Comment by rebolek

21 hours ago

Maybe they should go open source from the start, then there's nothing to leak.

P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).

When I worked for the government in Norway, it slowly changed to all code being developed in the open. 3k repos here now: https://github.com/orgs/navikt/repositories

When I started it was a big security theater. Had to develop on thin clients with no external internet access, for instance. Then they got some great people in charge that modernized everything.

Only drawback is when you quit, you have to make sure to unsubscribe from everything, hehe. When quitting a private company I was just removed from the GitHub org. Here I was as well, but I was still subscribed to lots of repos, issues, PRs, heh.

  • Very cool! Do they accept external contributions, e.g. from Norwegian citizens? Also, was there any thought given to "digital sovereignty" (wondering because the repos are hosted on a US service)?

    I'm also surprised that you were able to (or expected to?) use your private GitHub account for your work.

    • Not sure how it is now, but when I worked there ~8 years ago we weren't really equipped to accept contributions. Both from a licensing perspective (CLA), but also that we had our own timelines, projects and prioritizations in the team. So most applications were open source more in the sense of source available. Some utils (like generators for Norwegian mock data, or libraries handling Norwegian addresses or whatever) that were actively used by other companies could get some proper contributions once in a while, though.

Yeah. In these cases it's not like anyone is going to spin up their own instance and start competing with you.

Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".