Public sector purchasing and procurement organisations such as Crown Commercial Services in the UK are guiding public sector organisations to facilitate the purchasing of open source software based solutions. However, there is little or no guidance on how to negotiate contracts and measure the effectiveness of open source software solutions compared to proprietary solutions.
The "Custodian as a Service" is a combination of guidance and toolkits that will educate public sector organisations about the commercial models of open source software suppliers and what metrics to include to evaluate these solutions. Wrapped around this service is a set of services to govern and independently validate the solutions.
The toolkit for FOSS Purchasing will provide guidance on contractual requirements when purchasing an open source software solution, including:
- Practical resources to help take the pain out of the decision making process
- Support and maintenance terms
- Security vulnerability management
- SLAs for security patching
- Transparency of what is in the source code
- Open source software licensing and implications related to licensing
- Training program for procurement and purchasing managers
This will enable a viable marketplace of open source software solutions where, by default, the code created becomes a virtual library of assets which can be reused and evolved to build other related solutions.
The custodian model will create a self-sustaining ecosystem of suppliers that deliver services to ensure the quality of solutions offered to end customers meets the QA levels set out by the custodian.
The custodians define a governance model for open source projects operating under their auspices, based on the creation of a custodian organisation that will manage the project on behalf of the broader community involved in the model.
The custodian will be responsible for:
- Creating and maintaining a version of that software suitable for use in the community associated with the solutions, one that meets appropriate standards in terms of quality, safety and security for operational use
- Creating and supporting a community of users and other stakeholders to guide and participate in the design and development of the solution
- Encouraging the development of a vibrant market of organisations able to provide products and services related to the solution
In addition the Custodian will:
- Consider options to allow it or others to provide limited warranties in relation to the solution, similar to those offered by vendors of proprietary systems.
- Take steps to ensure its own sustainability independent of central funding from the public sector.
The custodian will define an open source policy which suppliers of services have to meet to be approved solutions. The custodians will define a code of conduct which will be independently reviewed, will measure the effectiveness of technical services suppliers, and will be shared transparently with end customers and the suppliers.
Each gold release will have a time-stamped report itemising all open source components used in the application, covering for each component:
- Security vulnerabilities
  - Security vulnerabilities contained within open source components, including the severity level of each
- Open source licence compliance in line with the overall Open Source Policy
  - Open source software licence analysis, legal obligations, and potential intellectual property (IP) risks
- Community support
  - Component risk derived from developer activity, and the resulting component viability, based on commit history
- Remediation status
  - Outstanding issues that have already been reported but not resolved
- Software maintenance reporting
  - Quality of code maintenance for each project
  - Time to resolve issues
The open source policy should mandate, where possible, the use of the European Union Public Licence (EUPL) to ensure all code is open and transparent.
Once the initial code review is complete and documented, the source code will be monitored for ongoing issues. On an ongoing basis, a monthly digest (or any other requested frequency) of new vulnerabilities will be produced. Monitoring for high-risk security vulnerabilities will be in real time, and alerts to stakeholders in the public sector organisations and the named project stakeholders will be sent immediately. The alert procedure and the alerts themselves will be defined and managed in full cooperation with the public sector body.
Reporting will include the status of vulnerabilities and the time taken to remediate issues in the monthly digest. All components flagged as ‘requiring remediation’ in the source code will be included. If the public sector organisation has defined service level agreements for maintenance, the reports will highlight vulnerabilities that have not been remediated within the time frame required by the SLA.
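As an added illustration of the monitoring and digest reporting described above (this is example code, not part of the Custodian as a Service toolkit), the script below takes a constructed list of component findings and an assumed SLA table, separates the high-risk findings that need an immediate alert from those held for the monthly digest, and flags findings that have exceeded the SLA remediation window. All component names, advisory ids, dates and SLA values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed SLA (constructed): maximum days allowed to remediate, per severity level.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass
class Finding:
    component: str             # open source component in the gold release
    advisory: str              # placeholder advisory id, not a real identifier
    severity: str              # "high", "medium" or "low"
    reported: date             # date the vulnerability was reported
    remediated: Optional[date] # None while the issue is still outstanding


def days_open(f: Finding, today: date) -> int:
    """Days between report and remediation, or until today if unresolved."""
    end = f.remediated or today
    return (end - f.reported).days


def is_sla_breached(f: Finding, today: date) -> bool:
    """True when remediation took (or has so far taken) longer than the SLA allows."""
    return days_open(f, today) > SLA_DAYS[f.severity]


def needs_immediate_alert(f: Finding) -> bool:
    """High-risk, unresolved findings are alerted in real time rather than held for the digest."""
    return f.severity == "high" and f.remediated is None


def monthly_digest(findings: List[Finding], today: date) -> List[str]:
    """One line per finding: status, days open, and an SLA breach marker where applicable."""
    lines = []
    for f in findings:
        status = "remediated" if f.remediated else "requiring remediation"
        flag = " [SLA BREACH]" if is_sla_breached(f, today) else ""
        lines.append(f"{f.component} {f.advisory} {f.severity} {days_open(f, today)}d {status}{flag}")
    return lines


# Constructed sample data for a digest run on 31 March 2024.
TODAY = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("libfoo", "ADV-0001", "high", date(2024, 3, 20), date(2024, 3, 25)),   # 5d, within SLA
    Finding("libbar", "ADV-0002", "high", date(2024, 3, 10), None),                # 21d open, breach + alert
    Finding("libbaz", "ADV-0003", "medium", date(2024, 2, 15), None),              # 45d open, breach
    Finding("libqux", "ADV-0004", "low", date(2024, 3, 1), date(2024, 3, 20)),     # 19d, within SLA
]
```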