GDS weighs in on the NHS's decision to retreat from Open Source
Summary
The Government Digital Service (GDS) has published guidance titled "AI, open code and vulnerability risk in the public sector" on May 14th, advocating for an "open by default" approach to public sector code. This guidance implicitly critiques the NHS's recent decision to restrict access to its open-source repositories following vulnerability reports from Project Glasswing. GDS emphasizes that making code private incurs additional delivery and policy costs, while also reducing opportunities for reuse and external scrutiny. The GDS stance suggests that closure should be a rare and deliberate exception, not the default, signaling a significant public disagreement within the UK Civil Service regarding open-source policy.
Key takeaway
For public sector technology leaders evaluating code management strategies, your teams should adhere to an "open by default" policy for software development. Restricting access to code repositories, even in response to security concerns, introduces unnecessary costs and diminishes opportunities for collaborative improvement and external security review. Prioritize robust vulnerability disclosure programs over blanket privatization to maintain transparency and foster trust.
Key insights
Public sector code should remain open by default to foster scrutiny and reuse, avoiding costs of privatization.
Principles
- Openness reduces costs and increases scrutiny.
- Closure should be a deliberate exception.
In practice
- Maintain public code repositories.
- Prioritize external security audits.
Topics
- NHS Open-Source
- Government Digital Service
- Project Glasswing
- Vulnerability Management
- Open by Default Policy
Best for: CTO, VP of Engineering/Data, Director of AI/ML, Policy Maker, IT Professional, AI Security Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.