be edited."
| yboris wrote:
| Confirming - I'm unable to post to my Facebook wall!
___________________________________________________________________
(page generated 2022-04-27 23:00 UTC)