Open Source Business Alliance (OSBA) publishes procurement recommendations for Open Source software

Open source is often viewed as less structured and reliable than commercial solutions when it comes to support: there isn’t a clear development roadmap and no single address to turn to in the event of performance issues. At the same time, for companies that take the leap of faith and embrace open source, there are numerous benefits—not the least of which is freedom from relying on a single vendor to address their business needs, and the ability to achieve digital sovereignty.

This may, at least in part, explain why an increasing number of European governments encourage the adoption of open-source software for their administrative needs, urging the industry to follow their lead. It may also be one of the reasons for PostgreSQL’s growing popularity in recent years.

To accelerate the adoption of open-source software in the industry, the Open Source Business Alliance (OSBA)—a Germany-based non-profit that operates Europe’s largest network of companies and organisations developing, building, and using open-source software—has published a new position paper outlining four key procurement criteria to help public administrations select open-source software providers that ensure long-term security, quality, and sustainability.

Why is there a need for criteria for open source procurement?

In public procurement, decisions are often based on cost—some providers win bids with low-cost offers but fail to invest in ongoing software maintenance, security updates, and upstream contributions. This can result in poor support, failing projects, and software stagnation, ultimately undermining the broader open-source ecosystem.

OSBA’s recommendations aim to prevent these risks by ensuring that public institutions choose providers who actively contribute to the development and security of the open source projects they rely on.

What are the four procurement criteria that OSBA recommends? 

To ensure open source software remains a viable and secure option for public institutions, OSBA has outlined four essential procurement criteria:

  1. Relationship with the Software Manufacturer / Community
    • Does the provider have a direct relationship with the software’s developers or community?
    • Is the software manufacturer involved in the project’s support and development?
  2. Ensuring Upstream Contribution
    • Does the provider ensure that patches, bug fixes, and improvements are contributed back to the original project?
    • Are these contributions publicly available for the broader community?
  3. High-Quality Third-Level Support
    • Can the provider offer expert-level support for the software?
    • Do they have in-depth knowledge of the source code or direct access to the original developers?
  4. Supply Chain Security and Support for Core Components
    • Does the provider support and contribute to the core components of the software?
    • Are security and maintenance practices in line with the Cyber Resilience Act?

How do these criteria impact Data Egret and other companies that provide services within the PostgreSQL ecosystem?

As a member of the Open Source Business Alliance, we welcome these long-overdue recommendations and believe they will provide clear guidance for us as a consulting company to further deepen our ongoing involvement in PostgreSQL development and community engagement. We feel that we are on the right course to support these procurement requirements, and here is how:

  • Relationship with the PostgreSQL Community:
    Data Egret has been consistently involved in contributing to PostgreSQL and has been recognised as a Significant Contributing Sponsor to PostgreSQL for its dedication to community activities. We have representatives across various PostgreSQL committees, with our CEO, Ilya Kosmodemiansky, having served for three years on the PostgreSQL Europe Board of Directors. We are also actively involved in organising PostgreSQL community events across different regions.
  • Upstream Contributions:
    Our DBAs are experienced in the bug report submission process and have submitted over 130 reports as a result of our consulting practice over the years. We also have colleagues who have been recognised by the PostgreSQL community as PostgreSQL contributors, meaning they have extensively contributed to the project’s development in both technical and operational ways.
  • High-Quality Third-Level Support:
    The ability to provide deep technical expertise is key to our success as a PostgreSQL support consultancy. All our DBAs have at least 10 years of experience working with PostgreSQL, allowing us to ensure that our clients always receive assistance from a third-level PostgreSQL expert. We also encourage our DBAs to be actively involved in the project—sharing their knowledge at events, giving talks, organising community conferences and local PostgreSQL events, and contributing to Postgres initiatives within the community. This ensures that they not only possess a high level of expertise but also stay up to date with the latest PostgreSQL development trends and database internals.
  • Supply Chain Security:
    It is safe to say that the development of PostgreSQL features is highly transparent. Every suggestion for a new feature is carefully considered and scrutinised by multiple companies and individual contributors, who are then involved in continuous review throughout the CommitFest for each release and comprehensive discussions that take place on mailing lists, as well as in face-to-face developer meetings and conferences, ensuring thorough evaluation and collaboration.
    All comments received during the review process, along with the names of those who actively participated, are listed on the PostgreSQL website. This ensures an unbiased and transparent development process.

At Data Egret, we are dedicated to making open-source PostgreSQL the database of choice for businesses—not just in Germany, but worldwide. By adhering to these sustainability principles and continuously contributing to the project, we ensure that our clients benefit from a secure, high-performance, and future-proof database solution. We appreciate OSBA’s support and guidance in this direction and hope it will help achieve the industry’s digital sovereignty.
