
Removing Barriers to the Uptake of Open Source Software - Open Source Public Sector Procurement Service - "Software Custodian as a Service"


Anonymous (not verified)
Published on: 18/06/2016 News Archived

Please see idea proposal here to aid adoption to professional re-usable software at:


Public sector procurement organisations such as Crown Commercial Services in the UK are guiding public sector organisations to facilitate the procurement of Open Source Software based solutions. However, there is little or no guidance on how to negotiate contracts and measure the effectiveness of open source software solutions compared to proprietary solutions.

The proposed "Custodian as a Service" is guidance and toolkits to educate organisations about the commercial models of open source software suppliers and what metrics to include when evaluating these solutions. Wrapped around this are a set of services to govern and independently validate the solutions.

Toolkit for procurement to provide guidance in contractual requirements when purchasing an Open Source Solution 

  • Practical resources to help take the pain out of the decision making process
  • Support and maintenance terms
    • Security vulnerability management
    • SLAs on security patching
  • Transparency of what is in the code
  • Open source software licensing and implications related to licensing
  • Training program for procurement managers


Create a marketplace of open source software solutions where, by default, the code created becomes a virtual library of assets which can be reused to evolve and build other solutions.

The custodian model will create a self-sustaining ecosystem of suppliers who deliver services to ensure the quality of solutions delivered to end customers meets the QA levels set out by the custodian.

The custodians have defined a governance model for open source projects operating under its auspices, based on the creation of a Custodian organisation that will manage the project on behalf of the broader community involved in the model.

The custodian will be responsible for:

  • Creating and maintaining a version of that software (“the Gold Distribution”) suitable for use in the community associated with the solutions, one that meets appropriate standards of quality, safety and security for operational use;
  • Creating and supporting a community of users and other stakeholders to guide and participate in the design and development of the Gold Distribution;
  • Encouraging the development of a vibrant market of organisations able to provide products and services related to the Gold Distribution.

In addition the Custodian will:

Consider options to allow it or others to provide limited warranties in relation to the Gold Distribution similar to those offered by vendors of proprietary systems.

Take steps to ensure its own sustainability independent of central funding from the public sector.

The custodian will define an open source policy which suppliers of services have to meet for solutions to be approved. The custodians will define a code of conduct which will be independently reviewed, will measure the effectiveness of technical services suppliers, and will be shared transparently with end customers and the suppliers.

Each Gold release will have a time-stamped report itemising all open source components used in the application and, for each component:

  • Security vulnerabilities
    • Security vulnerabilities contained within Open Source components including the level of security
  • Open Source License Compliance in line with Apperta’s Open Source Policy
    • OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks
  • Community support
    • Determines component risk to developer activity and resulting component viability based on commit history
  • Remediation Status
    • Outstanding issues that have already been reported but not resolved
  • Software maintenance reporting
    • Quality of code maintenance for each project
      • Time to resolve issues
      • Responsiveness

The open source policy should mandate the use of the European Union Public Licence (EUPL) to ensure all code is open and transparent.

Once the initial code review is complete and documented, the source code will be monitored for ongoing issues. On an ongoing basis, a monthly digest (or a digest at any other requested frequency) of new vulnerabilities will be provided. Monitoring for high-risk security vulnerabilities will be real time, and alerts to stakeholders in the public sector organisations and the named project stakeholders will happen immediately. The alert procedure and alerts will be defined and managed in full cooperation with the public sector body.

Reporting will include the status of vulnerabilities and the time taken to remediate issues in the monthly digest. All components flagged as ‘requiring remediation’ in the source code will be included. If the public sector organisation has defined service level agreements for maintenance, the reporting will highlight vulnerabilities that have not been remediated within the timeframe defined in the SLA.

City/Location: London