Standard for Public Code

Contents

  1. Requirements
  2. How to test
  3. Public policy makers: what you need to do
  4. Managers: what you need to do
  5. Developers and designers: what you need to do
  6. Further reading

Code in the open

Coding in the open improves transparency, increases source code quality, makes the source code easier to audit, and enables collaboration.

Together, this creates more opportunities for citizens to understand how software and policy impact their interactions with a public organization.

Requirements

  • All source code for any software in use (unless used for fraud detection) MUST be published and publicly accessible.
  • All source code for any policy in use (unless used for fraud detection) MUST be published and publicly accessible.
  • The codebase MUST NOT contain sensitive information regarding users, their organization or third parties.
  • Any source code not currently in use (such as new versions, proposals or older versions) SHOULD be published.
  • Documenting which source code or policy underpins any specific interaction the general public may have with an organization is OPTIONAL.

How to test

  • Confirm that the source for each version currently in use is published on the internet where it can be seen from outside the original contributing organization and without the need for any form of authentication or authorization.
  • Confirm that the codebase files and commit history do not include sensitive information.
  • Check for the publication of source code not currently in use.

Public policy makers: what you need to do

  • Develop policies in the open.
  • Prioritize open and transparent policies.

Managers: what you need to do

  • Develop a culture that embraces openness, learning and feedback.
  • Collaborate with external vendors and freelancers by working in the open.

Developers and designers: what you need to do

  • As a reviewer, for each commit, verify that content does not include sensitive information such as configurations, usernames or passwords, public keys or other real credentials used in production systems.
  • Clearly split data and source code, in order to meet the requirement about sensitive information above.
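The commit-history check in "How to test" and the per-commit reviewer check above can be partly automated. The script below is an added example, not part of the Standard for Public Code or any tooling it references: it reads a unified diff (the format `git diff` and `git show` produce), inspects only the added lines, and flags the kinds of material the standard says must stay out of the codebase (credentials in URLs, password and token literals, cloud access key ids, private key blocks, and long high-entropy strings that look like keys). The rule set, the function names and the two sample diffs are constructed for illustration; the second diff shows the same settings file after data and source code are split, with the values read from the environment, and produces no findings.

```python
import math
import re
from typing import List, Tuple

# Hypothetical pre-commit / review helper (added example, not part of the
# Standard for Public Code). It scans the added lines of a unified diff for
# material that should never be committed: credentials, private keys and
# configuration secrets.

# Only added lines ("+") are inspected; the "+++" file header line is skipped.
_ADDED_LINE = re.compile(r"^\+(?!\+\+)(.*)$")

# Pattern-based rules, checked in order; the first match wins for a line.
# No leading \b on the keywords so that SMTP_PASSWORD and GITHUB_TOKEN match.
_RULES = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password assignment",
     re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*(['\"][^'\"]{4,}['\"]|[^\s'\"]{4,}$)")),
    ("secret/token assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9+/_\-]{16,}")),
    ("credential in URL", re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:[^/\s@]+@")),
]

# Long tokens made of key-like characters are candidates for the entropy check.
_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and paths score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_tokens(line: str, threshold: float = 4.0) -> List[str]:
    """Tokens of 20+ characters whose entropy suggests a random key, not an identifier."""
    return [t for t in _TOKEN.findall(line) if shannon_entropy(t) >= threshold]


def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Return (line number within the diff, rule name, added line) per suspicious line."""
    findings = []
    for lineno, raw in enumerate(diff.splitlines(), start=1):
        m = _ADDED_LINE.match(raw)
        if not m:
            continue
        line = m.group(1)
        for name, rx in _RULES:
            if rx.search(line):
                findings.append((lineno, name, line))
                break
        else:
            if high_entropy_tokens(line):
                findings.append((lineno, "high-entropy token", line))
    return findings


# Constructed sample: a commit that moves configuration data into source code.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 import os
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgres://app:Tr0ub4dor&3@db.internal:5432/app"
+SMTP_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = False
+# TODO: move secrets back to the environment
"""

# Constructed sample: the same file with data and source code kept apart.
CLEAN_DIFF = """\
+++ b/config/settings.py
+DATABASE_URL = os.environ["DATABASE_URL"]
+SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
"""


def report(diff: str) -> str:
    """Human-readable summary for a reviewer; empty string when nothing was found."""
    return "\n".join(f"line {n}: {rule}: {text}" for n, rule, text in scan_diff(diff))


if __name__ == "__main__":
    print(report(SAMPLE_DIFF) or "no findings")
    print(report(CLEAN_DIFF) or "no findings")
```

Run it against `git show <commit>` output before approving a commit, or over every commit of a branch to cover history rather than only the current tree; a hit is a prompt for the reviewer to look, not proof of a leak, and a clean run does not prove the absence of one, since the rules only cover common shapes.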

Further reading