source: simon willison: gds weighs in on the nhs's decision to retreat from open source

level: technical

the government digital service published guidance on ai, open code, and vulnerability risk in the public sector on may 14. it says making everything private adds delivery and policy costs and reduces reuse and scrutiny. the key recommendation is to keep open by default, with closure used sparingly and deliberately. the post does not name the nhs directly, but it comes after the nhs decided to close access to its open source repositories in response to vulnerabilities found by project glasswing.

terence eden, who has been covering the nhs move, interprets the gds statement as a major escalation. he notes that in the uk civil service, public disagreements are rare. the phrase "being invited to a meeting without biscuits" describes a frosty discussion without niceties. eden sees the gds post as a clear signal that the nhs decision was poorly considered and goes against established digital service principles.

the nhs closed its repositories after receiving vulnerability reports, a reaction that many in the open source and security communities criticized. closing a repository does not fix the vulnerabilities in it: the code already running in production is unchanged, anyone who cloned or forked the public repository before it went private still has a copy, and the only people reliably locked out are the researchers who might have reported the next flaw. the gds guidance reinforces that openness enables better security through public scrutiny. it also aligns with broader government policy to make code available for reuse and collaboration.

why it matters: open source code allows faster vulnerability discovery and fixes, reducing long-term security risks for public sector ai and data systems.


source: simon willison: gds weighs in on the nhs's decision to retreat from open source