Code in the open
Requirements
- All source code for any policy in use (unless used for fraud detection) MUST be published and publicly accessible.
- All source code for any software in use (unless used for fraud detection) MUST be published and publicly accessible.
- Contributors MUST NOT upload sensitive information regarding users, their organization or third parties to the repository.
- Any source code not currently in use (such as new versions, proposals or older versions) SHOULD be published.
- Documenting which source code or policy underpins any specific interaction the general public may have with an organization is OPTIONAL.
Why this is important
Coding in the open:
- improves transparency
- increases code quality
- facilitates the auditing processes
These aspects together create more opportunities for citizens to understand how software and policy impact their interactions with a public organization.
What this does not do
- Make source code or policy reusable.
- Make the codebase and the code within it understandable to as many people as possible.
How to test
- Confirm that the source for each version currently in use is published on the internet where it can be seen from outside the original contributing organization and without the need for any form of authentication or authorization.
- Confirm that the codebase files and commit history do not include sensitive information.
- Check for the publication of source code not currently in use.
Policy makers: what you need to do
- Develop policies in the open.
- Prioritize open and transparent policies.
Management: what you need to do
- Develop a culture that embraces openness, learning and feedback.
- Collaborate with external vendors and freelancers by working in the open.
Developers and designers: what you need to do
- As a reviewer, for each commit, verify that content does not include sensitive information such as configurations, usernames or passwords, public keys or other real credentials used in production systems.
- Clearly split data and code, in order to meet the requirement about sensitive information above.
Further reading
- Coding in the open by the UK Government Digital Service.
- When code should be open or closed by the UK Government Digital Service.
- Security considerations when coding in the open by the UK Government Digital Service.
- Deploying software regularly by the UK Government Digital Service.
- How GDS uses GitHub by the UK Government Digital Service.