Code in the open
- All source code for any policy and software in use (unless used for fraud detection) MUST be published and publicly accessible.
- Contributors MUST never upload sensitive information regarding users, their organization or third parties to the repository. Examples of sensitive information include configurations, usernames and passwords, public keys and other real credentials used in the production system.
- Any source code that is not currently in use, such as new versions, proposals or older versions SHOULD be published.
- The source code MAY provide the general public with insight into which source code or policy underpins any specific interaction they have with your organization.
Why this is important
- Improves transparency
- Increases code quality
- Facilitates auditing processes
What this does not do
- Make source code or policy reusable
- Make the codebase and the code inside it understandable to as many people as possible
How to test
- The source for any version currently in use is published on the internet where it can be seen from outside the original contributing organization and without the need for any form of authentication
Policy makers: what you need to do
- Develop policies in the open
- Prioritise open and transparent policies
Management: what you need to do
- Develop a culture that embraces openness, learning and feedback
- Collaborate with external vendors and freelancers through working in the open
Developers and designers: what you need to do
- Clearly split data and code, in order to meet the requirement about sensitive information above.
- Coding in the open by the UK Government Digital Service
- When code should be open or closed by the UK Government Digital Service
- Security considerations when coding in the open by the UK Government Digital Service
- Deploying software regularly by the UK Government Digital Service
- How GDS uses GitHub by the UK Government Digital Service