Public administration: call for clear criteria for open source procurement
The Open Source Business Alliance is calling for new tender criteria to make it easier to select sustainable software projects and stop price dumping.
The Open Source Business Alliance (OSBA) working group responsible for procurement has proposed an approach to prevent price dumping in the public sector in relation to support for free software and to promote the selection of sustainable projects. To this end, it presented a catalog of tender criteria on Tuesday. It is intended to ensure that the further development and maintenance of open source applications is secured. Further goals of the initiative: In addition to the client, all participants in the open source ecosystem should benefit and programs should be securely available in the long term.
"Public administration in Germany is striving for digital sovereignty," the paper states, and open source is increasingly important for this. The business models behind it work in a fundamentally different way from proprietary software: with the latter, the manufacturer earns from every license sold, even if it is issued by a third-party provider. In the case of software with freely available source code, on the other hand, the revenue usually comes from supplementary services such as support and maintenance.
However, this also makes it possible for third parties to "outdo the actual software manufacturer in the awarding process by means of dumping offers", explains the OSBA. The open source manufacturer is thus left empty-handed and cannot invest sufficiently in further development and maintenance as a result. This undermines the reuse potential of free software, which is particularly important for the digitization of public administration. The IT security of the solutions is also jeopardized. The association points to examples, such as the procurement of school software and video conferencing systems, where third-party providers undercut the manufacturers and those responsible in the administration only realized the associated challenges later.
Forks can be problematic
According to the OSBA, pure price-based evaluation is generally not suitable for the procurement of standard software on an open source basis, because the maintenance and further development of the application is not automatically included in every offer. The authors of the paper therefore recommend that the contracting authority pay particular attention to whether the service provider can demonstrate a relationship with the software manufacturer or the open source community. Only then, they argue, can the supply chain be secured and the components contained in the product be broken down via a software bill of materials (SBOM) in accordance with the requirements of the Cyber Resilience Act.
The OSBA also calls for the administration to focus on receiving security updates and upgrades, for example through patches. This would also allow missing functions to be integrated. If such changes are not fed back "upstream" into the central code base, the modified version becomes a fork, and in the long term the client is left with the burden of maintaining it. As this often involves millions of lines of code, "unaffordable and uneconomical expenses" quickly arise.
Involving original manufacturers in the business
According to the catalog, the public sector should also ensure that quality support is guaranteed by third parties. For example, it should be clarified whether the provider can guarantee "expertise with the source code of the specific product" or support from the manufacturer. It is also advisable to check whether there is a suitable certification that proves the quality of the provider.
The cheapest offer is often not the most economical, Birgit Becker and Claus Wickinghoff, spokespersons for the working group, point out. If the software is still to be secure and further developed in several years' time, the actual manufacturer must also be involved in the business.
(mack)