Alcides Fonseca

40.197958, -8.408312

UK's NHS just got called to the principal's office

Private repositories can create a false sense of security.

Making code private is not an appropriate mitigation for lack of ownership, patching capability, or operational assurance, so systems that cannot be safely maintained should be remediated or retired.

Moving code from public to private as a substitute for investment in secure-by-design delivery, ownership and remediation is a warning sign because it reduces sharing and scrutiny, can slow coordinated improvement across government and suppliers, and does not remove the underlying weaknesses in a running service.

— Government Digital Service

It looks to me like a small group within NHS England have received a report showing some potential vulnerabilities discovered by Mythos. Rather than following their own internal guidance, they’ve over-reacted and slapped a blanket ban on coding in the open.
I fervently hope that this new guidance will encourage DHSC to bring NHS England into line with best practice. If not, perhaps GDS ought to reassert itself as the technical authority with power to veto a department’s incomprehensible decisions?

— Terence Eden (ex-GDS) in GDS weighs in on the NHS’s decision to retreat from Open Source

I just love the role GDS has had in the UK's digital infrastructure. Nowadays, government digital services are critical infrastructure. Protecting them is a national responsibility and should be done with the proper resources.

In Portugal, I do not see a push towards open source. There are a few exceptions, but in general Portugal lags in developing in the open. I would love to spend time fixing bugs in the software I have to use.

We need this to come from the top, and proper resources to be spent on our infrastructure, which means paying competitive wages and hiring top talent to spread good practices to the rest of the government, as GDS did in the UK.