OPEN SOURCE AND CODE REUSE EXCEPTIONS - 4984.2
(Revised: 12/2024)
Legal Authority
Government Code 11545 and 11546
Definitions
Reference SAM 4819.2
Policy
As part of the Open Source and Code Reuse policy, each state entity shall:
- Evaluate, as part of the Project Approval Lifecycle alternatives analysis, existing state software solutions for all reportable and non-reportable IT projects. Alternatives analysis shall give preference to the use of existing state software solutions.
- If alternatives analysis concludes that existing state software solutions cannot efficiently and effectively meet the needs of the state entity, the state entity must explore whether its requirements can be satisfied with an appropriate commercial off-the-shelf (COTS) software solution or open-source solution.
- Make sure that custom-developed code, documentation, and other associated materials are compliant with application development best practices, IT security, and code quality standards.
- Create and maintain a centralized enterprise code inventory that includes all new State of California custom-developed software applications, utilities and related information and make this information available to all state entities on an ongoing basis. See code.ca.gov, the California Department of Technology’s open-source code portal, for additional information.
- Make custom-developed code broadly available for reuse across state government and make their code inventories discoverable through code.ca.gov, pursuant to the limited exceptions outlined in SAM Section 4984.2.
- Maintain and frequently update all custom-developed code available in the code repository to ensure code integrity, quality, and security.
- Whenever possible, secure the rights necessary to make code developed by the State of California available to the public as Open Source Software (OSS), pursuant to the limited exceptions outlined in SAM Section 4984.2. Each state entity’s Chief Information Officer (CIO), with consultation from the state entity’s Information Security Officer (ISO), is responsible for determining if the state entity’s custom-developed code will be shared with the public as OSS and controlling public access through the Department of Technology’s code repository. State entities must attribute Copyleft licenses (e.g. GPL v.3) to all custom-developed code made OSS to prohibit the creation of proprietary derivative software.
- Understand that, as a consumer of shared code, the entity that consumes open-sourced code is solely responsible for use and associated risks of the shared code.