
What We Code In the Shadows OSS at NSA

Andrew Serff edited this page Jul 23, 2018 · 1 revision

What We Code in the Shadows

Open Source within NSA and the federal government

He ran RedHawk

Federal Source Code Policy M-16-21 - government policy that says we should be involved in OSS. - 2016

Challenges

Legal and Policy

  • Copyright
  • Early days - the policy is only 2 years old
  • Mixed workforce

OSS Management

  • How to manage a project
  • Pre-pub review

Approach

  • code.gov - GSA run
  • 18F, USDS/DDS, & GSA
  • publish at least 20% of new custom code as OSS

Culture

  • What is OSS
  • Isn't it less secure
  • Can we do that?

Process

REDHAWK

  • They wanted to open source
  • took them 18 months

Newer OSS projects:

code.nsa.gov

  • nbGallery
  • Walkoff
  • Beergarden

NSA Approach

Contributions

  • Example: OpenStack, Accumulo
  • They have streamlined their approach and have it down to hours.

Releasing software

  • Why are we releasing it? Don't just post it and walk away.
  • release approval
    • what's the classification
    • legal, contracts
    • Intellectual property claims
  • Post release
    • Communication - how to manage your OSS project
      • they didn't want to have to go through pre-pub review just to respond to questions
    • Inbound IP
      • how do they manage contributions to their projects?
      • DDS & code.mil - crowdsourced an approach to accepting contributions.
      • inbound == outbound. you accept a PR and it inherits the license.
    • Developer Certificate of Origin instead of a CLA. Sounds so much easier.
    • IP Artifacts
      • LICENSE
      • INTENT.md
      • CONTRIBUTING_IO.md/CONTRIBUTING_DCO.md
      • CONTRIBUTORS.md
      • DISCLAIMER.MD
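The DCO approach above only works if every commit actually carries a `Signed-off-by:` trailer (the line `git commit -s` appends). As an added example that is not from the talk, NSA or code.mil, the script below parses constructed commit messages and reports commits whose trailer is missing or does not match the author's email, which is the check a DCO bot or pre-merge hook performs on a PR. The `Commit` class, the sample commits and their addresses are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# A DCO sign-off trailer: "Signed-off-by: Name <email>" (git trailer convention).
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>[^<]+?)\s*<(?P<email>[^>\s]+@[^>\s]+)>\s*$"
)


@dataclass
class Commit:
    """Minimal stand-in for a commit record (hypothetical; a real hook would read git log)."""
    sha: str
    author_email: str
    message: str


def signoffs(message: str) -> list[tuple[str, str]]:
    """Return (name, email) pairs from Signed-off-by trailers.

    Git only treats the final paragraph of a message as the trailer block,
    so a sign-off buried in the body text is deliberately not counted.
    """
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if not paragraphs:
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = SIGNOFF_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("email").lower()))
    return found


def dco_violations(commits: list[Commit], require_author_match: bool = True) -> list[tuple[str, str]]:
    """Return (sha, reason) for every commit that fails the DCO check.

    With require_author_match, the commit author must be among the signers;
    a sign-off by someone else does not certify the author's contribution.
    """
    problems = []
    for c in commits:
        signers = signoffs(c.message)
        if not signers:
            problems.append((c.sha, "missing Signed-off-by trailer"))
        elif require_author_match and c.author_email.lower() not in {e for _, e in signers}:
            problems.append((c.sha, f"no sign-off from author <{c.author_email}>"))
    return problems


# Constructed sample commits: one compliant, one unsigned, one signed by a different person.
SAMPLE_COMMITS = [
    Commit("a1b2c3d", "ada@example.org",
           "Add README\n\nExplains how to build.\n\nSigned-off-by: Ada Lovelace <ada@example.org>\n"),
    Commit("b2c3d4e", "bob@example.org", "Fix typo\n"),
    Commit("c3d4e5f", "eve@example.org",
           "Refactor parser\n\nSigned-off-by: Ada Lovelace <ada@example.org>\n"),
]

if __name__ == "__main__":
    for sha, reason in dco_violations(SAMPLE_COMMITS):
        print(f"{sha}: {reason}")
```

Wiring this into a PR check means feeding it the PR's commits (for example from `git log --format='%H%x00%ae%x00%B' base..head`) and failing the merge when the list is non-empty; the author-match rule is the part that turns "someone typed a trailer" into "the contributor certified the DCO for their own change".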

Projects

SELinux

Kernel made it into Linux, used in macOS/iOS. SEAndroid is now in latest builds too.

Walkoff

Integration and Automation workflow.

Beergarden

Plugin framework for command-and-control

beer-garden.io
