Open Source Software (OSS) Transparency for DoD Acquisition

Caveat emptor, or let the buyer beware, is commonly attributed to open source software (OSS)-the onus is on the OSS consumer to ensure that it is fit for use in the consumer's context. OSS has been compared to an open market bazaar where consumers are free to browse all the source code and take a copy. In this paper, we observe challenges for the OSS consumer to obtain information about the process(es), project(s) used to produce a product and the protection(s) employed by those projects. We discuss the need for more transparency by OSS projects, where possible and introduce a framework for reasoning about those OSS projects and their products for use by the OSS consumer.