In 2014, in reaction to the so-called “Heartbleed” bug in OpenSSL, the Parliamentarians Max Andersson and Julia Reda initiated the pilot project “Governance and quality of software code – Auditing of free and open source software”, which is now managed and realised by the European Commission’s Directorate General of Informatics (DIGIT) as the “Free and Open Source Software Auditing” (EU-FOSSA) project. FOSSA aims at improving the security of those Free Software programs that are in use by the European Commission and the Parliament. To achieve this goal, the FOSSA project has three parts:
- Comparative study of the European institutions’ and free and open source communities’ software development practices and a feasibility study on how to perform a code review of free and open source projects for European institutions.
- Definition of a unified methodology to obtain a complete inventory of free and open source software and technical specifications used within the European Parliament and the European Commission, and the actual collection of that data.
- Sample code review of selected free and open source software and/or library, particularly targeting critical software, whose exploitation could lead to a severe disruption of public or European services and/or to unauthorized access.
In addition, FOSSA states that the “project will help improving the security of open source software in use in the European institutions. Equally important, the EU-FOSSA project is about contributing back to the open source communities.” Initially, one million dollars were assigned to FOSSA.
After the publication of its first deliverable, a comparative study of the development methods and security concerns of 14 open source communities and of 14 software projects in the European Commission and European Parliament, it is now time for the first code review. On this occasion, the EU has started a public survey on which software should be the first to be audited by FOSSA. There is a choice among 18 programs, but it is also possible to propose another one.
Such an audit can be expected to give significant prominence to the selected Free Software program among existing and new users. Additionally, an audit involves a lot of work; if it is done externally, the existing developers can spend their time improving and further developing the program itself. Finally, every active participant in the survey shows the Parliament the importance and public reception of FOSSA, and more participation might help in the final evaluation, so that this pilot project might hopefully become institutionalised. Hence, please take part! (It takes just 1-4 minutes, no account needed.)
This is a translation of my article in netzpolitik.org (German)