The EU-FOSSA community pages provide information on the status and results of the EU-Free and Open Source Software Auditing (EU-FOSSA) project. EU-FOSSA will offer a systematic approach for the EU institutions to ensure that widely used critical software can be trusted. The project will help reinforce the contribution of EU institutions to ensuring and maintaining the integrity and security of key open source software.
EU-FOSSA is managed by the European Commission's Directorate General of Informatics (DIGIT), and implements the European Parliament's Pilot Project "Governance and quality of software code – Auditing of free and open source software".
Recent discoveries of vulnerabilities in critical information infrastructure have drawn the broader public's attention to the need to understand how the governance and quality of the underlying software code relate to basic safety and public trust in applications that are used on a day-to-day basis. As both the general public and the EU institutions regularly use free and open source software, from end-user device applications to server systems, the need for coordinated efforts to ensure and maintain the integrity and security of that software has been highlighted by the European Parliament itself. This pilot project will offer a systematic approach to achieving a goal to which the EU institutions themselves can contribute, namely ensuring that widely used critical software can be trusted.
The supporters of this pilot project believe that learning from best practices in free and open source software development, well-defined processes, goals and responsibilities for code review within the institutions could improve the situation. This would also set a precedent allowing the institutions to contribute to the development of a common set of trustworthy software building blocks and thereby a more secure future throughout the IT landscape. The FOSSA pilot project has three parts:
- Comparative study of the European institutions' and free and open source communities' software development practices, and a feasibility study on how to perform a code review of free and open source projects for European institutions.
- Definition of a unified methodology to obtain a complete inventory of the free and open source software and technical specifications used within the European Parliament and the European Commission, and the actual collection of that data.
- Sample code review of selected free and open source software and/or libraries, particularly targeting critical software whose exploitation could lead to a severe disruption of public or European services and/or to unauthorized access.
More information on how the project is implemented is available here.