By Mike Gifford

February 3, 2009

I attended an excellent talk last night about GCPedia that was presented by Jeff Braybrook, Deputy Chief Technology Officer for Canada, at a Third Tuesday Ottawa Gathering. It was excellent to hear more about the history of the adoption of the open source tool MediaWiki within the Government of Canada. Jeff described Canada's CTO office as being "Hawkish about open source", and wanting to use it as much as possible. At a time when procurement officers and IT departments are still questioning whether or not open source can be used within government, this was great news.

His view that wikis would become as integrated in the government workplace as the phone and email was very refreshing too. Grabbing notes off of Joseph Thornley's Tweet, "Jeff Braybrook wants to open source not just because it is cheap - but also for its mentality: participation; cooperation; standards." Doug wrote up a detailed post about the event here in his blog.

After writing this post I've been sent a number of interesting links that I thought were very important to point out. The US Department of Defense has set up a Forge.mil project to promote open source development within the US military. When looking at procurement of open source within the government, we really have to look at Europe. Three really solid sites that the Canadian government should be looking towards are previously OSOR.eu - supporting and encouraging the re-use of publicly-financed Open Source Software developments, FLOSSPOLS - Free/Libre/Open Source Software: Policy Support, and Public Sector OSS - the European Commission's DG Information Society and Media.

On a related note, a client of ours pointed us to the MERX listing that PWGSC added to gather information on how to obtain open source in Government. I'm not sure how many people will see it, as lots of open source folks don't use MERX, but do have an interest in seeing the government apply this well (even just as taxpayers). I pulled the relevant questions out of the 7-page PDF and created a simpler questionnaire about government adoption of no charge licensed software. There is also a wiki response that folks can contribute to.

There's an Appendix to this document that I'd also like to see feedback on. Please address comments on this Appendix directly to this post.

Appendix B – DRAFT Guidelines - Decision Process for acquiring No Charge Licensed Software

Draft proposed Process description 

The process begins with a request from an application delivery 
group or end user to use a particular piece of software. 
Depending on the nature of the acquisition (specifically, 
whether or not the acquisition involves a cost greater than $0), 
the process proceeds either through a conventional procurement 
workflow (not detailed here) or through the "No Charge" 
acquisition process. 

The No Charge process consists of five concurrent streams of 
activity, each of which is critical to the successful 
acquisition, management and integration of the software within 
the GC or departmental environment. 
These five streams consist of the following:

1. Architectural Review and Approval – This involves the 
applicable Enterprise Architecture group reviewing the product 
to ensure that it: 
- Is appropriate for the use specified in the request 
- Works well within the technical environment 
- Does not violate or overlap with any existing standards.

2. Financial Risk Assessment – Per Treasury Board Secretariat 
direction, the use of No Charge Software (particularly Free and 
Open Source Software) requires the completion of a financial 
risk assessment. The financial risk assessment must consider the 
risk exposure per year against the financial benefit. Depending 
on the level of risk involved, approval of the risk assessment 
will be required by: 
- The applicable Senior Financial Officer or delegate – for 
substantive risk 
- The business owner of the impacted or system – where risk is 
non-substantive

3. Justification of No Charge Acquisition - A Procurement 
Officer must review the justification for acquisition of No 
Charge Software, for clarification and as due diligence for the 
validity of reasons and that they will stand possible future 
scrutiny.

4. Investigation of Security Risks – Given the potentially 
heightened security risk of downloadable No Charge Software, the 
appropriate IT Security Officer must investigate and approve No 
Charge Software before it is approved for use. In particular, 
the security assessment will assure that the product does not 
contain viruses, malware or other means for an attacker to 
compromise the GC or departmental environment.

5. Software License Review – Due to the diverse nature of license 
models associated with No Charge Software, a review must be 
conducted to identify potential legal/policy impediments for the 
GC in agreeing to a particular license agreement. The intent is 
to accumulate a list of acceptable licenses (including popular 
ones such as GPL, LGPL, Apache etc.) so that a particular 
license model would only have to be examined once across the 
entire GC. 

Some of the most significant legal/policy concerns would 
include: 
- No warranty or limitation of liability, the imposition of 
flow-through obligations to 3rd parties, and obligations that the 
Crown indemnify licensors or 3rd parties. 
- ownership of data manipulated/stored with the product 
- limitations on the use of the product conflicting with GC or 
departmental intent 
- instances where the Government of Canada could be obliged to 
pay the creator.

If all five approvals are received, then the software can be 
installed on the appropriate environment(s), be they servers or 
desktops. The same change management and deployment processes 
apply as to software that has been acquired through conventional 
procurement.