"And FOSS can't be outlawed. To re-engineer infrastructure and applications to exclude it would be unthinkably expensive and undoubtedly vastly destabilizing for cybersecurity resilience."
I was involved in a procurement, made by an international organisation on behalf of the European Commission. One of the requirements demanded by the EC was that no FOSS would be included in any of the deliverables. There were two reasons for this:
- by the end of the project, all deliverables were to be transferred to the EC, to include ALL intellectual property rights and licences;
- the regulator (another EC body) for this system demanded traceability/accountability for all elements of the system and that includes individual software modules.
The prime contractor decided to use FOSS in a particular area, despite protestations form us (their client) and the availability of well known and relatively inexpensive COTS. In an attempt to avoid issues with OS licence contamination, they were engaged in an exercise of identifying "acceptable" licences in older versions of various OS modules. My time time on this project ended with COVID, so I don't know how this is panning out for the prime contractor but I would not be at all surprised if the EC were to reject their deliveries in a few years time.
Biting the hand that feeds IT
