The world runs on open source, which serves as the foundation for globally interconnected digital infrastructure. With an estimated 97% of codebases containing open source, both the private and public sectors depend on the maintenance of open source software (OSS), but governments have untapped potential as leaders in the OSS community. Currently, most engagement has centered around security. Earlier this year, GitHub attended the White House meeting on software security where participants discussed the unique value and security challenges of OSS. While securing OSS is an important concern, full stack federal OSS policy requires dialogue between policymakers, practitioners, and wonks. To this end, GitHub was proud to attend the June 8 roundtable discussion, From Procurement to Policy: Towards OSS Infrastructure, in Washington, D.C.
The event kicked off with a bold question posed by Harvard Business School professor Frank Nagle: “What would a federal open source policy agenda look like?” Building on his Brookings policy brief, Nagle proposed actionable steps the public sector could take to cultivate a thriving OSS ecosystem, from understanding and supporting the open source ecosystem to establishing a federal Open Source Program Office (OSPO). A federal OSPO could coordinate OSS efforts across agencies, including those among the thousands of government organizations around the world already using GitHub for government work. As the meeting progressed, speakers addressed the political and organizational challenges to federal open source publishing and discussed how renewed commitment to 18F and the Federal Source Code Policy could bolster US support for digital infrastructure.
Digital infrastructure is global, and US OSS policy should reflect the globally interconnected nature of OSS contributors while building domestic capacity. To that end, OpenForum Europe presented a survey of EU open source policy objectives and how governmental OSPOs can learn from the private sector. Explaining the architecture of Germany’s Sovereign Tech Fund, speakers argued that OSS policy is about more than public sector adoption: it also means using strategic funding and legal mechanisms to support healthy and secure OSS. When it comes to OSS support, sustained funding is crucial; when support for the Open Technology Fund was at risk, GitHub joined the public call to renew it. Finally, the Digital Impact Alliance presented the Digital Public Goods Charter, a multistakeholder effort to enable developing countries to build safe, trusted, and inclusive digital public infrastructure at scale. GitHub affirms that OSS is a public good, and has launched research projects to define a list of platform usage metrics by country for the international development, public policy, and economics disciplines, as well as to measure the economic impact of open source.
Building on the ideas posed by the speakers, participants joined breakout sessions where they proposed and led the discussion topics themselves. While the speakers posed bold questions, the participants worked through detailed solutions, from where to broker global cooperation on OSS policy to how to implement federal open source programs that survive changes of administration. The ideas raised at the roundtable were a rich backdrop for bringing a diverse group of people, whether the founder of a startup or a lifelong policymaker, into one room to imagine the transformative potential of open source. GitHub intends to foster open source policy champions in all sectors and at all levels of government. We’ve advocated for open source collaboration to policymakers in Congress, at the US Copyright Office, and at events including RightsCon and the Internet Governance Forum. These efforts continue with people getting together, thinking big, and talking it out, and on June 8, 2022, we did just that.
If you have ideas for the next roundtable, or want to be added to the mailing list, get in touch via the US Open Source Policy Google Group.