[linux-elitists] Digital Software Security Act

Eugen Leitl eugen@leitl.org
Mon Aug 12 14:04:24 PDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


http://www.redhat.com/opensourcenow/bill_opensource.html

PREAMBLE

The State of California seeks to improve the security, interoperability 
and quality of its software while lowering the cost and invigorating 
competition among suppliers. To guarantee the succession and permanence of 
public software and data, it is necessary that the usability and 
maintenance of the software be independent of the goodwill of the 
suppliers, or of the monopoly conditions imposed by them. California's 
software integrity and security is jeopardized by proprietary software 
systems whose security and product enhancements are provided solely by the 
software's vendor. In these situations, vendor caprice, instability or 
bankruptcy subject the State of California to incalculable risk that its 
computer systems may be vulnerable to attacks by malefactors whose actions 
can be prevented only by the vendor. Further, vendors having exclusivity 
to provide security maintenance for their proprietary software systems 
have the ability to charge monopoly prices. For these reasons, the State 
seeks systems the development and maintenance of which can be guaranteed 
in the absence of magnanimity on the part of its suppliers and despite their malfeasance.

California finds that open source software that can be examined by the 
vendor of California's choosing for security and maintenance will 
stimulate competition and reduce vendor dictated obsolescence. Proprietary 
software that can only be upgraded by the vendor creates an incentive for 
vendors to cease maintenance of older products for the purpose of forcing 
their customers to buy new products. Therefore, the State of California 
seeks open source software that can be read, revised and upgraded by any 
software vendor under the licensing of California's choosing.

To guarantee the security of the State, it is required that systems not 
allow control from a distance or the undesired transmission of information 
to third parties. Systems must be open and allow inspection by the State 
itself, its employees and contractors and by the citizens to enable the 
State to audit its security and integrity. These goals necessitate that 
the encoding of data is not tied to a single provider. The use of standard 
and open formats in open source software gives a guarantee of this 
security and integrity access.

This law is limited to establishing the conditions under which the State 
and its agencies will obtain software in the future, that is, in a way 
compatible with these basic principles. Once passed:
The law does not forbid the production of proprietary software;
The law does not forbid the sale of proprietary software;
The law does not dictate which software to use;
The law does not dictate the supplier from whom software will be bought; 
and
The law does not limit the terms under which software can be licensed.

The legislative intent is that for software to be acceptable to the State 
it is not enough that it be technically capable of fulfilling a task; the 
contractual conditions for purchase and/or licensing must also satisfy 
a series of requirements regarding the license. Without such requirements 
the State cannot guarantee its citizens adequate processing of its data, 
oversight of its integrity, confidentiality, and accessibility throughout 
time, as these are very critical aspects of the software's normal 
functioning.

Section 1 - Objective of the law

This law has three objectives: security and open standards, obtaining the 
greatest value for funds spent and stimulation of competition within 
software development, support and implementation.

Section 2 - Scope of Application

For all new software acquisitions, the State of California and all of its 
agencies and branches shall acquire software meeting the requirements of 
Section 3.

Nothing in this act shall require the State to change or modify any 
current software. All future software purchased, developed by or for the 
State or in any way acquired, that is used to enhance, replace, upgrade or 
implement shall comply with the terms of this Act.

Section 3 - Source Requirements

All software developed for use or used by the State or its agencies shall 
have:

   1. Unrestricted use of the program for any purpose.
   2. Unrestricted access to the respective source code.
   3. Exhaustive inspection of the working mechanisms of the program.
   4. Use of the internal mechanisms and arbitrary portions of the 
software, to adapt them to the needs of the user.
   5. Freedom to make and distribute copies of the software.
   6. Modification of the software and freedom to distribute said 
modifications of the new resulting software, under the same license of the 
original software.

Section 4. - Responsibilities

The highest administrative authority and the technical and information 
technology authority of each agency of the State assume the 
responsibility for the fulfillment of this law.

Section 5. - Implementation

The executive branch of the government will establish, within a 180 day 
deadline, the conditions, deadlines and forms in which the current status 
quo will be changed to one which satisfies the conditions of this law, and 
will guide, in that sense, all future contracts, negotiations and software 
development.

Section 6. - Glossary of terms

Program or Software - Any sequence of instructions used by a digital data 
processing system to carry out a specific task or to solve a given 
problem.

Execution or use of a program - The act of using it on any 
digital data processing system to carry out a function.

User - That natural or legal person who makes use of the software.

Source code, or source code program - The complete set of instructions and 
digital source files created or modified by those who programmed it, plus 
all the digital support files such as data tables, images, specifications, 
documentation, and any other element that is necessary to create the 
executable program. As an exception, all those tools that are usually 
available as open source software in other media may be excluded, for 
example: compilers, operating systems and libraries.

Open source software or program - That which guarantees the user, without 
further cost, the following:

   1. Unrestricted use of the program for any purpose.
   2. Unrestricted access to the respective source code.
   3. Exhaustive inspection of the working mechanisms of the program.
   4. Use of the internal mechanisms and arbitrary portions of the 
software, to adapt them to the needs of the user.
   5. Freedom to make and distribute copies of the software.
   6. Modification of the software and freedom to distribute said 
modifications of the new resulting software, under the same license of the 
original software.

Proprietary software (closed source software) - That which does not 
fulfill all the requirements listed in Open Source.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9WCLbqlgOiYPlygIRAsSZAJ9/Cm11Mj0sZKh0KryYIEIYzgf9KwCeLgum
4V69R3saq0tGYxTcrrf46JM=
=qw52
-----END PGP SIGNATURE-----