Open source policies in UK universities and colleges – what’s changed over the past 10 years?

As a result of the OSS Watch National Software Survey, we now have 10 years of survey data on open source in universities and colleges in the UK, so we can look at some long term trends. Today I’ve been looking at institutional IT policies.

Back in 2003, most IT policies in colleges and universities in the UK didn’t mention open source at all, while today that position is reversed.

We’ve also seen the demise of policies that prohibit open source; while at the same time policies that state a preference for open source also seem to be on the way out.


So, are universities and colleges moving towards a “level playing field” approach to open source and setting “equal consideration” policies? Perhaps; though IT policies are only a part of that equation.

We also have survey data from 2008-2013 for what types of software are being considered for procurement and deployment in practice:


So, equal consideration of open source software is on the increase, but there is still a long way to go; and if the rate of change over the past five years is anything to go by, we’ll never get there!

Perhaps what we’re seeing is a lag between changes in policy filtering through into changes to processes and practices – or perhaps it’s not filtering through at all.

For more information on open source policies and procurement processes, read our briefing note Decision factors for open source software procurement.

The full results of the 2013 OSS Watch National Software Survey will be published in January.

Is Open Source Insecure?

tl;dr: Open Source is inherently no more or less secure than closed source software.


For a more thorough answer to this question, we’ve just updated our briefing note, “Is Open Source Software Insecure? An Introduction To The Issues” where we look at some of the ways in which software is considered secure, and look at some of the common claims both for and against the security of Free & Open Source Software.

On the whole there are no significant differences in security between closed and open source software as a category. The key differences are between individual products, and the governance processes around security – something which applies to both closed and open source software.

Claims that Open Source is inherently insecure – or, conversely, that it is inherently more secure – are unfounded and should be challenged, particularly in the process of selecting and procuring software. Accepting such a generalisation may actually be increasing security risks for the organisation, by excluding the most fit-for-purpose solutions from consideration.

Photo by nolifebeforecoffee of a stencil by banksy.

Running open source virtual machines… on Microsoft Windows Azure? Welcome to the VM Depot

Last week I gave a talk on open source as part of a Microsoft Azure for Education day at UCL in London. I was sharing the stage with Stephen Lamb from Microsoft, who gave a great overview of the various open source projects that Microsoft are engaged in, including Node.js and PHP for Windows. But the main highlight was VM Depot.


VM Depot is a way to upload, share, and deploy virtual machine images on Microsoft’s Windows Azure cloud platform. For example, you can easily find common open source packages such as Drupal and WordPress on various Linux operating systems available as VMs, so that you can create and run your own instances.

This makes it very easy to get started with open source packages, as all the dependencies and related components and configuration are all set up and ready to use – for many packages this means just doing your customisation for things like your own web domain and personalising the user interface.

As well as the usual suspects such as Drupal, the VM Depot can host all kinds of other software; for example, you can deploy the Open Data portal platform CKAN. This opens up possibilities for using the service for more niche requirements, for example you could create a VM image of your research software and dataset to make it easier for reviewers to run your experiments. Or you can modify an existing image to include extensions and enhancements that may target a more specialist audience, for example you could create a WordPress image with templates and add-ons to run as an overlay journal rather than a regular blog.

So why is Microsoft doing this?

Well, it seems to fit as part of the drive towards Microsoft being less of a software company and more of a device manufacturer and cloud services provider. When it comes to offering cloud services, it’s less important what your customers choose to run on them, so much as making sure they can run whatever they need. For most organisations that usually means a mixture of closed source and open source packages; by offering the VM Depot, Microsoft can serve these customers as part of an existing relationship, rather than force them to go with other service providers for running open source products.

Microsoft have certainly come a long way since the infamous “cancer” remark.

For more on Microsoft and Open Source, check out Microsoft Open Technologies.

Open Source and Open Standards key to future of public sector IT

Last week Open Source, Open Standards 2013 took place in London, an event focussed on the public sector. Naturally, these being two topics we’re very keen on here at OSS Watch, I went along too.

Overall the key message to take away from the event was just how central to public sector IT strategy these two themes have become, and also how policy is being rapidly turned into practice, everywhere from the NHS to local government.

Tariq Rashid, the Open Source policy lead for the UK Government, spoke of the need for IT to be focussed on user needs, and to deliver sustained value, by moving from “special” software procured for the public sector, to services delivered using commodified IT.

Even where services are unique to the public sector, Rashid and other speakers at the event made the case that most elements of such services can be delivered by building on commodified IT. For example, the open source CMS Drupal is used for delivering increasing numbers of public sector IT services, and the Government Digital Service builds its services from open source components.

The two strategies of Open Source and Open Standards are necessary as they create the ‘competitive tension’ needed to drive down cost and improve sustainability.

Mark Bohannon of Red Hat gave an overview of the global landscape of Open Source in government, in the US and UK, and identified the UK policies as being particularly forward looking. Mark positioned Cloud and Big Data as two key areas where Open Source and Open Standards were critical, calling out OpenStack and Hadoop as particular cases, and also provided some great case studies on open source from the military and from space exploration.

Mark made the point that Open Source and Open Standards underpin a more fundamental change in IT, away from big IT projects towards IT that is agile, modular and responsive to user needs.

Ian Levy of CESG dispelled some myths around security and Open Source (“If anyone in UK government says CESG has banned open source send their name to me and I’ll have them killed”) and made the case for a common sense approach to security, whether the software or service is open source or closed source.

Mark Taylor from Sirius has long been an advocate for open source in the public sector, and it was good to be at a point where the message has been heeded! He began with a nice Schopenhauer quote:

All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident.

In the talk he provided lots of practical advice for public sector organisations on putting Open Source into practice, which included calling on those writing tenders to focus on user needs instead of naming technology solutions. Mark also gave a workshop later in the day where he continued this theme, expanding on how public sector organisations and companies had made transitions to open source. It’s not very easy to summarise here in a post, but I found the information very practical and useful; for example, when transitioning IT, to start with the systems furthest away from users, such as backend services and infrastructure, to avoid sparking the usual neophobia when you change technologies for users.

Inderjit Singh gave an overview of the NHS standards-based approach to IT, with some nice background on which approaches had been tried and where the current strategy is going. The current approach has been to use a programme of change projects involving SMEs that have engaged 40 new suppliers, and which is accelerating the take up of the standards.

Singh asserted that standards are fundamental for enabling an open architecture, and that open source and open standards go hand in hand in delivering value for users.

After some workshop sessions, we had Alasdair Mangham from the London borough of Camden giving us a look into how they’ve been building services using open source software in collaboration with SMEs. This involved a major shift in contracting – rather than write a huge set of requirements in a tender document, they disaggregated the project and bought in specialist capabilities (in usability, service design, SOA etc.) as needed in smaller chunks of time using an agile process.

Graham Mellin gave an overview of the Met Office’s new space weather system, built using open standards and open source software; for their own specialist systems they decided to go down the route of making it Open Source rather than the private partner sharing route, as a result of an exploitation planning process.

I met with a lot of people at the event, from suppliers, local government, NHS and national government departments, and it was good to get a sense of how the public sector is moving – whatever the pace in individual areas – towards this vision of more affordable, sustainable and user focussed IT, and better utilising the capabilities of UK SMEs and startups.

As we pointed out recently in our post in the Guardian, Higher Education in particular is in a strong position in this area as a result of past investments in Open Source and Open Standards, and we now need to think about how we take that forward.

As Mark Taylor pointed out in his talk, the public sector accounts for over half of IT spend in the UK – and we can choose to either unite and use that market power to shape the future, or be divided up and conquered.

Open Source meets Open Standards

OSS Watch Briefing Paper: Open Standards and Open Source

Open source software and open standards are two of the key interventions in technology policy, whether that policy is made by governments, public sector organisations, or companies.

Open standards can ensure interoperability and assist portability, allowing the switching of solutions and avoiding vendor lock-in. Standards can also help to create new markets, and can also encourage innovation within markets by imposing useful constraints.

Open source software offers benefits of greater flexibility and the potential for reduced development costs and better software quality through collaboration and reuse.

Together, open source and open standards provide the basis for solutions that offer interoperability, cost reduction, and flexibility; no wonder they are seen as such a powerful tool for technology policy!

However, what’s often less clear is how the two interact in practice. There is, for example, a fairly widely-held view that open source software is somehow inherently more likely to support open standards. However, in practice this is not necessarily the case, and there are a number of barriers that can actually make it less likely for open source projects to implement standards than their closed-source counterparts.

Open source and open standards should complement one another – but they can also counteract each other’s benefits if policies are developed without paying attention to the way they interact.

For example, implementation of a standard requires access to documentation; in many cases this involves payment for access, or paid membership of a consortium – something that open source projects may have difficulty with unless a benefactor or sponsor does this on their behalf. Also, if a project wishes to publicly claim that it implements a standard, this may involve a formal conformance process requiring paying fees for testing and accreditation.

So for policy makers and CIOs, the selection of standards, and the standards setting organisations they originate from, can have a significant impact on the availability of open source solutions to meet their requirements.

Mandating standards that involve patent licensing fees, mandatory expensive conformance testing and assurance, and restricted access to documentation will exclude many potential solutions and providers. This will have the impact of increasing costs, and potentially eliminating the benefits of standardisation altogether if organisations have little practical prospect of switching suppliers.

Conversely, if standards are selected that provide a low barrier to entry to open source, then this can be good not just for individual solution procurement, but for interoperability as a whole. Unlike closed-source solutions, with open source it is possible to inspect the implementation of standards and to conduct independent interoperability and conformance testing rather than rely principally on vendor claims. The presence of open source implementations can also influence uptake of a standard; either by making open source libraries available for use within other products, or by providing a good target for interoperability testing for other entrants.

Open source and open standards are key components in technology policy; but it’s important to know how they can work together – and potentially work against each other.

A new OSS Watch briefing paper provides an overview of the main issues facing implementation of standards for open source projects and developers; for more information see Open Standards and Open Source.


UK Government mandates preferential selection of open source

While the UK government has for some time now been taking measures to level the playing field for open source software in the public sector, for example by pointing out open source options for proprietary systems, the new Government Service Design Manual goes one step further – mandating a preference for open source for government digital services.

An article in Computer Weekly pulls out some of the key paragraphs of the manual, which state that open source should be preferred “in particular for operating systems, networking software, web servers, databases and programming languages” and that proprietary products should only be used in some specific cases – and in those cases to use open standards to avoid lock-in.

A recent article on the new DCMS intranet service exemplifies the new approach to government web services, with the WordPress-based system costing 90% less than the one it replaces.

(Note that the Design Manual applies to creating government digital services, rather than for procuring software in general.)

OSS Watch releases Open Source Options for Education

We’ve written several times recently about the UK Cabinet Office’s Open Source Procurement Toolkit, and the Open Source Options document that forms part of it.

The original document lists open source alternatives for common proprietary solutions that might be used in government and public sector organisations. The types of software solutions listed are mostly generic packages such as operating systems and office productivity suites that would be of use to most organisations. While it contains some software for specialist areas, the document is designed to be broad, so it doesn’t go into the detailed needs of each area.

With OSS Watch’s focus on open source within education, we’ve produced a document entitled Open Source Options for Education to complement the Cabinet Office’s, which focuses solely on open source alternatives to proprietary solutions used in educational establishments.

Working with the educational community and with the communities around many of the featured projects, we have compiled a list covering various areas of administration and content production that are specific to education, as well as tools that may be used for teaching specific subjects.  Where possible, we’ve included real-world examples of their usage.

As the document has the same goals as the cabinet office’s, the guidance we wrote on making use of theirs applies here too.

While some of the tools we’ve included may be generic packages that are included as such in the cabinet office’s document, we’ve looked at them specifically in the context of their application to an educational situation, such as using an office package to author e-books.

OSS Watch would like to thank all of those who contributed to this first version of this document.  If you feel that you have a contribution to add, be it an open source alternative to a common piece of proprietary educational software, or an example of one of those pieces of software listed being used in an educational context, you can add your contribution on the publicly editable version of the document, or get in touch with us directly.

O̶p̶e̶n̶ ̶S̶o̶u̶r̶c̶e̶ Software Policies

If you make decisions regarding software procurement in your institution or business, I’d highly recommend you read this article from Opensource.com. In it, Gunnar Hellekson of Red Hat shows that an “open source software policy” can be easily re-written to apply to all software, in a lot of cases by simply removing the phrase “open source”.

There’s always been a lot of FUD surrounding open source software, often produced by the marketing teams of its competitors. Taking the USA’s IRS open source policy as an example, Hellekson, rather than trying to debunk or gloss over the potential risks associated with adopting open source, shows that these risks apply to proprietary software in exactly the same way.

I’ll just take one of his examples from the document mentioned above:

Open source software, while it can be useful in many instances and appear to be cost effective, may present a security risk because open source developers don’t typically follow security best practices when developing their software.

It’s laughable to think that this should be exclusive to open source software. Even assuming it’s true that open source developers don’t typically follow the best security practices (Hellekson argues it’s not, as would I), the licence applied to a piece of software makes no difference to the security practice of its developers.

If your developer isn’t security conscious, the fact that no-one outside the company can read the source code isn’t going to change that. When procuring any software, you should always be prepared to mitigate the risk that the software’s not secure.

I was going to finish this post by giving the UK Government’s open source guidelines the same treatment that Hellekson gave to the IRS’s, but it would be unwarranted. Reading through the guidelines, they serve to educate the reader that open source and proprietary software should be treated as one and the same when assessing systems. A flaky open source system shouldn’t be chosen over a robust and secure proprietary system, nor should a robust and secure proprietary system be chosen over a robust and secure open source system purely on the basis of the licence.

While it’s easy to see that the proprietary or open source licence applied to a solution shouldn’t affect whether or not you choose it, at OSS Watch we know it can be hard to assess open source solutions on a level playing field with proprietary ones. Proprietary software is often presented as a single package for you to assess, while an open source solution may consist of several parts from different commercial and community sources. If you’d like help assessing software solutions in an unbiased way, send us an email to info@oss-watch.ac.uk.