Bulgaria Got a Law Requiring Open Source

Less than two years after my presentation titled “Open source for the government”, and almost exactly one year after I became advisor to the deputy prime minister of Bulgaria, with the efforts of my colleagues and the deputy prime minister, the amendments to the Electronic Governance Act were voted in parliament and are now in effect. The amendments require all software written for the government to be open-source and to be developed as such in a public repository.

The text of the Electronic governance act can be found here. The particular article is 58a:

Art. 58a. (New — SG. 50 of 2016, effective 01.07.2016) Upon preparation of technical and functional assignments for public procurement to develop, upgrade or implement information systems and e-services, administrative authorities must include the following requirements:

1. when the subject of the contract includes the development of computer programs:

a) computer programs must meet the criteria for open source software;

b) all copyright and related rights on the relevant computer programs, their source code, the design of interfaces and databases which are subject to the order should arise for the principal in full, without limitations in the use, modification and distribution;

c) development should be done in the repository maintained by the Agency in accordance with Art. 7c pt. 18;

That does not mean that the whole country is moving to Linux and LibreOffice, neither does it mean the government demands Microsoft and Oracle to give the source to their products. Existing solutions are purchased on licensing terms and they remain unaffected (although we strongly encourage the use of open source solutions for that as well).

It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it’s paid by tax-payers money and they should both be able to see it and benefit from it.

As for security — in the past “security through obscurity” was the main approach, and it didn’t quite work —numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it’s too late.

A new government agency is tasked with enforcing the law and with setting up the public repository (which will likely be mirrored to GitHub).

The fact that something is in the law doesn’t mean it’s a fact, though. The programming community should insist on it being enforced. At the same time some companies will surely try to circumvent it.

But in general, I think this is a good step for better government software and less abandonware and I hope other countries follow our somewhat “radical” approach of putting it in the law.