In an era of rapid digital transformation, open source software has become the backbone of technological innovation across industries. The Linux Foundation Europe is proud to partner with Enabling Linux in Safety Applications (ELISA) Project to support an initiative, aimed at addressing a critical challenge in the software ecosystem. As the demand for open source software into regulated and safety-critical systems increases (e.g. in aerospace, automotive, and medical industries), the need for a robust, standardized approach to evaluate its quality and security has never been more urgent. This initiative promises to reshape how we assess and integrate open source software into mission-critical environments. Learn more in this blog article authored by Philipp Ahmann (ETAS GmbH) and Gabriele Paoloni (Red Hat).
An innovative new project is underway to establish a standardized approach for evaluating the quality and security of open source software (OSS). The increasing reliance on OSS in regulated and standards-driven sectors (like aerospace, automotive, and medical industries ) necessitates a robust framework for determining OSS trustworthiness. This project aims towards just this.
Current quality standards are often inadequate to the unique development processes of OSS, creating a significant barrier to the adoption of OSS in regulated industries.
This initiative will address this gap by:
- analyzing existing OSS development practices
- identifying key performance indicators (KPIs), and
- creating a framework to evaluate how well OSS projects align in front of the objectives safety & security standards as well as regulations.
The evaluation will be based on the project’s (open source) development practices. Such a framework will be crucial for both quality management demanded by safety standards and the growing requests on software quality of cyber-resilience regulations (such as the Cybersecurity Resilience Act – CRA). The resulting standard will also support initiatives aimed at increasing the security and reliability of open-source operating systems.
Your Input is Crucial
To ensure this project accurately reflects the needs and realities of the OSS community, and the demands of regulated industries, we invite you to participate in a short survey. Your feedback will directly influence the development of this vital new standard. The survey will cover various aspects of OSS development, focusing on both safety and security, aiming to identify best practices and establish measurable KPIs. The deadline to submit your feedback is May 31, 2025.
About the Project:
The goal of this project is to evaluate and document established open source development best practices and to provide an assessment guide for the user to rate the quality of open source projects. This increases trust in open source software for the adoption in regulated industries, e.g. for safety critical systems.
This shall be achieved via 3 project phases:
- Phase 1: Analyzing existing literature, OSS projects, and relevant standards, including emerging cyber-resilience frameworks.
- Phase 2: Defining a framework of OSS good practices and KPIs for both safety and security.
- Phase 3: Testing and refining the framework through pilot projects.
The project welcomes collaboration with academia, public sector organizations, OSS communities, foundations, and industry leaders across various sectors. By working together, we can create a quality standard that provides means to demonstrate the technical and process capabilities of OSS projects, enabling their adoption within a company-specific development framework for safety-critical and cyber-resilient systems, thereby paving the way for innovation while upholding the highest levels of safety and security.
SUPPORTING QUOTES:
While e.g. the European Commission and Japanese government are right starting to champion open source for software-defined vehicles (SDVs), a clear path to integrating OSS with existing automotive standards is crucial for realizing its full potential. ETAS is committed to bridging this gap, ensuring that open source initiatives drive innovation without compromising safety, reliability, or established industry practices. We believe this approach is essential for fostering true digital sovereignty and competitiveness within the automotive sector. – Philipp Ahmann, Sr. OSS Community Manager at ETAS GmbH
As indicated above, there is an increasing usage of OSS in regulated and standards-driven sectors. Setting up a convergence between the OSS quality and security processes with regulations and standards definitions becomes a must and this activity needs to take place on both sides of the equation to find an agreement. The project initiative described here would be the OSS part, matching the regulatory part also started in the different sectors, like the new revision of the ISO-26262 with the introduction of the ISO/PAS 8926 for the Automotive sector, and the EUROCAE WG-117 SG-2 related to “COTS, Open Source and Service History” for the Avionics sector. – Olivier Charrier, Principal Technologist – Functional Safety at Wind River Systems
With open source as the basis for every commercial product offering, Red Hat is invested in the quality and security of related open source software. This investment is substantiated by all Red Hat customers’ success stories, including but not limited to, deployments of Red Hat products into mission critical systems (such as finance, defense, telco and space industries). For this reason Red Hat fully supports this project and is looking forward to having an innovative and suitable approach to rate open source software quality; thus aiming to accelerate and simplify OSS evaluation for use in mission-critical systems or regulated industries. – Gabriele Paoloni, Sr PE | Open Source Community Technical Leader at Red Hat
