Open Source legal compliance and public administrations [EOLE 2023]

Context

International annual conference cycle, the European Open Source & Free Software Law Event (EOLE) aims to promote the share and dissemination of legal knowledge related to free software, as well as the development and promotion of good practices. Initiative born in 2008 from practitioners’ needs, EOLE has for purpose to develop a legal doctrine dedicated to the dissemination of neutral and qualitative information. This year, the event will be divided into 4 webinars and will take place from May 2023 to November 2023. The event will end with an in person event the 7th of December in Paris, France.

The 3rd workshop of the 14th edition of EOLE

Abstract of the workshop

Public Administrations have different problems than private entities in managing the legal compliance of free software / Open Source: they have different rules to comply with (e.g. on the selection of service providers, spending rules, etc.).

But Public Administrations also have a different position (and culture) with respect to the generation of common goods and specific rules that favour collaboration and sharing.

Nevertheless, Public Administrations lag behind in organising and coordinating themselves and have much to learn in the legal management of free software / open source, although the need for improvement is increasingly felt, especially by the most innovative Public Administrations.

The seminar aims at exploring how Public Administrations can work together, linking Open Source Public Offices (OSPOs), to foster open management of free software legal compliance (verifying licence compatibility, etc.) and community generation to foster the development, distribution and use of free software.

Synthesis of the event

For this third event, the main issue was to discuss open source compliance practices in public administrations. In order to respond to this issue, the speakers were invited to give their feedback and to share their experiences on this topic. The focus was on the challenge of compliance in the development of tools and the use of processes that promote collaboration in compliance, especially in public administration.

The main issue was to understant what have to do public administration in order to foster collaboration regarding legal compliance when relying on the use of Open Source and free software.

The event was organised in a series of presentations with a round table discussion at the end. This summary follow the agenda of the meeting.

To beging with and to understand better the topic, some first questions were raised and shared : What’s special to public sector making software ? What are the specific conditions that tells appart the general market ? The answer is complex and rely on specific (general interest) concerns:

• Public administrations means public money so code should be public,
• There are reuse obligations / resharing obligation and special conditions for copyright,
• Public sector is not free to purschase softwar because of procedures and binding rules for purchases (during tenders),
• You have to keep in mind that when you distribute software, you have an impact and the environnement / market software and the platforms,
• The data protection and the impact of the infrastructure are two main subject regarding software in public administration.

What is compliance and how can we do it ?

What is compliance ?
Carlo Piana, IT Lawyer at Array, defines compliance as something that is not an option for the public sector. But they don’t know how to do it properly and what the concept of compatibility really is. More importantly, incompatibilities can come from the incoming or the outgoing conditions.
You can think of compliance as a chain and it can be done upstream or downstream or by you.

Note that it’s not just a software composition analysis, it also includes sBOMs and must include the necessary compliance artefacts.

• Upstream: If compliance is done upstream, it’s easier for you to maintain in the long run.

When do you do compliance?
Normally, you start thinking about open source compliance when you start distributing it. However, the public sector is obliged to enforce and distribute the software.
So you should think about compliance from the beginning. It’s never too early to think about compliance. Compliance is an inherent part of open source development, not an afterthought.

You need to have continious compliance, you start early even before the development begins.

Carlo Piana

Compliance as a contractual issue

Compliance can start when the software is put up for tender. It must be clear and include :

• Warranties,
• Commitments,
• Technical points to comply with, as it’s an assurance that this is something inside and verifiable by the customer.

A specific licence should be used:

• It must be an OSI approved one,
• A popular one, widely used,
• A compatible one.

Establish standards to do compliance by using common tools

Here are some examples / some projects that help to do compliance:

• Open Chain is an ISO standard that provides compliance and artifacts,
  • It provides compliance artefacts, requires process, clear definition of roles, adequate training,
  • Main purpose: to prove that you are compliant.
• SPDX is a standard for describing the licence applicable to software components in a machine-readable way,
  • describing dependencies,
  • sBOM.
• Developers Italia is a community that proposes resources and helps public administrations to use software already used by other administrations.
• Digital Public Goods Alliance DPG Registry
  • The goal of the DPGA and its registry is to promote digital public goods to create a fairer world.

Good practices and main goals

Morena Ragone and Agostino Palmitessa shared their feedback on open source compliance at a regional level. Here are some of their insights:

• Encourage collaboration,
• Encourage reuse of the system among local authorities,
• Dissemination,
• Leadership: be a point of reference,
• Sharing.

Laura Garbati shared the processes already in place at CSI Piemonte:

• Legal checks : BOM analysis and licence compatibility assessment (« done by hand » and now « with help »). The aim is to do our best to be transparent and to do what we can to release in open source.
• Technical checks : security check, code cleanup, header, script, copyright.
• Configuration tasks : File editing and document creation

Building an Open Source Program Office (OSPO)

What is an Open Source Program Office (OSPO) ?

OSPOs are built with different skills and expertise, mainly technical and legal, but it can also welcome management and finance to build and structure this organisation.

Leonardo Favario, from the OSPO of PagoPA (a company involved in the digital transformation of Italy, in particular by building a national payment method) presented PagoPA’s definition of an OSPO: it’s a multidisciplinary team that can be difficult to insert into an organised organisation. This team can be quite difficult to integrate into an organisation. That’s why, at PagoPA, it has been set up as an internal consultancy layer with people from different areas of the company.

At CSI Piemonte, the OSPO was created in June 2022, as Laura Garbati explained during this interview, with the aim of creating a consortium around openness. She agreed on the fact that an OSPO can’t be an office, because different skills are needed, technical and legal. In some cases, business teams can also be involved to create a broad team called DAB Open Source.

OSPOs provide support on open source issues thanks to a cross-functional team and expertise. OSPOs allow to be a point of reference when Open Source is mentioned in different sectors:

• Acquisition with business cases by presenting open source alternatives to colleagues, bearing in mind that not all open source alternatives are the same,
• Controlled use: compliance is a continuous process and you need to manage different aspects,
• Development and publication: The OSPOs in CSI Piemonte provide support to develop and publish software in Open Source.

What is the goal of an OSPO

As Leonardo Favario says, it’s not about solving every problem one by one, but about helping people by making them aware of the problem and how to solve it.
It’s a way of adding value.
The most important thing is to involve as many colleagues in the organisation as possible by asking questions.

We want to spead as much as possible the sense of the engagement. We provide some learning path. We won’t provide the answers immediatly but we will give tools to solve it. We try to let people solve their problems by helping and awaring them.

Leonardo Favario

It’s a continuous, integrated process that helps with alignment.

Laura Garbati added that OSPO needs to be a reference inside and outside public administrations to raise awareness and help people understand what open source is and why it’s important.

Dissemination of knowledge is a grant of any effective activity and action. If you talk to people, they don’t know what open source is. You have to be a promoter and raise awareness. Publication administrators have habits, going outside that parameter can be a risk for them. But open source is not a risk, it’s an opportunity.

Laura Garbati

Futur challenges for the OSPO

Leonardo Favario mentioned some of the challenges they face with PagoPA, and more broadly outside of PagoPA.

• Licensing, dealing with dependencies and community,
• Building supply chain ownership and asking some important questions:
  • What do we use?
  • What do we publish? Sbom is one way to understand this, but it’s only the beginning.
  • What is the cost to the business? Or are we defining an ecosystem strategy?
  • Is there a give-back policy?
  • How much can we risk?
  • How much do we use dependencies? Can we optimise the use of these packages to be better players?
• Leading the community: try to face the needs of the business and, from the other side, the needs of the community.
  • It has to be a bridge between two worlds : the company and the outside world (citizens).
  • OSPO must allow a flow from the outside in and form the inside out.

It’s not a problem of solving a problem way but to create common awareness. How to optimise the impact that we have on you own ecosystem.

Leonardo Favario

One example of Open Source Compliance in Public administration – Fuss Project

Paolo Dongilli shared his feedback on the FUSS project as a coordinator of the project born in 2004 in the Autonomous Province of Bolzano.

Presentation of the project

He presented FUSS as a way to create public value with public money. To this end, Paolo Dongilli and his team (technicians, professors, teachers) aim to distribute open source software in public schools and public administrations, but also to help companies to use free software.

The distribution of this software is based on Debian with pieces of software to make the installation in schools easier for teachers. This is built with free software compatible equipment, with computers with Linux pre-installed. A shared nextcloud is also available to retrieve files.

Results

Paolo Dongilli talked about an important issue for him, which is digital sustainability. You’re not only going to use free open source software, but you’re also going to use open source standards to facilitate communication in public administration.
The main issue is also to promote collaboration between teachers and teaching methods and to invite students and teachers to participate in the development.

We prefer to show students the recipe and let them look under the hood of the machines.

Paolo Dongilli

FUSS has been recognised as a project of public value by institutions such as Republicca Digitale, Developpers Italia or Publiccode.eu and has recently been declared a Digital Public Good by the Digital Public Good Alliance and added to the Digital Public Goods Alliance DPG Registry.

Conclusions

The last minutes of the meeting was a moment for each person to talk about what can be done to ensure compliance and have common practices. Here are some insights, challenges and issues that were reported :

• It’s important to look at post-publication compliance. That means you have to get contributions.
  • The challenge is then to develop a real community, first locally and then globally.
• Spreading awareness by creating forums and places to discuss / share experiences at national and then international level,
  • Efforts can be made at EU level,
  • People, projects, can easily feel alone at national level.
• Consortium community: create a community and have citizens, public administration and companies on board:
  • Do more networking and find better ways to communicate among each other,
  • Contact other associations such as Xnet, based in Spain, to compare work done together.
• Make sure that Open Source is safe and easy to use, so that people know they can use something clear,
• List organisations with OSPOs and a network of lawyers doing open source,
  • OSPOs need to be cross-linked and forces need to be joined,
  • How to deal with public administrations is still an open challenge. But not all public administrations have an OSPO or know what it is.
• Create a catalogue of reusable solutions
• Write contracts.