Only a drop in the ocean, but still a first small success for Julia Reda, Pirate Party MEP sitting in the Greens/EFA group:
26 03 77 02 Pilot project — Governance and quality of software code – Auditing of free and opensource software
What would actually make sense: if governments and industry put far more money into reviewing the most critical infrastructure. Everyone would benefit, and the net would become more secure.
In the draft budget document it reads as follows (page 732):
Recent discoveries of vulnerabilities in critical information infrastructure have drawn the broader public’s attention to the need to understand how governance and quality of the underlying software code relates to basic safety and public trust in applications that are used on a day-to-day basis. As both the general public and the EU institutions regularly use free and open-source software – from end-user device applications to server systems – the need for coordinated efforts to ensure and maintain the integrity and security of that software has been highlighted by the European Parliament itself. This pilot project will offer a systematic approach to achieving a goal to which the EU institutions themselves can contribute, namely ensuring that widely used critical software can be trusted.
The pilot project has three parts:
Part one comprises a comparative study and a feasibility study. The comparative study will analyse and compare the Debian Free Software Guidelines and social contract compliance decisions in Debian with current code sharing practices and compliance determinants within the activities of the Commission’s vulnerability test centre and CITnet’s Application Lifecycle Management system relating to projects which are currently funded by ISA and published on JoinUp. This study will also make a general assessment of the Commission’s current code governance models and identify processes similar to processes within Debian. The aim is to develop best practices with regard to code review and code quality assessment for the purpose of mitigating security threats, in particular in activities relating to free software and open standards funded by the European Union. The feasibility study will identify agents and stakeholders, estimate time frames and funding models, and determine deliverables and long-term impacts in, of and for projects where such best practices could be applied.
The second part of the pilot project will cover the development of a unified inventory methodology for the Commission and Parliament in particular and the compilation of a full inventory of free software and open standards in use within all the EU institutions. The inventory will provide a basis for determining where the results of the first part of the pilot project could be successfully applied.
The third part will involve an exemplary code review of software and software libraries that are in active use both by the general European public and by EU institutions. This part of the pilot project will identify and focus in particular on software or software components whose exploitation could lead to a severe disruption of public or EU services and unauthorised access to personal data, forming the basis for a public tender on this matter.
Pilot project within the meaning of Article 54(2) of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012, p. 1).