Public Code and SBOM
Public money funds public code, not private property
The "Public Money, Public Code" principle states that software financed with tax money should be made available to the public as Open Source. This promotes reuse, reduces redundant development, and strengthens the digital sovereignty of the state.
Complementing this, the Software Bill of Materials (SBOM) is the necessary security standard to gain transparency about the components used and their security status.
Anti-Patterns: The Blackbox Administration
Many authorities use proprietary software whose functionality cannot be verified. This leads to dependencies on individual service providers, makes interoperability between different agencies more difficult, and harbours unrecognised security risks in the software supply chain. Without an SBOM, when a new vulnerability is disclosed (such as Log4j), it is nearly impossible to quickly determine which systems are affected.
Transparency by Default
- Open Source as the Standard: For the federal administration, EMBAG requires software developed by or for it to be published as open source by default (with exceptions for third-party rights or security reasons). Cantons and municipalities are not automatically covered, though many adopt the principle voluntarily. We recommend developing new projects under a free licence (e.g. AGPL or Apache 2.0).
- SBOMs in Procurement: Where the contract or regulation requires it, we ask software vendors for a machine-readable list of all included libraries and licences (e.g. in CycloneDX or SPDX format). As good practice, we recommend making this a standard requirement in tenders.
- Central Repositories: Building federated code platforms (such as opencode.de) to facilitate exchange between cantons and municipalities.
- Security Audits: Public code enables independent security reviews by the community and subject-matter experts.
- EMBAG Requirements: For the federal administration and EMBAG-adjacent procurement, we support implementing the statutory disclosure duty; cantons and municipalities are not automatically covered, but can adopt it as an open-government commitment.
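The Log4j case above is exactly the question an SBOM answers: given the inventories vendors delivered, which systems ship the affected component, and which inventories are incomplete? The following is an added example, not code from the page or from any named project. It assumes the SBOMs are CycloneDX JSON documents; the system names, components and the advisory range (log4j-core "below 2.17.1") are constructed for illustration and are not taken from a real advisory or a real CVE.

```python
"""Query a set of CycloneDX SBOMs for an affected component and for licence gaps.

Added example. The SBOM documents, system names and the advisory data are
constructed for illustration; they are not real inventories or a real CVE.
"""
import re
from typing import Iterator

# Constructed CycloneDX 1.4 documents, keyed by a fictional system name.
# A real deployment would load these from the JSON files vendors deliver.
SBOMS = {
    "permit-portal": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.13.0",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
        ],
    },
    "tax-backend": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.17.1",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
        ],
    },
    "gis-viewer": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            # A bundled framework whose own dependencies are nested, as
            # CycloneDX permits; the nested entry declares no licence.
            {"type": "framework", "name": "map-toolkit", "version": "5.1.0",
             "licenses": [{"license": {"id": "MIT"}}],
             "components": [
                 {"type": "library", "name": "tile-cache", "version": "1.2.0"},
             ]},
        ],
    },
}

# Constructed advisory: "log4j-core below 2.17.1 is affected". The range is
# invented for this example and is not taken from a real CVE.
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "fixed_in": "2.17.1"}


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' (or '2.14.1-SNAPSHOT') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def iter_components(bom: dict) -> Iterator[dict]:
    """Yield every component in a CycloneDX document, descending into nested
    'components' lists so bundled dependencies are not missed."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def affected_systems(sboms: dict, advisory: dict) -> dict:
    """Return {system: version} for every system shipping the advisory's
    component at a version older than the fixed one."""
    fixed = parse_version(advisory["fixed_in"])
    hits = {}
    for system, bom in sboms.items():
        for comp in iter_components(bom):
            if (comp.get("group") == advisory["group"]
                    and comp.get("name") == advisory["name"]
                    and parse_version(comp.get("version", "0")) < fixed):
                hits[system] = comp["version"]
    return hits


def licence_gaps(sboms: dict) -> dict:
    """Return {system: [component names]} for components with no licence
    declared, which a procurement review would send back to the vendor."""
    gaps = {}
    for system, bom in sboms.items():
        missing = [c["name"] for c in iter_components(bom) if not c.get("licenses")]
        if missing:
            gaps[system] = missing
    return gaps


if __name__ == "__main__":
    print("Affected by advisory:", affected_systems(SBOMS, ADVISORY))
    print("Components without licence:", licence_gaps(SBOMS))
```

With the constructed data, only permit-portal is flagged (it ships 2.14.1, while tax-backend is already on 2.17.1), and gis-viewer is reported for a nested component with no licence. Walking nested components matters in practice: vendors often deliver a framework as one entry whose bundled libraries appear only one level down.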
The Advantage: Federal Efficiency
One canton develops a solution for building permit management. Other cantons can adopt, adapt, and improve this code instead of reinventing the wheel each time.
FAQ
Are we not giving away valuable intellectual property by opening the code?
No, we are investing in shared infrastructure. The value lies in the functioning process and the data, not in the lines of code themselves. By sharing, maintenance costs decrease for everyone.
Does publishing the code not increase the risk of cyberattacks?
No. True security is based on robust architecture, not on secrecy. Security through obscurity does not protect against professional attackers. Transparency, on the other hand, enables faster patches.
References
- FSFE Public Money, Public Code. The European initiative for Open Source in public administration. (2017). publiccode.eu
- CISA SBOM Guide. The US cybersecurity agency's guide to the Software Bill of Materials. (2021). www.cisa.gov/topics/information-communications-technology-supply-chain-security/sbom
- OSS-Studie Schweiz. Open Source in Switzerland: current data on the use of OSS in Swiss authorities. (2024). www.oss-studie.ch