Please see the idea proposal, intended to aid the adoption of professional re-usable software, at: http://ow.ly/xk7M301ooji
Public sector procurement organisations such as Crown Commercial Services in the UK are guiding public sector organisations to facilitate the procurement of Open Source Software based solutions. However, there is little or no guidance on how to negotiate contracts and measure the effectiveness of open source software solutions compared with proprietary solutions.
The proposed "Custodian as a Service" is a set of guidance and toolkits to educate organisations about the commercial models of open source software suppliers and about which metrics to include when evaluating these solutions. Wrapped around this service is a set of governance services that independently validate the solutions.
Toolkit for procurement, providing guidance on contractual requirements when purchasing an Open Source solution:
- Practical resources to help take the pain out of the decision-making process
- Support and maintenance terms
- Security vulnerability management
- SLAs on security patching
- Transparency of what is in the code
- Open source software licensing and the implications related to licensing
- Training programme for procurement managers
Create a marketplace of open source software solutions where, by default, the code created becomes a virtual library of assets which can be reused to evolve and build other solutions.
The custodian model will create a self-sustaining ecosystem of suppliers who deliver services to ensure that the quality of solutions delivered to end customers meets the QA levels set out by the custodian.
The custodians have defined a governance model for open source projects operating under their auspices, based on the creation of a Custodian organisation that will manage the project on behalf of the broader community involved in the model.
The custodian will be responsible for:
- Creating and maintaining a version of that software ("the Gold Distribution") suitable for use in the community associated with the solutions, which meets appropriate standards of quality, safety and security for operational use
- Creating and supporting a community of users and other stakeholders to guide and participate in the design and development of the Gold Distribution
- Encouraging the development of a vibrant market of organisations able to provide products and services related to the Gold Distribution
In addition, the Custodian will:
- Consider options to allow it or others to provide limited warranties in relation to the Gold Distribution, similar to those offered by vendors of proprietary systems
- Take steps to ensure its own sustainability, independent of central funding from the public sector
The custodian will define an open source policy which suppliers of services have to meet for their solutions to be approved. The custodians will define a code of conduct which will be independently reviewed; they will measure the effectiveness of technical service suppliers, and the results will be shared transparently with end customers and the suppliers.
Each gold release will have a time-stamped report itemising all open source components used in the application and, for each component:
- Security vulnerabilities contained within the Open Source component, including their severity level
Open source licence compliance in line with Apperta's Open Source Policy:
- OSS licence analysis, legal obligations and potential intellectual property (IP) risks
- Component risk arising from developer activity, and the resulting component viability, determined from the commit history
- Outstanding issues that have already been reported but not resolved
Software maintenance reporting:
- Quality of code maintenance for each project
- Time to resolve issues
The open source policy should mandate the use of the European Union Public Licence (EUPL) to ensure all code is open and transparent.
Once the initial code review is complete and documented, the source code will be monitored for ongoing issues, with a monthly digest (or any other requested frequency) of new vulnerabilities. Monitoring for high-risk security vulnerabilities will be in real time, and alerts to stakeholders in the public sector organisations and to the named project stakeholders will be sent immediately. The alert procedure and the alerts themselves will be defined and managed in full cooperation with the public sector body.
Reporting in the monthly digest will include the status of vulnerabilities and the time taken to remediate issues. All components flagged as 'requiring remediation' in the source code will be included. If the public sector organisation has defined service level agreements for maintenance, the digest will highlight vulnerabilities that have not been remediated within the timeframe required by the SLA.
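As an added example (not part of the proposal or of any custodian tooling), the monitoring logic described above in Python: immediate alerts for open high-risk findings, an SLA-breach check, and a monthly digest with remediation times. The SLA timeframes, severity thresholds, component names and vulnerability identifiers are all assumed or constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA: days allowed to remediate, keyed by severity (illustrative values, not Apperta's).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# Severities treated as "high risk": monitored in real time and alerted immediately.
REALTIME_SEVERITIES = {"critical", "high"}

@dataclass(frozen=True)
class Finding:
    component: str                      # open source component and version from the release report
    vuln_id: str                        # placeholder identifier (constructed, not a real advisory id)
    severity: str
    reported: date
    remediated: Optional[date] = None   # None while the finding is still open

def needs_immediate_alert(f: Finding) -> bool:
    """Open high-risk findings bypass the digest and alert stakeholders at once."""
    return f.remediated is None and f.severity in REALTIME_SEVERITIES

def sla_breached(f: Finding, as_of: date, sla_days=SLA_DAYS) -> bool:
    """True if remediation took, or has so far taken, longer than the SLA allows."""
    deadline = f.reported + timedelta(days=sla_days[f.severity])
    return (f.remediated or as_of) > deadline

def monthly_digest(findings, as_of: date, sla_days=SLA_DAYS) -> dict:
    """Summarise vulnerability status, time to remediate and SLA breaches for the digest."""
    open_findings = [f for f in findings if f.remediated is None]
    closed = [f for f in findings if f.remediated is not None]
    days = [(f.remediated - f.reported).days for f in closed]
    return {
        "as_of": as_of.isoformat(),
        "open": len(open_findings),
        "requiring_remediation": sorted(f.component for f in open_findings),
        "mean_days_to_remediate": (sum(days) / len(days)) if days else None,
        "sla_breaches": sorted((f.component, f.vuln_id)
                               for f in findings if sla_breached(f, as_of, sla_days)),
        "immediate_alerts": sorted(f.vuln_id for f in open_findings if needs_immediate_alert(f)),
    }

# Constructed sample findings for one gold release (dates and ids are made up).
AS_OF = date(2016, 7, 31)
SAMPLE = [
    Finding("libfoo 1.2.0", "VULN-0001", "critical", date(2016, 7, 20)),
    Finding("libbar 3.1.4", "VULN-0002", "medium", date(2016, 7, 1), date(2016, 7, 10)),
    Finding("libbaz 0.9", "VULN-0003", "high", date(2016, 7, 25)),
    Finding("libqux 2.0", "VULN-0004", "low", date(2016, 4, 1), date(2016, 7, 15)),
]
```

Calling `monthly_digest(SAMPLE, AS_OF)` reports two open components, two SLA breaches (the open critical finding and the slowly fixed low one) and two immediate alerts.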