For those who haven’t heard the acronym before, OSPO stands for Open Source Program Office, and this year saw the second edition of the OSPOs for Good Symposium at the United Nations in New York on July 9 and 10.
At this stage, Open Source software has moved on from Linux and GCC, and the difference it is making to productivity and the provisioning of services for everything from clean water to advanced health care is now being recognized. The purpose of the event was to further cultivate both private and public interest in supporting open source development as well as making use of it effectively.
As part of this, a fringe event, “What’s Next for Open Source?” was also held on July 11, which included workshops on the setup and management of OSPOs, as well as issues around dealing with generative AI, cybersecurity, and the sustainability of the open-source ecosystem. I was given the opportunity to talk on a panel organized by the Open Source Security Foundation at the fringe event. I also seized the opportunity to contribute and escape my frigid base in the Southern Hemisphere for a much warmer New York.
Primarily, I was there to talk about sustainability in open source development, but, as someone who has historically approached open source from a developer’s viewpoint, I did gain appreciation for how useful a specific open source program office could be for both private and public organizations as a mechanism for being best able to work with and contribute to the open source ecosystem, ensuring both value for money and that open source software and projects that were being relied on were sustainable and secure in the long term. The Linux Foundation has made many resources available on this, and for anyone interested in how best to apply open source to their organization, I would recommend starting by looking at this link describing the business value of an OSPO.
Sustainability for me is still a lot about resourcing and recognizing that for projects to provide their full benefit to industry, things need to be done to ensure there is a tomorrow for a given effort, before the people responsible find themselves burning out or otherwise in trouble. I am pleased to relay that these issues are a lot better understood than they have been in the past, and it was of no small significance that the release of M-24-14 “Administration Cybersecurity Priorities for the FY 2026 Budget” was also announced at the event. M-24-14 lists 5 pillars, or budget priorities, for US federal government agencies.
While all sections touched on cybersecurity, the two of most interest to us at Keyfactor, and many of our customers, were pillar 1, “Defend Critical Infrastructure”, which included a section titled “Improve Open Source Software Security and Sustainability”, and pillar 4, “Invest in a resilient future”, which included a section titled “Prepare for the Post-Quantum Future”. As both concern areas that Keyfactor has been diligently working towards, it was rewarding, and inspiring, to see that the significance of these areas is now fully recognized across the US government.
Stay tuned for further news on this front as we are expecting the final release of the new post-quantum cryptography standards from NIST any day now.
If you would like more information about our current efforts around quantum readiness, please also have a look at https://www.keyfactor.com/post-quantum-cryptography-lab/.
And, check out the open source project pages: