
Documentation or transparency on the use of open source? #32

Open
NoureenS opened this issue Nov 28, 2018 · 8 comments

Comments

@NoureenS

Should there be a publish and record of all open source libraries being used across GC? As an example, sharing how this is currently maintained for Microsoft projects: https://3rdpartysource.microsoft.com/

@nschonni
Member

That's partially what https://github.com/canada-ca/ore-ero is, but license disclosure is a little different

@obrien-j

Getting to something like this would be great for both open source disclosure purposes as well as overall security wins. 👍

@LaurentGoderre

Maintaining such a list would be a huge undertaking. Also, that list shows the open source that is packaged with their release, not the development dependencies used.

@gcharest
Member

Valid points. I think we really are looking at a pilot project for now to manually point to GC projects or indeed packaged OSS in use in the GC.

From a disclosure perspective, we have more work to do either per department or from a government as a whole to figure out the most automated and least intrusive way of doing so.

@LaurentGoderre

GitHub has a dependency graph for dependencies that are defined in a package manager manifest. That could be a good place to start for an automated solution.

@rgalipeau

However, that doesn’t factor in GitLab and Git in general. It is also very often misleading, as many projects only post the final project on these social coding sites (which I suspect many departments will do as part of their open source code), which in turn falsely reports who did the commits and the intervals or frequency. It also does not factor in the fact that Drupal does not live on GitHub, and it’s certainly one of the most popular and active GC open source adoptions. (At least the DrupalWxT initiative is here, but that doesn’t reflect work being done at source from a Drupal standpoint, as an example.)

@LaurentGoderre

@rgalipeau the fact that the automated GitHub approach doesn't cover everything should stop us from potentially using it. Also, for many Drupal distros, the composer file might be just as useful.

@gcharest
Member

It is important that as we choose our tools, platforms and solutions for our move to a more open government, we do so in line with our own policy direction.

Whatever we choose to do in the next steps has to be interoperable, substitutable and support innovation for all the teams that will have to work with these.

Also, we do have legislation and policies to abide by and avoiding them because "it's too much work" is not the right approach. Validating the constraints, updating them when required and streamlining whatever processes (even automating) is the best way to ensure that we don't get stopped midway in our adoption of OSS.
