
Documentation or transparency on the use of open source?

Open NoureenS opened this issue 6 years ago • 8 comments

Should there be a publish and record of all open source libraries being used across GC? As an example, sharing how this is currently maintained for Microsoft projects: https://3rdpartysource.microsoft.com/

NoureenS, Nov 28 '18 20:11

That's partially what https://github.com/canada-ca/ore-ero is, but license disclosure is a little different

nschonni, Nov 28 '18 20:11

Getting to something like this would be great for both open source disclosure purposes as well as overall security wins. 👍

obrien-j, Dec 11 '18 15:12

Maintaining such a list would be a huge undertaking. Also, that list shows the open source that is packaged with their releases, not the development dependencies used.

LaurentGoderre, Dec 12 '18 18:12

Valid points. I think we really are looking at a pilot project for now to manually point to GC projects or indeed packaged OSS in use in the GC.

From a disclosure perspective, we have more work to do either per department or from a government as a whole to figure out the most automated and least intrusive way of doing so.

gcharest, Dec 18 '18 12:12

GitHub has a dependency graph for dependencies that are defined in a package manager manifest. That could be a good place to start for an automated solution.

LaurentGoderre, Dec 18 '18 13:12

However, that doesn't factor in GitLab and Git in general. It is also very often misleading, as many projects only post the final project on these social coding sites (which I suspect many departments will do as part of their open source code), which in turn falsely reports who did the commits and the intervals or frequency. It also does not factor in the fact that Drupal does not live on GitHub, and it's certainly one of the most popular and active GC open source adoptions. (At least the DrupalWxT initiative is here, but that doesn't reflect work being done at source from a Drupal standpoint, as an example.)

rgalipeau, Dec 18 '18 15:12

@rgalipeau the fact that the automated GitHub approach doesn't cover everything should stop us from potentially using it. Also, for many Drupal distros, the composer file might be just as useful.

LaurentGoderre, Dec 18 '18 16:12

It is important that as we choose our tools, platforms and solutions for our move to a more open government, we do so in line with our own policy direction.

Whatever we choose to do in the next steps has to be interoperable, substitutable and support innovation for all the teams that will have to work with these.

Also, we do have legislation and policies to abide by and avoiding them because "it's too much work" is not the right approach. Validating the constraints, updating them when required and streamlining whatever processes (even automating) is the best way to ensure that we don't get stopped midway in our adoption of OSS.

gcharest, Dec 19 '18 18:12