<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">John Newton</b> <span dir="ltr"><<a href="mailto:notifications@github.com">notifications@github.com</a>></span><br>Date: Mon, Apr 18, 2016 at 4:47 AM<br>Subject: Re: [WhiteHouse/source-code-policy] Email Comment: Department of Homeland Security Office of the Chief Information Officer and Components (#152)<br>To: WhiteHouse/source-code-policy <<a href="mailto:source-code-policy@noreply.github.com">source-code-policy@noreply.github.com</a>><br>Cc: misdemeaner <<a href="mailto:turnerbrentm@gmail.com">turnerbrentm@gmail.com</a>><br><br><br><p>A more useful alternative to closing off everything because it may include vulnerabilities is to make secure code the exception. This is not too different from open source companies releasing enterprise features that are not open source. Or indeed, the difference between Classified and Unclassified information. Just as records must be declared Classified in order to have stricter access controls, code could be declared Classified with a similar fileplan process.</p>
<p>Information created by the government is inherently unclassified in the interests of the people and transparency. Code should be no different. The example of rules for anti-fraud detection is a good example, but by exception rather than by rule. This code could be classified and extended under protected rules. But why should the code such as general purpose libraries, simple user interfaces, connections to common unclassified systems be closed by default? 80-90% of code probably has no impact on the security of any system. This seems very much like a bygone age where much of what some agencies used to do was classified by default, even lunch menus.</p>
<p>In the end, the code is being funded by the people, not the department, and the people have the right to get the most out of their investment in the code, just as they have a right to the information that has been created in their name.</p>
</div><br></div>