Public sector procurement organisations such as Crown Commercial Services in the UK are guiding public sector organisations to facilitate the procurement of open source software based solutions. However, there is little or no guidance on how to negotiate contracts and measure the effectiveness of open source software solutions compared to proprietary solutions.
The "Custodian as a Service" is a combination of guidance and toolkits that will educate public sector organisations about the commercial models of open source software suppliers and the metrics to include when evaluating these solutions. Wrapped around this service is a set of services to govern and independently validate the solutions.
The toolkit for procurement will provide guidance on contractual requirements when purchasing an open source software solution, including:
This will enable a viable marketplace of open source software solutions in which, by default, the code created becomes a virtual library of assets that can be reused and evolved to build other related solutions.
The custodian model will create a self-sustaining ecosystem of suppliers that deliver services to ensure the quality of solutions offered to end customers meets the QA levels set out by the custodian.
The custodians define a governance model for open source projects operating under their auspices, based on the creation of a custodian organisation that will manage the project on behalf of the broader community involved in the model.
The custodian will be responsible for:
In addition, the Custodian will:
Consider options to allow it or others to provide limited warranties in relation to the solution, similar to those offered by vendors of proprietary systems.
Take steps to ensure its own sustainability independent of central funding from the public sector.
The custodian will define an open source policy which suppliers of services have to meet to be approved solutions. The custodians will define a code of conduct which will be independently reviewed, will measure the effectiveness of technical services suppliers, and will be shared transparently with end customers and the suppliers.
Each gold release will have a time-stamped report itemising all open source components used in the application, recording for each component
The open source policy should mandate, where possible, the use of the European Union Public Licence (EUPL) to ensure all code is open and transparent.
Once the initial code review is complete and documented, the source code will be monitored for ongoing issues. A monthly digest (or any other frequency requested) of new vulnerabilities will be issued. Monitoring for high risk security vulnerabilities will be real time, and alerts to stakeholders in the public sector organisations and the named project stakeholders will be sent immediately. The alert procedure and alerts will be defined and managed in full cooperation with the public sector body.
Reporting will include the status of vulnerabilities and the time taken to remediate issues in the monthly digest. All components flagged as 'requiring remediation' in the source code will be included. If the public sector organisation has defined service level agreements for maintenance, the reports will highlight vulnerabilities that have not been remediated within the required time frame defined in the SLA.
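As an added illustration, not part of this document or of any custodian toolkit, the following Python script produces the kind of monthly digest described above from a constructed per-component vulnerability report: status, days open or taken to remediate, SLA breaches to highlight, and which open findings the real-time alert procedure would escalate. The SLA day counts, severity thresholds, component names, advisory ids and dates are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed SLA (days allowed to remediate) per severity; a real agreement would set these.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
ALERT_NOW = {"critical", "high"}   # severities treated as high risk: alert immediately
AS_OF = datetime(2024, 3, 31)      # date the digest is produced (constructed)

@dataclass
class Finding:
    """One vulnerability attached to one component of the time-stamped release report."""
    component: str
    version: str
    advisory: str                   # placeholder advisory id, not a real CVE
    severity: str
    detected: datetime
    remediated: Optional[datetime] = None

# Constructed sample findings for one gold release (names, ids and dates are made up).
FINDINGS = [
    Finding("libexample", "1.2.0", "ADV-0001", "high", datetime(2024, 3, 1), datetime(2024, 3, 5)),
    Finding("parser-kit", "0.9.1", "ADV-0002", "critical", datetime(2024, 3, 10)),
    Finding("webfw", "3.4.2", "ADV-0003", "medium", datetime(2024, 2, 1)),
    Finding("cli-tools", "2.0.0", "ADV-0004", "low", datetime(2024, 3, 15), datetime(2024, 3, 20)),
]

def digest(findings, sla_days=SLA_DAYS, as_of=AS_OF):
    """Monthly digest rows: status, days open or taken to remediate, and SLA breach flag."""
    rows = []
    for f in findings:
        end = f.remediated or as_of          # open findings are measured up to the digest date
        days = (end - f.detected).days
        rows.append({
            "component": f"{f.component}@{f.version}",
            "advisory": f.advisory,
            "severity": f.severity,
            "status": "remediated" if f.remediated else "requiring remediation",
            "days": days,
            "sla_breached": days > sla_days[f.severity],
        })
    return rows

def immediate_alerts(findings):
    """Open findings whose severity the alert procedure escalates in real time."""
    return [f.advisory for f in findings if f.remediated is None and f.severity in ALERT_NOW]

def sla_breaches(findings, sla_days=SLA_DAYS, as_of=AS_OF):
    """Advisory ids the digest must highlight as not remediated within the SLA."""
    return [r["advisory"] for r in digest(findings, sla_days, as_of) if r["sla_breached"]]
```

With the sample data, `sla_breaches(FINDINGS)` flags ADV-0002 and ADV-0003, while only ADV-0002 is both open and high risk enough for an immediate alert.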