On Wednesday, the European Parliament agreed to a follow-up to the European Commission’s ‘EU Free and Open Source Software Auditing’ project (EU-Fossa). The plan for the next phase is included in the EU 2017 budget agreed by the European Parliament.
EU-Fossa is a one-year, EUR 1 million pilot project by the European Commission and the European Parliament. The project, which ends in December, is creating a formal process to let the European institutions contribute the results of software security reviews back to the open source communities. As a pilot, the EU-Fossa project checked the code for two open source projects, the Apache HTTP server and KeePass, a password manager.
For the next phase, MEPs Julia Reda, Max Andersson (both Greens/EFA), and Marietje Schaake (ALDE) have asked for the budget to be doubled. They also want to create an EC/EP bug bounty programme. The exact budget for the new project will be decided in November by the Council and the Parliament, Reda explains on her website.
On her blog, Reda quotes Dirk-Willem van Gulik, founder of the Apache Software Foundation: “There is great value (and need!) in building both capacity and capability in society to maintain key open source infrastructure code while also training the next cadre of developers. We need support for these communities in the long term, and that also means devoting significant resources to this.”
Meeting earlier this week, the EU-Fossa project team discussed the feedback that it had received from the Apache and KeePass developers. Some of these comments will probably end up as changes to the ‘open source code review methodology’, a detailed description of the planning, the actual code review and reporting of the results. This methodology was published on the EU-Fossa project website in July.