[HN Gopher] Public Money, Public Code

Public Money, Public Code
Author: modinfo
Score: 308 points
Date: 2022-04-27 18:29 UTC (4 hours ago)
Link: publiccode.eu

didip wrote:
I hope this applies to patents as well. Too much drug research is funded by the public but the IP ends up owned by private companies.

4khilles wrote:
Is this a case where 100% of a research effort is publicly funded, or more like 10%? If it's closer to 10%, why would a company take the risk of putting up 90% of the capital when they can just wait for their competitor's IP to become public? Maybe the duration of a patent should depend on how much public funding was received.

reillyse wrote:
Large consulting companies like Accenture have entire divisions of their business devoted to "government". These divisions make money by developing software for governments. It is very much against their interest for this software to be open source because 1) there is visibility into their performance and 2) they can't sell very similar software to the same government if everyone knows what software they've already built.

These are the real vested interests preventing this code becoming open source, and why lots of government agencies who do their own development are perfectly happy to release the code or access to their APIs.

mt_ wrote:
The reason you pointed out why this won't gain traction is why it needs to gain traction.

Zigurd wrote:
One reason why government software development is separated from contract development work for private sector clients is that private sector clients understand that they own the results and can disclose that code if they want to. They are relying on bamboozling government clients. All the more reason for strict laws about disclosure of software developed for governments.
krisoft wrote:
> These are the real vested interests preventing this code becoming open source

Absolutely.

They are not going to do this by asking them nicely. That is why it must become the law. Software developed for public money must be released under a recognised open source licence.

puritanicdev wrote:
A few years ago, I did consulting for an IT agency and had insight into their code, including some projects done for the government. It was the worst mess of spaghetti code I've ever seen. For one of those projects they hired people with little or no experience for cheap, and sold them as seniors for a crazy price.

RcouF1uZ4gsC wrote:
Why do software developers always shoot themselves in the foot with regard to their economic value?

Governments pay all the time for development of technology that they buy, but that doesn't mean that the IP is released. For example, the government paid Boeing to develop transport aircraft. However, that does not mean that all the drawings/plans/etc for the aircraft are made public.

The government is buying a set of functionality with public money. As long as they are getting that functionality, it doesn't matter that the code is proprietary.

ceeplusplus wrote:
The government paying for software to be developed is quite a bit different from a SaaS offering. If I pay some guy on Upwork to build something for me I expect the source code.

Of course the SaaS model is much better for developers to realize their worth, because you are essentially creating capital goods as a developer, and being the owner of those goods is much more profitable than selling them.

postalrat wrote:
What would be the expectation of source code ownership if you hired consultants or a team of developers to produce a piece of software for you? Do they keep it proprietary to themselves or should it belong to you?
automatoney wrote:
Some of us value other things (https://en.wikipedia.org/wiki/Open-source-software_movement#...) more than additional compensation. These ideas have roots in the original hacker culture that this site was named for; this stuff is the foundation of a lot of computer culture.

nonrandomstring wrote:
Increasingly I hear this expressed as "Technology In The Public Interest", and it is a movement I strongly affiliate with because it is related to national security (as I have defined it elsewhere) [0] as resilience and sustainability. See writing [1] and institutional support [2][3] separate from notions of software freedom as traditionally carried by Stallman et al/EFF/GNU/FSF.

[0] https://news.ycombinator.com/item?id=31108570

[1] https://www.schneier.com/essays/archives/2019/01/the_public-...

[2] https://www.macfound.org/programs/technology/

[3] https://www.fordfoundation.org/news-and-stories/big-ideas/pu...

bombcar wrote:
IIRC they actually can demand copies of the drawings/plans _for their own records and use_ so that they can dig them up if the B-52 needs to be extended another decade.

Governments are better at keeping ancient records around than most companies.

nickff wrote:
> _"However, that does not mean that all the drawings/plans/etc for the aircraft are made public."_

The (US) government actually tried the approach of purchasing a few initial runs and the plans for some missiles, but the results were bad. Initial development costs were high, reliability was low, and manufacturability was poor.

OkayPhysicist wrote:
Having private companies control the intellectual property of our defense systems is a disaster that leads to aggressive rent seeking by defense contractors.
Now, missile guidance software may not want to be open source, but the navy engineers down at China Lake should definitely have unrestricted ability to read, modify, and reproduce anything developed on their behalf.

nickff wrote:
I have long thought that missile and aircraft avionics should be made into more of a standardized, modular system (possibly open or government distributed source), for better upgradability and maintainability. I am sure this has been considered, and wonder why it hasn't been done.

sam_lowry_ wrote:
I signed up, but it gives me a stupid "20 requests per hour" error page.

layer8 wrote:
While I generally agree, publishing code commonly requires additional effort and diligence, such as checking the licensing situation of third-party code used, possibly anonymizing the devs involved, maintaining the public repository and credentials, dealing with all the communication from the public caused by publishing the code, and so on.

Hence it also increases the cost for the taxpayers, and that needs to be factored into the cost estimates of software projects. It's not like they can just dump their git repository into alt.binaries.

SparkyMcUnicorn wrote:
> Hence it also increases the cost for the taxpayers

Isn't that just a short-term problem? Mid to long term, it should decrease costs dramatically.

layer8 wrote:
How so? Because of external contributors? Most software developed for the public sector is quite use-case specific (and the use-cases are often quite boring), so I don't see that happening for most projects.

SparkyMcUnicorn wrote:
Once a workflow is adopted, it becomes normal and the hassles start to go away. That 3rd party library with an incompatible license now has a good alternative, code re-use is higher, handing off to new developers is easier, and identifying development teams that are highly inefficient (or incompetent) becomes possible.
I feel like there are too many benefits to even list. Having seen some of the proprietary code developed for 3 letter agencies, it's shocking how bad some of it is (and there are even projects that have better open source alternatives that solve every use-case), and adding transparency can only be a good thing... in my opinion.

bombcar wrote:
Over time the use-cases will grow, and if done right you'll start being able to "borrow" from similar use-cases in other areas/governments.

It WOULD likely require massive retooling as much "government code" is more like "black box machine that does X" than "fancy new web-app".

layer8 wrote:
In my experience, that doesn't happen much even between projects within a single software company, because requirements are too diverse and change too frequently. Pushing for synergies also tends to create all sorts of internal political dynamics. At best it's a long shot, with high risk of not amortizing the cost. The rest of the world, including the open-source world, also isn't a promising role model, with the constant churn, fragmentation and evolution of languages, frameworks, libraries and tooling.

bombcar wrote:
Yeah, I suspect most people are thinking "government code" is like Chrome or something, whereas most government code, most business code, hell, most code in the world is random business logic/glue code which often doesn't have much portability or usefulness.

giobox wrote:
I've often wondered if we need to radically change the State's relationship with the software it produces. As Robert Lessig famously observed, "code is law" in a world controlled by computers. There is increasingly a strong argument, I feel, for States directly employing software engineers much like they typically employ armies of civil servants to implement policy.

Why is software treated as something to be outsourced to a private sector company?
Why can't we have "civil programmers" who contribute to an ever growing body of public code just as the legislative process contributes to an ever growing body of laws? This body of civil programmers (terrible name but hey) could also work hand in hand with the open source community, letting stakeholders (citizens) contribute too.

rozularen wrote:
I think it's mainly because of money? Sure, if there were any existing public open source infrastructure people would be more willing to contribute for free.

I think this brings the open source developers' income issue to the table, which is getting better but at its own pace.

jmole wrote:
Code is only half of the problem here. The other half is operations. Applications don't just run on their own; they need deployment, maintenance, backup, recovery, new feature requests, etc. etc.

Unlike the majority of infrastructure in the world, software literally isn't set in stone. This makes it much more powerful in some senses, but also much more fragile.

Look at Hoover Dam, a project designed to last a hundred years with a pretty singular purpose. The operation and maintenance burden is clear, and basically unchanging throughout the lifetime of the dam.

I agree with you in general here, but I think the actual work involved with your proposal is more akin to what the IT departments at agencies like the IRS or DMV are already doing: speccing systems for internal processes, and managing dataflow from old systems to new ones.

bombcar wrote:
Mainly because the government has no expertise in the area, so you have to convince politicians (who have no expertise in the area) that it is important, against those who DO have funding and will fight it as being "insecure" and various other buzzwords.

Governments often don't even employ the armies of civil servants anymore; lots and lots of stuff is contracted out.
The way around this might be to convince some of the smaller "tech wannabe" states to enact something, and let it grow from there.

squinta wrote:
The Italian Digital Public Administration Code (CAD - Codice amministrazione digitale, art. 68 and 69) requires software created with public money to be open sourced and made accessible for reuse by everyone. https://developers.italia.it/en/reuse

Formerly it was accessible only to other public administrations. That provision didn't generate any meaningful outcomes, as it was not available to other developers, just to public administrations' in-house developers. With the last reform of the CAD in 2016, it was opened to everyone and development of digital public services accelerated.

yoru-sulfur wrote:
There are a few groups doing public open source that I'm aware of:

- 18F https://github.com/18f

- GDS https://github.com/alphagov

- CDS https://github.com/cds-snc

I do agree with the sentiment; it's absurd that any software developed through public means is not available to the public.

sublimefire wrote:
Interesting comments throughout but..

- Selling to the public sector is a costly and lengthy process. Not to mention the lack of competence from the public sector partners.

- Usually, the money is made by making sure the entity will subscribe for as long as possible, and it should be possible to repackage the same software and sell to somebody else with little effort.

- Open sourcing puts the company into a position where its own code could be reused by a competitor without investing as much.

- Furthermore, the projects are usually short lived due to the nature of procurement, budgeting and changing regulations.

- It is a risky business that requires complicated solutions to complicated problems; not much of it is reusable outside of the specific domain.

I was developing such software for years.
Better ask yourself why huge IT departments are doing barely anything despite their funding.

_trackno5 wrote:
Question for HN: How could this possibly work with software developed for the military?

nonrandomstring wrote:
Kerckhoffs-Shannon principle. Unless I can assume that my enemy has total access to knowledge of my mechanisms, but is in no way advantaged with respect to my operations, it is not an effective weapon.

krisoft wrote:
Freedom of information laws frequently have national security interest exceptions. A similar carve out can be made from the requirement of open sourcing publicly funded software.

[deleted]

AlbertCory wrote:
Totally right. The same applies to publicly funded research (goodbye, Elsevier), and even to court filings (goodbye, Pacer).

As for postalrat's comment: there is a certain bureaucratic mindset that wants "their" stuff secret. Even when there's no possible justification. "You can't get in trouble for saying No" is their philosophy.

Example: on Nextdoor (home of the dumbest people on the web), I stopped getting my daily email digest. Since this happens to be my ideal way to get Nextdoor, I emailed Support, and their person insisted that they _were_ going out, and I should contact my email provider (they were not going to Spam, if that's your guess).

I asked "how do you know? did you look in the Sent folder?" and he/she said "we're unable to share any information about our internal tools."

Ooh, it's a SECRET! I went through Twitter and found out they were running an experiment.

[deleted]

inChargeOfIT wrote:
The US is getting better about it, some more than others, but a few off the top of my head..
https://github.com/department-of-veterans-affairs
https://github.com/nationalsecurityagency
https://github.com/GSA
https://github.com/CMSgov
https://github.com/CDCgov

Maxburn wrote:
If I was the software developer forced into this I'd just raise my price knowing I can no longer sell it elsewhere, IF I even agreed to it. That's going to hurt taxpayers. It's a catchy title but it just doesn't take more than a moment's thought to see how it's going to backfire.

Zigurd wrote:
If you tried that with a private sector customer you would get nowhere.

archontes wrote:
If you develop the software completely at your own expense, and then sell the product to the government, fine.

If the government is paying for the development, the government should own the product of that work.

postalrat wrote:
What do you mean? If you are a software developer working for a state or city you expect to sell the software you develop for them and collect the money yourself?

Maxburn wrote:
Good point, I was only thinking about outside contractors.

postalrat wrote:
Contractors are no different. Typically you don't get to sell the software someone else paid for.

If you want to sell it then develop it on your own.

WaitWaitWha wrote:
Right, and I am all for that to remain.

This reads way broader; as you describe it, "develop it on your own", but you can sell it only once to the public sector.

WaitWaitWha wrote:
If I develop software specific to the public sector and sell it to the government, it is "publicly financed software developed for the public sector".

What is my incentive to develop any software at all for the public sector, since potential client no. 2 will just take the code that I released?

The ask does not state employed by...
it just says:

"Implement legislation requiring that publicly financed software developed for the public sector be made publicly available under a Free and Open Source Software licence."

I would be fine with

"Implement legislation requiring that publicly financed software developed by employees of the public sector, for the public sector, be made publicly available under a Free and Open Source Software licence."

rapind wrote:
This is already very common in the private sector. Most businesses that require custom software will insist (via contract terms) that they "own" the software.

There are also licensed deals and subscription services etc., sure, but there's a ton of custom proprietary software that consultants build (which often contains proprietary business logic).

Custom always costs more of course, but this isn't a new model by any stretch of the imagination.

[deleted]

postalrat wrote:
Your incentive is that you are being paid.

WaitWaitWha wrote:
Imagine "Microsoft Office"-complexity software developed specifically for the public sector.

Then, sold to the public sector once, then everyone else is free to use it.

Would Microsoft still develop Office? Unlikely.

tapland wrote:
The money is in the maintenance agreements.

yxhuvud wrote:
What would happen then is that the next public sector organization would want to pay someone to either fix bugs or to specialize the program to fit their needs better. And the more installations, the more this would happen. Maintenance is not free and the public sector would still have to pay the bill for it.

Rygian wrote:
Why would that be unlikely? If Microsoft's business model was to get paid to develop Office, then of course they would.

(Obviously, Microsoft's actual business model is to capture and lock in; that's what makes your example look odd.)

Beltalowda wrote:
I mostly want the code to be public as a matter of transparency.
I'd be fine if it was released under a fairly restrictive license which would prevent this kind of re-use.

EMIRELADERO wrote:
I believe this is directed more towards government-developed software, not explicitly contractors.

Findecanor wrote:
Although, where I live (in a well-off EU country dominated by socio-liberal politics) I've never heard of a governmental organisation developing their own code (outside of the defence department).

When there is a need for a system, there is a public procurement process wherein contractors submit bids, and the "best" bid wins. ("best" by some criteria, usually price)

richardwhiuk wrote:
If it only applies to that case, it's possible there will be a perverse incentive for the public sector to outsource the code development.

Maxburn wrote:
I stand corrected.

sophacles wrote:
Go ahead, take your toys and go home. I don't care if the rent-seekers stop trying to waste my tax dollars; in fact, contrary to your implication, this is a feature!

Maxburn wrote:
Seriously, dealing with government entities is a PITA. Life is much easier in the private sector.

AlotOfReading wrote:
You can still sell the code, you just have to use something like the Red Hat subscription model after the first contract. This is how a substantial part of the tech market already operates. How does it 'backfire' here?

Maxburn wrote:
Why would I change my entire business model to deal with this? Just skip this customer and move on.

AlotOfReading wrote:
Because "this customer" would presumably be the government. If you're a government contractor bidding on RFPs, not meeting the basic requirements is probably a bad way to stay in business. No one's forcing you to do it, though.

simion314 wrote:
You are bidding for a contract that asks you to release the code; bid accordingly. If you have super secret code then don't bid at all, or increase your bid.
The hope is the public will get some open source code they can fix in future if there is a need, and not have to beg you years later to please fix stuff or add a new feature.

As a private person I can offer a programming project but demand access to the source code. You are free not to bid for my project, but I think I am the sane one that wants the code so I am not locked into a corner.

marcodiego wrote:
AFAIK, most devs contracted to develop proprietary software have far fewer rights over the code they write than FLOSS devs.

jdrc wrote:
I am more interested in public _government_ code being shared with other EU countries. The EU funds a lot of government software projects, but they never end up becoming EU-wide projects. The EU is all about enabling common standards across countries. And what better way to enforce them than by using common software across the EU states.

layer8 wrote:
The EU actually has some open source programs, see for example https://github.com/ConnectingEurope.

[deleted]

openthc wrote:
Many States in the USA have implemented a "track-and-trace" program for their cannabis. The States use this information for enforcement. These programs have many bugs, observable/repeatable bugs. Then enforcement uses the data from the buggy software to cite businesses for failures of their "track-and-trace" requirements. (e.g.: the system magically restores weight to zero-weight lots, or marks dead trees as alive.)

In Washington State they started with BioTrackTHC; they couldn't share the code because it's proprietary and a security risk; however they were dumping parts of the database as CSVs so folk could check that (and confirm some bugs!). Then WA switched to LeafData (MJ Freeway) and wouldn't share that code either; they continued to share similar data-dumps.
Now WA has moved to just uploading CSVs to the State system in code they wrote themselves, and still won't share the code (and now are doing even less to share the data).

It's frustrating when viable open source solutions exist and are actively ignored by the State agencies (we were blocked from even participating in workgroups about the future of T&T (which don't really matter, they didn't even follow the recommendations of their own workgroups)).

gr33nq wrote:
I work in the public sector (US), and I have been advocating for something like this since I started my career.

The ERP we use for HR/Payroll, Accounts Payable/Receivable, Utility Billing, etc. costs an exorbitant amount of money each year, and the quality of both the software and the technical support we receive is comical. And this is a new deployment, too. We upgraded from an IBM AS/400-based system a couple of years ago which I honestly long to go back to now and again out of frustration.

Let me give you just one example of how we are held hostage to a private software vendor: collecting payment for utility bills. We are forced to use one credit card processor because it's the only "partner" that the ERP vendor has for payment processing. I guarantee you that you've never heard of them before. Their software is abysmal, and last time I checked, the ERP vendor gets a flat rate for each payment they collect (in addition to the standard credit card processing % + flat fee that goes to the merchant services company). There's no alternative. It's a Windows Service that has a tendency to crash several times a day without logging anything to Event Viewer. It's known to charge a credit card, but not return a success code back to the ERP, meaning the money was collected but their bill doesn't show as being paid.
It's a problem I've documented clearly and created tickets on for over seven months at this point, and it's still not been resolved. Why? They have zero motivation. It's a beast to migrate to a new ERP (multiple years and $1M+), and they treat us as if we have no leverage in pushing for prompter support or better quality software. So luckily we are still on-premise with full access to the SQL database. I have written procedures to update the payment status manually each time this happens, post the transaction to the ERP, update reference numbers, and do a few other various things that should happen automatically when it works correctly. We were scolded for digging around ourselves and doing this, but if we open a support case, it takes 2-14 days to get a response back and that's simply not feasible when these payments need to post before EOB.

There's also no open API available. We have the in-house expertise to develop integrations and try to tie systems together in ways that make sense for our environment. Nope. Whatever few integrations exist cost tens of thousands of dollars up-front, have very lackluster support, are infrequently updated, and are very rigid in their capabilities. I've asked how we can gain access to a sandbox environment or get documentation on an API so we can test and create the integrations that these sacred "partners" are able to; radio silence. I've even reached out to individuals who work at the company on LinkedIn asking a similar question of how an independent developer can integrate with their ERP ecosystem; left on read, no response.

Need a customization or change? Let's schedule a series of meetings and get it quoted out. $5,000 and two months later, we now have one new line of text displayed on our water bills about the drought. This is the level of control they maintain and use to line their pockets at our expense.
And now I've noticed that over the past year or so, there's been a very aggressive push to move to a SaaS environment. Meaning we'd lose direct access to SQL, lose access to logs and other tools I use to debug/diagnose, and be reliant on (read: held hostage by) the vendor even more. Good luck getting access to any of our raw data at that point. It's vendor lock-in to an extreme.

We (the agency, but more so the taxpayers by extension) are victims. And we take it willingly without any pushback because there's no alternative. If anyone reading this is interested in helping fight against this or develop an open source alternative specific to government agencies, please reach out to me (email in profile here). I'm very passionate about this, having suffered so much aggravation over the years, and would love to work on bringing about some sort of solution.

tommyage wrote:
I'm currently working as a software architect for the government. The software we are developing is not beneficial to any citizen. Additionally, there is no staff to review and merge improvements. And merges need to get tested by regression as well, so bringing it to production would be cumbersome. Nonetheless, if we use another piece of software, we are preferring solutions where the code is open sourced. There needs to be enterprise support, though. And most of our colleagues are also pushing to pay our consultancies to improve these pieces of software.

Our use cases with these solutions are kind of essential, so there are no possibilities to "give back".

Any federal agency is supposed to cover one aspect of the government services. Developing individual software, which covers national laws.

Also note that our software is almost 90% legacy code. And new solutions need to work around these quirks.

redocneknurd wrote:
Isn't this quite hard to implement? How do you distinguish between SaaS, software and custom services?
Will this imply that Microsoft Office needs to be open source just because some government is buying that software?

colonwqbang wrote:
You cannot actually buy Office, only license it from Microsoft.

Here the author seems to be talking about software that was originally written by the government. Or, one supposes, where development is chiefly funded by the government.

productceo wrote:
I don't think it'll be technically possible to release code to the taxpayers and no one else.

It may be the case that code should be released publicly. But their reasoning does not seem applicable.

figassis wrote:
I'm wondering. If the govt pays you to build software, and you include proprietary libraries in order to build a custom solution, so that the solution is owned by the government, should you open source everything incl. the proprietary components? I get the feeling that is what contractors are trying to avoid so they can keep their competitive advantages. That and hiding horrible code.

phoronixrly wrote:
Bulgaria's laws on the matter require you to provide a shim so that the software can be built without the functionality provided by the proprietary closed-source dependency.

sonicggg wrote:
Exact same story with publicly financed research going behind paywalled journals. If we're paying for it, we should have access.

Maybe time to have an equivalent of SciHub for code as well, although it will probably be harder to source that.

NGRhodes wrote:
I know off the top of my head 2 examples where code can be stored for research:

Zenodo: https://about.zenodo.org/
OSF: https://osf.io/

b20000 wrote:
I know of several situations where entrepreneurs in Europe put substantial money on the table in projects which were funded by grants from the government.
It would be really bad for entrepreneurship in Europe if it were required to make software open source the moment some grant money is involved. Let's imagine you spend 500K of your savings, and the government gives you a 50K grant. Now you need to open source your software, and your competitors can run off with your 500K investment! The grant money offsets the insanely high taxes and should be no strings attached to stimulate entrepreneurship.

Rexxar wrote:
This doesn't require open source for everything that receives a grant. The text of the open letter is _"Implement legislation requiring that publicly financed software developed for the public sector be made publicly available under a Free and Open Source Software licence."_

It's more like if the tax office builds software to compute taxes, you can use it to compute your taxes, add a simplified GUI for basic users, or incorporate it in your ERP.

b20000 wrote:
I understand, but the next step is what I wrote.

BolexNOLA wrote:
I can't tell based on the information on the site, but there may be some nuance to the threshold where this becomes a requirement. I imagine it will not be an all or nothing situation, but I am not sure ultimately.

Also, if there was a bunch of public code available because of grant funding, that means, in theory, many people might not have to invest their own money (or quite as much) because there is more out there they can use due to this law.

Ultimately it boils down to the language of the law and the social scenario.

b20000 wrote:
Ah yes, in good European fashion, there will be all kinds of complicated and time consuming rules and processes. That is what the countries in the EU and the commission do best: make it nearly impossible for small bootstrapped companies to be competitive and get their shit done.

And if I as an entrepreneur put money into something, I expect to own it.
even if a grant was involved. after all, I | already paid taxes to make those grants possible in the first | place. | BolexNOLA wrote: | Frankly it sounds like you're prematurely grinding your | axe. We don't have enough details to really form an opinion | like that. As a fellow entrepreneur I am excited at the | idea of more open collaboration/resources for people | writing code. Hell imagine a world without GitHub. | | I'm curious to see the nitty gritty here myself. | b20000 wrote: | the reason why i react like this is that i have seen a | proposal like what i describe a few years ago in a | country in europe. | victorvosk wrote: | I mean as nice as this sounds, our money is spent on all sorts of | things we know nothing about. Should we all be provided with the | schematics for F-35s? | atx42 wrote: | Exactly! Where do you draw the line? Does CIA/NSA have to drop | their shorts? | dragonwriter wrote: | Any hypothetical obligation-to-make-code-public act could | probably be guided by the thinking that went into the | parameters of FOIA exemptions, since code is, after all, | information. | postalrat wrote: | The state I lived in developed one of those covid tracking apps. | I asked for the source code and was told it wasn't available and | would never be. I talked to people working on other software | developed for the state and they all think that software | shouldn't be public. | | It seems crazy to me that taxpayers pay for this software but it | doesn't belong to them. | | Knowing what I do know I gotta wonder if it's just about those | developers being ashamed how bad their software is and don't want | others to see it. | hamandcheese wrote: | Open sourcing code safely also isn't free. So unless something | was developed in the open from the outset, I doubt it ever will | become open source (unless mandated by law). 
| machinerychorus wrote: | I was tangentially related to the covid app stuff so I can | offer some insight there: most of those apps weren't built by | the state. Google provided an open-source "base app" that could | be customized by the states, but most states hired third-party | contractors to build an app for them. | | I've worked in public sector and this is typical. The states | can't open source it because they don't own it, they just pay a | third-party to build+operate it for them. This is touted as | "small govt", but it really just makes things less efficient. | The total number of people involved stays the same. | dhosek wrote: | Government outsourcing is the new patronage. And it has the | advantage that you can focus the benefits directly to your | powerful supporters and from the contractor's side, it gives | them a line into government funding that doesn't get cut off | as easily if their guy gets voted out as old-style patronage | jobs did. | ISL wrote: | Third parties can build/operate open-source software. | worik wrote: | > but most states hired third-party contractors to build an | app for them. | | So the states paid the bills so can license the result any | way they want. | | How can they pay for something and not own it? | | Sounds to me like there are deep corruption problems | bartvk wrote: | I don't see what corruption has to do with it. I'm a | subcontractor and usually the contractual terms are | dictated by my clients. If I get the chance however, I put | forth my terms and these say that I'm the author of the | code and thus the copyright holder.
| HideousKojima wrote: | When I've done freelance work and have been able to write | the contract, I include a clause that the client receives | "a perpetual, worldwide, non-exclusive, royalty-free, | irrevocable license to reproduce, prepare derivative | works of, publicly display, publicly perform, and | distribute the work and such derivative works, and to | sublicense any or all of the foregoing rights to third | parties," effectively giving them unlimited rights to use | my code how they please while still retaining my own | copyright. | bombcar wrote: | Would that let them GPL or even MIT the code? It would | seem so. | HideousKojima wrote: | Indeed it would, I borrowed the phrasing from Microsoft's | contributor license agreement. | slaymaker1907 wrote: | It's a good idea so you don't need to worry about | accidentally copying some code from one project to | another. If you weren't the owner, they could | theoretically come after you for copyright violation. | tuvan wrote: | There are lots of things you pay for that you don't own. | ygjb wrote: | > How can they pay for something and not own it? | | Have you ever purchased software? Any media, recorded | performance, or book? | | I don't mean to be rude here, but this question shows a | complete lack of awareness of the problem space. | | There are a number of contributing factors to why most | government software is not open source, but here are some | of my direct observations as a consultant to government | departments, an employee of government departments, a | purchaser of products and services at multiple | corporations, and a manager of contract software | development as an employee of a corporation, and the owner | of a small business. | | 1. Stakeholders building software, using either directly | employed, or contracted resources, have a desire to develop | the software for the lowest cost possible.
Generally this | means preferring buying over building for many cases, and | building on commercial (paid, free, or open source) stacks | that promise easier development and efficiency. This often | results in the project being encumbered by licenses that | complicate the potential release of software as open | source. | | 2. Many government initiated software development projects | are done directly in pursuit of supporting legislation that | is tightly bound to the jurisdiction of the legislation; | even if the legislation is meant to ratify | state/provincial, federal, international or other | standards, laws, and regulations, there will be regional | variations that require at minimum configuration, and most | likely real code changes to meet requirements. This often | results in software that is tightly coupled to a particular | jurisdiction in terms of both legislation and regulations, | but also in terms of the ecosystem the software is | developed in. The encumbrances created by these couplings | often have dependencies on closed and proprietary systems | which is a great deal of friction for releasing open source | projects. | | 3. Despite the passage of many international rules related | to economic development agreements like the former NAFTA | and the newer USMCA which provide provisions to allow fair | competition for government contracts within the regions | affected (and I believe EU and other trade blocs have | similar legislation), the opportunity to award software | development contracts to local firms (at any level of | locality across municipal, state, and federal | jurisdictions) is a strong temptation for politicians to | curry favor with voters and business communities.
This is | often pitched as economic benefits by creating jobs | locally, while bolstering local businesses and making them | more competitive; if these projects are subsequently | released as open source projects, the perception from | decision makers is that the value of the investment in the | local community is lost. This is where a significant | opportunity for what you bill as corruption is identified - | I haven't seen a procurement process in government that | can't be subverted by suitably motivated buyers and | sellers. | | 4. Releasing open source software can be a public relations | nightmare - bug reports, public review and criticism of | design or implementation choices generally land on the | desks of whatever passes for a service desk for that | jurisdiction, who are usually ill equipped to deal with | these technical issues, and also are generally understaffed | for their core responsibilities. Eventually those reports | and criticisms make their way up through different paths | and land on the desk of high level bureaucrats and elected | officials, who then have to deal with these issues as | public relations items. Have to deal with HeartBleed2022? | If it's internally developed and open source, the buck | stops with the politicians and how they let it happen, time | for a public inquiry! If it's an off the shelf product, "We | are disabling the service until a patch becomes available." | [1, specifically log4j] , and people can grumble about | purchasing choices, but it's much harder to criticize the | actual implementation. | | A lot of folks in government (including me when I was there) | wanted to release our stuff as OSS, but there is only so | far you can go with open-sourcing modules that depend on SAP | code, IBM code, or systems that are supplied by the federal | government. | | [1] https://www.canada.ca/en/revenue-agency/services/e-services/... | tablespoon wrote: | > How can they pay for something and not own it? | | They license it.
| | Renting everything seems to be the fad in business | management, and governments often ape business. | chaostheory wrote: | > How can they pay for something and not own it? | | Cloud SAAS e.g. Salesforce apps | _jal wrote: | > Sounds to me like there are deep corruption problems | | I consider this to be a flavor of corruption, too, but it | isn't, legally. It is the desired outcome for many, and for | many more, maybe not the outcome they wanted, but the | logical outcome of what they asked for. | | There has been a decades-long process in the US of | pressuring governments to do less, to outsource more, to | privatize, to move to "public-private partnerships" or | whatever new buzzword means socialize losses and privatize | profits. | | And this is what you get - government that doesn't have the | capabilities it needs to do what people ask of it. Which | makes it look bad, which encourages another cycle of | privatization... | | If you want functional government, stop electing people who | promise to break it. | dragonwriter wrote: | > How can they pay for something and not own it? | | Actually, quite easily, and it's cheaper that way | (especially if they pay to acquire it, and it wasn't | exclusively developed for them.) | | Which is also _why_ they would do that. | [deleted] | Zigurd wrote: | Contract software development is nearly always work-for-hire. | To not own the result of what is in common practice work-for- | hire is terrible contract management. Imagine a road paving | company claiming the state doesn't own the road they just | paved. | atx42 wrote: | I think it's called a toll road. Around me they are owned | by some French company. | lou1306 wrote: | Uhhh the Italian app wasn't developed by the state either, | but the government acquired and open-sourced most (all?) of | the code [1]. It's not that hard really. | | [1] https://github.com/orgs/immuni-app | ldoughty wrote: | This is the kind of issue that causes all that government | bloat... 
| | If I was a state employee and I wrote the app, and I had to | release the source code, then I'm making it very easy for a bad | actor to find a vulnerability and exploit it to leak the data | of citizens. | | One might respond: "Well software shouldn't have those holes! | Just because it's closed source, doesn't mean that won't happen | anyway" | | Also true, in an ideal world, the software should be free from | such vulnerabilities. | | However security by obscurity is a layer of defense... And | there might be other controls in place too to help.. e.g. a git | repo behind SSO... | | If I accidentally check in a CSV of a data dump, or my access | keys, etc... It doesn't immediately become a data leak/issue.. | I have at least some time to reconcile that.. but if the repo | is publicly accessible, the moment it hits the wire someone can | copy that data... | | One might follow up: "Well, they should not make the code if | they are not competent enough to write it and host it" | | Would be nice as well! But sadly there are only so many | developers that can do this kind of work with a very high level | of security and competence... By requiring governments to make | this code freely available, you could basically assume two | outcomes: nothing the government has on you will be secret, | including sealed records and private information. In addition, | IT workers would be paid 7-figures with 5-10 years of | experience, as every government project that touches software | now needs 5+ highly trained workers to avoid gigantic | lawsuits.. and no one could get an entry level job in | government because one bad commit could cause an 8-figure | lawsuit | | And just to throw in a silly extrapolation... I would love an | M109 Paladin tank... my tax dollars pay for them :-) | Kinrany wrote: | The price increase required by the higher quality of software | is roughly a fixed factor. The benefits that come from code | reuse are exponential.
| | If a government can't afford to release the sources in public | right away, a gradual transition is possible: vendors that | offer open source software have their prices multiplied by | 0.1 during bidding. And this factor of preference for open | source can be increased or decreased state-wide depending on | the budget. | dragonwriter wrote: | > If I was a state employee and I wrote the app, and I had to | release the source code, then I'm making it very easy for a | bad actor to find a vulnerability and exploit it to leak the | data of citizens. | | I have spent a lot of time in public sector IT and I've | rarely seen a management or information security team that | didn't subscribe to this kind of security through obscurity | thinking for internal code, including the management teams | that were completely behind _using_ open source code for | cost, robustness, and avoiding vendor risk. | [deleted] | fsflover wrote: | > However security by obscurity is a layer of defense... | | It's not: https://en.wikipedia.org/wiki/Security_through_obscurity#Cri.... | | See also: | https://en.wikipedia.org/wiki/Kerckhoffs's_principle. | xboxnolifes wrote: | > Security by obscurity _alone_ is discouraged and not | recommended by standards bodies | | A layer, not the only layer. | | > System security should not _depend_ on the secrecy of the | implementation or its components. | | It is not depending on it. It is just an additional layer | to delay or reduce impact. | InvertedRhodium wrote: | This was the proposed scenario that the GP put forward: | | > If I was a state employee and I wrote the app, and I | had to release the source code, then I'm making it very | easy for a bad actor to find a vulnerability and exploit | it to leak the data of citizens. | | Which doesn't seem to suggest any mitigation other than | the lack of published source code. | atx42 wrote: | I find it bizarre that anyone familiar with software | development would think this is a good idea.
| | I mean if gov't creates a useful API (eg. weather), or | creates some reusable useful module (eg. something like | hibernate), that would be nice. But, just generally | publishing everything? REALLY BAD IDEA. | UncleEntity wrote: | > And just to throw in a silly extrapolation... I would love | an M109 Paladin tank... my tax dollars pay for them :-) | | If they give you a tank they have one less tank to do stuff | with but if they give you a copy of software they still have | the ability to do stuff with the software. | | There's a whole bunch of software out there that has been | open sourced by government agencies like NASA and you don't | see satellites falling out of the sky on a regular basis. | gehwartzen wrote: | I'm not in software so maybe my viewpoint is just different | but I also wouldn't expect NASA to give me the mechanical | blueprints for a rocket, or even a concrete launch pad nor | would I expect the local government to give me the | electrical schematics for the stop light systems, even | though doing so would in no way prevent them from | continuing to use these systems/items | munk-a wrote: | Honestly, why not? It's quite likely there has been a | decent amount of information passing back and forth | between NASA and various private space companies - there | isn't a sane reason to require everyone to make the same | mistakes that you've already learned from. Additionally | while releasing rocket specifications probably won't | result in any at-scale replicas it's a good way to feed | the hobbyist community and possibly get some neat ideas | back. | | There are some components of rocketry that deserve | careful consideration in sharing (i.e. rocket fuels) but | a lot of those have mostly leaked at this point and the | government has other reasons to limit their production | and thus limits the supply of chemical components.
| | Much like with software there are going to be some secret | components related to communication and the like - but | those can be cherry picked from the information and | deliberately hidden... similar to how most software teams | don't check all their private SSH keys into public repos | (usually). | 6510 wrote: | > However security by obscurity is a layer of defense... | | In your example it would be _the_ layer of defense. But then | we still have to wonder who is the attacker? The assumption | made on the web page is that the developer is the attacker. | The obscurity then becomes a major issue rather than _the_ | defense. | | Yes, we will have to pay what it costs and we will have to | add extra developers. We all know the difference? | | I could write any government app or software but it would be | a slow process, it would be hostile to further development | and the security of it would be laughable. But from the GUI | you wouldn't notice the difference. Mine might actually be | nicer. | [deleted] | EMIRELADERO wrote: | I don't know if it exists for where you live, but you might be | able to make use of a public information law (FOIA-like) | HideousKojima wrote: | My most recent job was for a local government, and even though | I made a push for open sourcing our code, I never made much | headway. Plus, literally all of the other devs on my team | repeatedly committed secure credentials to git no matter how | many times I tried to teach them how to use a .gitignore file, | so it could have been a bit disastrous if my efforts had | actually made any headway | pooper wrote: | > Plus, literally all of the other devs on my team repeatedly | committed secure credentials to git no matter how many times | I tried to teach them how to use a .gitignore file | | Why do they even need to have access to production secure | credentials during development? 
Why not let them fall into | the "pit of success" so local development never talks to a | production server anywhere? | HideousKojima wrote: | >Why do they even need to have access to production secure | credentials during development? Why not let them fall into | the "pit of success" so local development never talks to a | production server anywhere? | | Because most local governments are 10 to 20 years behind on | anything remotely approaching best practices. It wasn't my | choice to run things that way. | slaymaker1907 wrote: | I'm not surprised. Even great devs sometimes slip up and when | you have enough people, someone is always slipping up. The | only real solution IMO is to have safeguards in place like | credential scanning (ideally both locally and on the server). | It's not foolproof, but it can help avoid or minimize a lot | of incidents. | KarlKemp wrote: | The German version is at https://github.com/corona-warn-app. | | It was expensive (18 million Euros I believe, but may be | wrong). But other than that, it was excellent from start to | finish. First release a few weeks after the API was available. | The source was divided into logical components of more or less | perfect size, it was straightforward, well commented, | responsive to PRs, worked, and had no security issues as far as | I remember. | jahewson wrote: | Define "belong". | goatcode wrote: | Any public money should bind the recipient to following public | laws that govern government, including access to information. | Don't like it as a corporation? Don't take public money. | j_leboulanger wrote: | https://code.gouv.fr/ | aeharding wrote: | Likewise, free public apis (for non-sensitive info, at least). | | I appreciate NOAA's api.weather.gov, rucsoundings.noaa.gov, and | other free public APIs. | | Also good to see the FAA dipping their toes in free public APIs | (api.faa.gov). 
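slaymaker1907's point above (safeguards such as credential scanning, locally and on the server) and the checked-in CSV dump / access-key scenario ldoughty raises earlier are shown below in working form. This is an added example, not code from any commenter, from the publiccode.eu campaign or from any particular scanner: the rule patterns, the constructed staged file contents, the sample .gitignore and the simplified gitignore matcher are all assumptions; the AWS access key ID format is the publicly documented one and the key value used is Amazon's documented example placeholder.

```python
"""Pre-commit secret scanning (constructed example).

Scans staged file contents for credential-shaped strings and for exports of
personal records before they reach a repository, and reports which of the
offending paths .gitignore would NOT have kept out anyway.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # 0 for file-level findings
    rule: str
    excerpt: str   # redacted, so the report itself does not leak the secret


# Credential shapes that commonly end up in commits. The AWS access key ID
# format (AKIA + 16 upper-case alphanumerics) is publicly documented; the
# remaining patterns are simple heuristics (assumed) and will have some
# false positives, which is the right trade-off for a pre-commit gate.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{8,}")),
    ("bearer-token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}")),
    ("db-connection-string", re.compile(r"(?i)\b[a-z]+://[^/\s:@]+:[^@\s]+@")),
]
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for identification and mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    """Line-by-line pattern scan of one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, rule, redact(m.group(0))))
    return findings


def looks_like_data_dump(text: str, min_rows: int = 3) -> bool:
    """Flag CSV-like content where several rows carry e-mail addresses,
    the shape of an accidentally committed export of personal records."""
    rows = text.splitlines()[1:]  # skip the header row
    hits = sum(1 for r in rows if r.count(",") >= 2 and EMAIL.search(r))
    return hits >= min_rows


def _pattern_matches(path: str, pat: str) -> bool:
    """Simplified .gitignore matching: anchored patterns, directory patterns
    and basename globs. Unlike git, '*' here also crosses '/'."""
    anchored = pat.startswith("/")
    pat = pat.lstrip("/")
    if pat.endswith("/"):  # directory pattern
        d = pat.rstrip("/")
        return path.startswith(d + "/") if anchored else d in path.split("/")[:-1]
    if anchored or "/" in pat:
        return fnmatch.fnmatchcase(path, pat)
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pat)


def is_ignored(path: str, gitignore: str) -> bool:
    """Last matching pattern wins; a leading '!' re-includes the path."""
    ignored = False
    for raw in gitignore.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if _pattern_matches(path, line[1:] if negate else line):
            ignored = not negate
    return ignored


def pre_commit_check(staged: dict[str, str], gitignore: str) -> list[Finding]:
    """Scan every staged file; an empty result means the commit may proceed."""
    findings = []
    for path, text in staged.items():
        findings.extend(scan_text(path, text))
        if looks_like_data_dump(text):
            findings.append(Finding(path, 0, "pii-data-dump", "multiple rows with e-mail addresses"))
    return findings


def uncovered_paths(findings: list[Finding], gitignore: str) -> list[str]:
    """Paths with findings that .gitignore would not have kept out of the repo:
    a secret hardcoded in a source file is exactly this case."""
    return sorted({f.path for f in findings if not is_ignored(f.path, gitignore)})


# Constructed staged contents. The AWS key is Amazon's documented example
# placeholder, not a live credential; the host names are made up.
STAGED = {
    "app/settings.py": 'DB_URL = "postgres://app:Sup3rSecretPass@db.internal/app"\nDEBUG = False\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "# Citizen portal\nRun `make dev`.\n",
    "export/residents.csv": "id,name,email\n1,A,a@example.com\n2,B,b@example.com\n3,C,c@example.com\n",
}
GITIGNORE = "*.env\n!example.env\n/export/\n"

if __name__ == "__main__":
    found = pre_commit_check(STAGED, GITIGNORE)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    print("not covered by .gitignore:", uncovered_paths(found, GITIGNORE))
    raise SystemExit(1 if found else 0)
```

Wired into a pre-commit hook, the real staged set would come from `git diff --cached --name-only` and the file contents from the index rather than the constructed `STAGED` dict, and the same scan should run again server-side on received pushes, since a local hook is easy to skip. The `uncovered_paths` result is the part .gitignore training alone cannot fix: `deploy/aws.env` and the export directory are covered, but the connection string in `app/settings.py` would reach the repository regardless, and only a scanner (or moving the secret into environment configuration) catches it.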
| bumper_crop wrote: | Suppose you are on a committee where you are evaluating 3 | different offers to build a website for your city. Bid A is for | $10m, Bid B is for $9.5m, and Bid C is for $9m. The company that | made offer B knows that they will likely lose the contract so | they counter. "If you let us keep the source code and it remains | private, we will bid $8.5m for the contract". Since all three | vendors are offering equivalent service, and vendor B is offering | a hefty $500,000 discount, how can you reasonably spend far more | of your city's money? That money could have gone to improve | schools or roads or make more competitive offers for city | employees. How can you justify spending a half million more on | software principle when there are other more pressing needs? | | Expecting software to be open source is nice when there is an | army of 10s of thousands of FAANG employees to constantly keep it | up to date, but less so when there's limited people. Sure, it | hypothetically could be kept up to date by the generous and | capable people of the city after the fact, but that's farfetched. | It isn't realistic or practical for a budget-conscious software | company to open themselves up to scrutiny, participate in the | open source community, accept bug fixes, do code reviews from | strangers, etc. It's _more_ expensive to do OSS, not less. | | (As an example, the Linux Kernel is mainly made by large | companies with lots of expensive employees. Pick your 10 favorite | GitHub projects with more than 10k stars and see who the primary | contributors are.) | rasulkireev wrote: | Well, making it open source is not the same as making regular | citizens/programmers work on it. | | You still pay the company to develop and maintain the software. | Same way as open source developers get "sponsored". The reason | is so that anyone who wants to see the code, suggest how to | make it better, or report a bug would be able to do so.
Furthermore, that work can be reused by other parts | of the government. | | That last point is why some companies wouldn't want to do it, | or would charge more. However, to your point, I think the | increased cost is worth it in this case. | | Sure, there are going to be less better roads/schools by 500k, | but the problem with that money is that there are rarely big | projects for that amount, so it's not like they would be put to | best use without being "lost" in the process of relocation. | dusted wrote: | Wow, nice one, Facebook! I'm trying to share the link, and I get: | | "Posts that look like spam according to our Community Guidelines | are blocked on Facebook and can't be edited." | yboris wrote: | Confirming - I'm unable to post to my Facebook wall! ___________________________________________________________________ (page generated 2022-04-27 23:00 UTC)