European public services should actively contribute to the long-term sustainability of the open source software they use, by supporting long-term maintenance projects rather than purely focusing on new projects. This is one of the key findings of the FOSSEPS Critical Software Study Report published today.
Public administrations use open source software extensively, not only in their data centres but also via business applications that fulfil civic functions. Some of this software is deemed "critical": software whose failure could have a significant impact on public services. Such failures can arise from problems such as a lack of long-term upkeep, evolution and maintenance.
The FOSSEPS Critical Software study was launched in November 2021 to identify (and suggest ways to fix) the critical software in use at European public services. The study team, led by Deloitte (supported by Inno3, a specialist open source company from Paris), received 21 responses from survey questionnaires sent to over 191 European public services. Separately, 13 open source sustainability and security experts were also interviewed. The authors write that the low response rate from public services "reflects the complexity of the subject, rather than a lack of effort or enthusiasm". They add: "It emerged that public services do not have adequate technology tools to establish open source software dependencies."
The researchers compiled a list of 30 critical open source software projects. Examples include Curl, software for interacting with web content; M2crypto, a Python wrapper for OpenSSL; and Libxml2, a library for parsing XML documents. Development of each of these projects involves roughly a handful of developers or fewer. These projects have a low "bus factor": there is a high risk that information and capabilities are not shared among team members in case "they get hit by a bus".
In the study, the Commission emphasises that it does not wish to create alarm about any of the examples listed.
Bills of materials
In addition, the authors recommend that public services financially and technically support the use of open source tools that show transitive dependencies and generate reliable software bills of materials (SBOMs), and that they support community initiatives to define metrics and methodologies for identifying open source projects in need of external help with maintenance.
The study was widely welcomed by European public services, with several commending the European Commission's effort on the sustainability of critical open source software. According to the report, public services "have a high awareness of security issues, and now, they are increasingly aware of sustainability."
The study is part of the European Commission's Free and Open Source Software Solutions for European Public Services project, or FOSSEPS. The EUR 500,000 project is an initiative of the European Parliament. The FOSSEPS team can be contacted via the EC OSPO email address DIGIT-OSPO@ec.europa.eu.