No census of the critical open source dependencies underpinning UK government and CNI

openclaimed ·shipped ·
What is missing

DSIT's commissioned research (2025) tells businesses to keep SBOMs, and the NCSC warns of active dependency-compromise attacks and urges organisations to check their dependencies, but the state has never aggregated this picture. There is no inventory of which open source components government services and critical national infrastructure actually depend on, who maintains them, or how healthy they are (contrast the Harvard/Linux Foundation 'Census II' of most-used OSS, and US federal SBOM aggregation under EO 14028). Without this evidence base, neither NCSC prioritisation nor any future UK maintenance fund can be targeted, and ministers can honestly say they don't know what the UK runs on.

Why it matters

You cannot defend or fund what you haven't mapped. A census converts open source risk from anecdote (Log4j surprised everyone) into a ranked, actionable list, and is the analytic precondition for a UK Sovereign Tech Fund.

What would fill it

An NCSC/DSIT-commissioned recurring census aggregating SBOMs across departments and CNI operators, published with criticality and maintainer-health rankings; deliverable by an academic-industry consortium in under a year using existing SCA tooling.

// Build together: Counterparty: NCSC/DSIT commission plus departmental and CNI SBOM access; privileged data outsiders cannot scrape.

Why urgency 2

Cheap, deliverable within a year on existing tooling, and entirely unowned, this evidence base is the analytic precondition for targeting any maintenance fund or NCSC prioritisation.

THE FIRST STEP · SMALL ENOUGH TO SAY YES TO
A 90-day pilot aggregating dependency data from five volunteer digital services, producing a criticality ranking for internal review only, and a joint decision afterwards on whether a full census is worth commissioning.
ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
COUNTERPARTY WANTED
government-bodies If you can convene one, open the dialogue →
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.

Distinct but adjacent

More in Open source & public goods

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2026-10-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.