
Uncle Sam needs you... to debug, improve Dept of Defense open-source software at code.mil

You don't hate freedom, do you? You love America, right?

By Thomas Claburn, 25 Feb 2017

The US Department of Defense wants you to contribute unclassified code to software projects developed in support of national security.

Toward that end, it has launched Code.mil, which points to a GitHub repository intended to offer public access to code financed by public money. But at the moment, the DoD's repo lacks any actual code.

Open source and free software represent industry best practices, the DoD said in a statement, even as it acknowledged the agency has yet to widely adopt them. Code.mil represents an attempt to change that dynamic.

On the project website, the DoD goes so far as to suggest that anything other than open source software puts lives at risk.

"US military members and their families make significant sacrifices to protect our country," the agency explains in its FAQs. "Their lives should not be negatively impacted by outdated tools and software development practices that lag far behind private sector standards."

And in case that isn't clear enough, the agency states, "Modern software is open sourced software."

But before open source can ride to the rescue, government programmers and whatever community coalesces around them will need to find a suitable software license to apply to DoD projects.

Because code written by federal government employees for the most part does not qualify for copyright protection, it cannot be protected by licenses that rely on copyright law.

But a Creative Commons Zero (CC0) license, which would put the code into the public domain, isn't quite the right fit. Outside the US, countries may not accept CC0 as a valid way to waive copyrights or may have different legal requirements, which makes contributions from those abroad problematic.

"Software constantly evolves with each contribution potentially having a different copyright and license status," the agency says. "Merely placing source code in the public domain with CC0 1.0 does not address how contributions will affect the openness of the project over time."

So rather than using a common open source license or creating a new one – something the DoD CIO discourages – the agency has drafted a proposed Defense Open Source Agreement (DOSA), which uses "contract law to attach licenses to our projects."

The DOSA lets the DoD require that contributors abide by an open source license despite its lack of copyright – the right by which a software license would typically be imposed. It also requires that contributors accept an agreement known as a Developer's Certificate of Origin, by which programmers attest that they have the right to any code they may contribute.

The DOSA thus provides a way for the DoD to accept code contributions from foreign contributors while minimizing the legal risk they might face from a local copyright claim.

Whether or not the DoD's DOSA is legal isn't entirely clear. Chaim Krause, whose Twitter account identifies him as a civilian employee of the US Army, has used GitHub's Issues system to question the claim that the DoD can require software to be released under an arrangement other than public domain.

The US Army Research Laboratory (ARL) requires a Creative Commons Zero (CC0) license (public domain), in conjunction with an ARL Contributor License Agreement from every contributor to ensure contributed code can be contributed.

The DoD says its Defense Digital Service (DDS), which spearheaded Code.mil, has consulted with the Open Source Initiative and Free Software Foundation on its approach to licensing.

In a statement, DDS legal counsel Sharon Woods said: "We hope this agreement will serve as a bridge so we can use widely adopted open source licenses even without US copyright protections." ®
