Case Study - Opening Your Source Code

[rjmajma]

Agencies have indicated that it's difficult to know how to do certain things like opening your source code without a clear example of how others have done it. Providing an example of how an agency/office opened the source code on a particular project will help arm folks in government with the tangible information necessary to advocate and execute on opening their source code. Things that would be helpful to include:

• What led to you opening your source code? A first or new release? End of the development cycle?
• What security measures did you undertake throughout the development of the tool and prior to release? Were there concerns? How were they overcome?
• Did you do any scrubbing (e.g., going through old comments? Taking out sensitive information)?

I'm sure other things could be included too, but this is a start.

[ascott1]

CFPB defaults to starting projects in public, but there have been times when we need to release code that was initially developed in a private repository. When doing so, we follow this checklist. It's not a case study, but does answer how we deal with the last two questions.

• Has PII been removed?
  • Use Clouseau for scanning source code.
  • For an Open Source Release, attach the Clouseau output.
  • If there are images, visually inspect each image to ensure there is no CFPB-specific information.
• Have security vulnerabilities been remediated?
  • Use the OWASP Top 10
  • National Vulnerability Database
  • SANS Swat Checklist
• Are we including any other open source products? If so, is there any conflict with our public domain release?
• Is our TERMS.md included?
• Is a CHANGELOG.md present and does it contain structured, consistently formatted recent history?
  • See https://github.com/cfpb/qu and https://github.com/cfpb/hmda-explorer
  • Some Inspiration: http://keepachangelog.com/
• Are instructions for contributing included (CONTRIBUTING.md)?
• Are installation instructions clearly written in the README and tested on a clean machine?
• Are all dependencies described in the README, requirements.txt, and/or buildout.cfg?
• Are the API docs generated?
• Are there unit tests?
• If applicable and possible, is it set up in TravisCI?
• Have multiple people reviewed the code?
• Is there a screenshot in the README, if applicable?

[rjmajma]

This is soooooo good. Yes. This is exactly what I needed.

Hey @awong-dev, I know a few weeks ago you asked me for something (I believe) like this. Is this still relevant? Helpful?

[awong-dev]

@rjmajma Yes!

I think having a blessed set of template docs to dump into the top-level repo would be nice.

[gbinal]

https://pages.18f.gov/open-source-program/pages/case_study_list/

[robinsonns508pm]

At what point in the process do you perform a review for IT Accessibility Standards (Section 508 specifically; WCAG Level AA or equivalent)? Assuming an agline approach, do you manage those as defects and put them on the backlog and or do you request your team puts them in a feature requests?