Bulgaria Passes a Law Requiring Open Source - bozho
https://medium.com/@bozhobg/bulgaria-got-a-law-requiring-open-source-98bf626cf70a#.np5mz0heu
======
bluetomcat
You wouldn't know the background motivating this decision unless you have been
a frustrated user of the nearly non-functional software of Bulgarian state
institutions.

Ludicrous amounts of money are paid by the government to a selected niche of
companies for developing all kinds of useless websites which barely work under
load and have abysmal implementations with blatant security holes. This law
can act as a safeguard against such "epic failures", so that the taxpayers can
be aware of what they are actually paying for. 300k euros for a static
website? Let's hope it's over.

~~~
netcan
I hope it helps, but it doesn't seem like a sure thing on the face of it. To
the extent these big, expensive government projects are similar to smaller
“dumb-customer” projects, I don’t think this will help.

Anything that requires working with a hard-to-work-with organization is
“expensive” in one way or another. You need to sell them the project, which
could take months or years. You need to figure out what they need, which will
be difficult and you’ll be wrong because no one knows, never mind articulating
it. You’ll be forced to take numerous long cuts to meet unnecessary
requirements. There will be iterations, slow progress, long waits for client
input, training…

The companies who succeed at this are the ones who are experts in this
process. They sell well. They’re good at “managing the process” and winning
when a project is 3 years overdue, over budget, the spec is on iteration 46,
and no one can remember the original goal.

OTOH, if the government is developing software, why shouldn’t it be open
source? At the least, it's good transparency.

~~~
bluetomcat
Yes, this is mostly about preventing taxpayer rip-off for trivial software.
Similar fraud schemes are exploited in almost every infrastructure development
project. The government would repave a road with 1/3 of the official budget
and the rest would be shared among the officials and shady business owners.

The Bulgarian government is unable to undertake a surveillance project of any
substantial scale simply because it lacks the technological expertise.

------
onestone
I remember the CEO of Information Services JSC (the de facto Bulgarian
monopolist in government software procurement), prof. Mihail Konstantinov,
making the ridiculous claim on TV that "We can't release the source code of
the elections counting software. Anyone who has the source can hack into the
system, even children know that. If you don't understand that, you should tear
your diploma". Glad to see that morons such as him will no longer have the
final say.

~~~
SyneRyder
If it makes you feel better, the Australian government said the same thing:

"Ronaldson refused to table any documents relating to the case, stating that
publishing the source code could lead to the EasyCount software being hacked.
"In relation to the source code for the Senate counting system, I am advised
that publication of the software could leave the voting system open to hacking
or manipulation," he said. "In addition, I am advised that the AEC classifies
the relevant software as commercial-in-confidence as it also underpins the
industrial and fee-for-service election counting systems."" [1]

Australia's federal senate vote count software is a Visual Basic application.
It was developed when an upgrade to Windows 2000 broke the previous COBOL
application. [2]

[1] [http://www.zdnet.com/article/government-blocks-aec-source-code-release-on-hacking-fears/](http://www.zdnet.com/article/government-blocks-aec-source-code-release-on-hacking-fears/)

[2] [http://www.itnews.com.au/news/the-tech-behind-was-senate-recount-360504](http://www.itnews.com.au/news/the-tech-behind-was-senate-recount-360504)

~~~
onion2k
These politicians are right - simply opening the existing source, with all
its flaws, bugs, and security holes, _would_ be dangerous. It would be a huge
help to any malicious party. I don't think they're suggesting open source is
worse from a security point of view; they're saying that you can't open up an
existing product without doing a lot of work first.

Where they are wrong is in the assumption that keeping the source closed makes
them safe from an attack.

~~~
kavalg
To some extent yes, but this is only good if you can make sure that not a
single malicious adversary has access to the source code. My assumption would
be that in the voting case, the ones in power do have access to the code,
which is actually worse than open sourcing it. Off-topic: IMHO, the only way to
fix the voting software issue is to deanonymize the voting process to some
extent, which is a hard problem by itself too.

------
emilecantin
> It means that whatever custom software the government procures will be
> visible and accessible to everyone. After all, it’s paid by tax-payers money
> and they should both be able to see it and benefit from it.

I've been thinking that way for a long time, nice to see I'm not alone. Let's
hope other jurisdictions follow suit.

------
chme
Would be nice if bigger nations like the USA, UK/GB, and Germany would adopt this
policy and have to open source the exploits and rootkits that were developed
with taxpayers' money.

Open source XKeyscore, yay!

~~~
mlnox
The UK government's digital services implement Open Standards for most of the
code they develop. While this isn't something that third party vendors have to
do, GDS/PDS/MOJDS/HMRCDigital are all rapidly reducing the amount of work
external vendors do for government anyway.

[https://github.com/alphagov](https://github.com/alphagov)

~~~
bozho
Yes, in the linked presentation I mention GDS as a good example. The US also
has a lot of open-source projects.

------
stanislavb
"The fact that something is in the law doesn’t mean it’s a fact,
though."..."companies will surely try to circumvent it."

Yeah, this is very well said. Most laws in Bulgaria are either not enforced or
"avoidable" :)

------
breakingcups
This is very interesting, I wish more countries followed suit.

In my ideal fantasy world, at some point other countries might have a look at
one of the open source projects of Bulgaria and collaborate when the goals
align closely.

~~~
aorth
It would be cool to have a Bulgarian version of the US Government's 18F:

[https://18f.gsa.gov/](https://18f.gsa.gov/)

They have public standards for government websites, server HTTPS configs,
website user interfaces, etc. On GitHub!

[https://github.com/18F](https://github.com/18F)

------
lamarkia
It mentions "OpenOffice", which is now defunct.

In any case it is good. Future procurements will show how well the law is
applied.

~~~
garaetjjte
OpenOffice isn't defunct, it is still in development:
[https://www.openoffice.org](https://www.openoffice.org).

~~~
xvilka
It's nothing, compared with LibreOffice development pace.

~~~
garaetjjte
Yes, but it is still alive. And even LibreOffice copied a feature introduced in
Apache OpenOffice by IBM (the sidebar). But OpenOffice cannot copy code from LO
due to license incompatibility.

------
donkeyd
I've personally seen the Dutch government spend millions implementing open
source software. This was something that could've been fixed for a fraction
using a closed source solution. After a couple of years, the project was
canceled and the closed source solution was implemented anyway.

I'm not saying that using OSS is a bad thing. I don't, however, think that
'OSS only' is the solution to the problem at hand.

~~~
lucb1e
More background please? Because unless they were cutting corners in a _huge_
way (probably security-wise), I don't see how open source would be so much
more expensive than closed source. The statement that "[it] could've been
fixed for a fraction using closed source" seems very weird since there are no
fundamental differences in how one writes open or closed source code.

~~~
donkeyd
They were implementing an ESB. There wasn't any internal knowledge on it, so
they had started a joint venture with a business that provided consultants.
For some reason (not exactly sure why), the project went past its deadline by
about 2 years. My own employer at the time also provided an ESB, though it was
closed source. We had a lot of experience with the product, and therefore
could've implemented it quickly and for a fraction of the price (like we'd
done before). Unfortunately, no information on this is available online, for
reasons I understand.

When they canceled the project, apparently they ended up hiring my employer
anyway.

------
leandot
That is great news, hope it works out well.

------
anaolykarpov
If Facebook, Google, Twitter and others are able to run their world-scale
software on OSS solutions without being hacked, I am sure that OSS can power
some national-scale software as well.

~~~
kowdermeister
They ARE being hacked from time to time :) But they also know that and they
run bug-bounty programs.

------
blahi
Every law passed by the Bulgarian parliament serves only one purpose - to put
pressure on somebody, so people in the shadows can get a slice.

edit: A new government agency is tasked with enforcing the law

Ah, I see now.

~~~
vminkov
I know the people who stand behind this and believe me, they have 0 (zero)
dependence on the oligarchy and moreover they are a team of experts who have
been in the private sector until recently. This law is one against the status
quo.

~~~
blahi
There have been plenty of experts with 0 dependency on the oligarchy. They
all either failed or started dancing to the tune. Even if they have pure
intentions, they will get manipulated, used and eventually thrown out while
the agency will serve as a means to block companies who don't know the right
people.

