
Support Request for Project tbsequencing.who.int

Open sachalau opened this issue 4 months ago • 2 comments

  1. Category of support requested:
  • [x] Choosing an open source licensing (outbound)
  • [ ] Open source license compliance (inbound)
  • [ ] Building a community of contributors
  • [ ] Open source governance for a project
  • [ ] Managing open source contributions
  2. Type of support proposed:
  • [ ] Guides or available policies
  • [x] Advice or accompaniment
  • [ ] Direct input (may not always be possible)
  • [ ] Other
  3. Additional context or information about the project:

Dear WHO OSPO,

Thank you for creating the wealth of resources and leading the adoption of open source principles at the WHO.

I am a scientist working at FIND (www.finddx.org) and I have been developing, in collaboration with the WHO Global Tuberculosis programme (https://www.who.int/teams/global-tuberculosis-programme), a portal designed to assist the community in identifying new antimicrobial resistance markers from DNA sequencing data in tuberculosis (https://tbsequencing.who.int).

In alignment with our donor's philosophy, we would like to open source all code sustaining the resources, so that country and local health programmes that have expressed interest can replicate the set of tools that we have developed for their own needs. I have had previous meetings with colleagues at the WHO IMT to start the initial conversation and both WHO IMT and I had identified that the WHO OSPO could provide some guidance on a proper open sourcing of the resources.

Our resource is composed of different layers. Our infrastructure configuration is implemented using Terraform (the solution relies on one of the main public cloud providers), our backend in Python/Django and our frontend in ReactJS.

Of course, one critical component to consider is the security implications, because open sourcing could provide attack surface(s) to antagonists. We have consulted with our partners maintaining the cloud resources and we have agreed on the following steps to complete before open sourcing:

  • Creation of new repository remotes, removing all git commit history data
  • Removal of all CI/CD configuration files to protect near-secrets, such as public cloud resource identification values
  • Two-pass reviews of infrastructure configuration files to check for remaining near-secrets

During development, we have tried to apply the most recognized best practices regarding cybersecurity, and have been careful never to use hard-coded secrets in our code. We have also used static code analysis to identify potential security concerns.

We have not yet chosen a license. One other thing I was wondering was whether our future remotes, which will hold the cleaned-out, validated code for our different repositories, could live in the WHO GitHub organization. At the moment, our remotes live in two different places, one being FIND's GitHub organization, and the other the Bitbucket of our partners maintaining the cloud resources.

sachalau, Oct 16 '24 13:10
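The pre-publication steps listed in the issue (drop the CI/CD files, then sweep the infrastructure files for near-secrets such as cloud account identifiers) are the kind of check worth automating so the two review passes start from a machine-generated hit list rather than from scratch. The script below is an added example and is not the tbsequencing project's code; the regexes, file layout and sample files are assumptions constructed for illustration, and the constructed sample repository is written to a temporary directory so the example runs offline.

```python
"""
Added example: a pre-publication sweep for near-secrets and leftover CI/CD
configuration in a repository about to be open-sourced. Not the project's
own code; the patterns below are illustrative assumptions, not an
exhaustive list.
"""
import re
import tempfile
from pathlib import Path

# "Near-secrets": values that identify cloud resources without being
# credentials. A 12-digit run also matches unrelated numbers, so hits from
# these patterns are meant to be reviewed by hand, not rejected outright.
NEAR_SECRET_PATTERNS = {
    "aws_account_id": re.compile(r"(?<![\w-])\d{12}(?![\w-])"),
    "aws_arn": re.compile(r"arn:aws[\w-]*:[\w-]*:[\w-]*:\d{12}:[^\s\"']+"),
    "azure_guid": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
}
# Real secrets: these should never appear, whatever the review outcome.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(password|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# CI/CD files the issue says must be removed before publication (assumed names).
CI_CONFIG_MARKERS = (".github/workflows", ".gitlab-ci.yml",
                     "bitbucket-pipelines.yml", "Jenkinsfile")
SKIP_DIRS = {".git", "node_modules", ".terraform"}
SCAN_SUFFIXES = {".tf", ".tfvars", ".py", ".js", ".jsx", ".ts", ".tsx",
                 ".yml", ".yaml", ".json", ""}


def scan_file(path: Path, root: Path) -> list:
    """Return (severity, kind, relative path, line number, match) tuples."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    rel = path.relative_to(root).as_posix()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SECRET_PATTERNS.items():
            findings += [("secret", kind, rel, lineno, m.group(0)) for m in rx.finditer(line)]
        for kind, rx in NEAR_SECRET_PATTERNS.items():
            findings += [("near-secret", kind, rel, lineno, m.group(0)) for m in rx.finditer(line)]
    return findings


def leftover_ci_files(root: Path) -> list:
    """CI/CD configuration files still present in the working tree."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or any(part in SKIP_DIRS for part in p.parts):
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == m or rel.startswith(m + "/") for m in CI_CONFIG_MARKERS):
            hits.append(rel)
    return sorted(hits)


def scan_repo(root) -> dict:
    """Sweep a checkout and return the hit list for the manual review passes."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or any(part in SKIP_DIRS for part in p.parts):
            continue
        if p.suffix in SCAN_SUFFIXES or p.name.startswith(".env"):
            findings.extend(scan_file(p, root))
    findings.sort(key=lambda f: (f[2], f[3]))
    return {
        "secrets": [f for f in findings if f[0] == "secret"],
        "near_secrets": [f for f in findings if f[0] == "near-secret"],
        "ci_files": leftover_ci_files(root),
    }


def build_sample_repo() -> Path:
    """Constructed sample checkout (not real project files) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="prepub-"))
    (root / "terraform").mkdir()
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / "backend").mkdir()
    # Near-secret: a role ARN that pins a (made-up) account ID.
    (root / "terraform" / "main.tf").write_text(
        'resource "aws_iam_role" "api" {\n'
        '  name = "api-role"\n'
        '  # deploy role in the production account\n'
        '  managed_policy_arns = ["arn:aws:iam::123456789012:role/deploy"]\n'
        '}\n')
    # Leftover CI/CD file carrying the same account ID.
    (root / ".github" / "workflows" / "deploy.yml").write_text(
        "name: deploy\nenv:\n  AWS_ACCOUNT_ID: 123456789012\n")
    # Clean: the Django secret is read from the environment, not hard-coded.
    (root / "backend" / "settings.py").write_text(
        'import os\nSECRET_KEY = os.environ["DJANGO_SECRET_KEY"]\n')
    return root


if __name__ == "__main__":
    report = scan_repo(build_sample_repo())
    for key, rows in report.items():
        print(key, *rows, sep="\n  ")
```

The sweep only inspects the working tree, so it complements rather than replaces the first step in the issue: anything committed and later deleted lives on in the old history and is only removed by publishing from a fresh remote without that history.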