GDS weighs in on the NHS's decision to retreat from Open Source
Simon Willison · 2026-05-17
The UK Government Digital Service publishes guidance recommending public sector bodies keep code open by default, implicitly rebuking the NHS's decision to close its open source repositories after security vulnerabilities were disclosed via Project Glasswing.
Extraction
Topics: open-source-policy, public-sector-security, responsible-disclosure, uk-government-digital-service
Claims
- The NHS closed its open source repositories in response to vulnerabilities reported through Project Glasswing, a decision widely criticized as poorly considered.
- The UK Government Digital Service published guidance stating that 'openness should remain the default posture, with closure used sparingly and deliberately.'
- Making government code repositories private adds delivery and policy costs and reduces opportunities for reuse and external scrutiny.
- The GDS guidance is interpreted by civil service observers as an unusually public rebuke directed at the NHS, despite not naming it explicitly.
Key quotes
Keep open by default. Making everything private adds additional delivery and policy costs, and can reduce reuse and scrutiny. Openness should remain the default posture, with closure used sparingly and deliberately.
Within the UK's Civil Service you occasionally hear the expression 'being invited to a meeting without biscuits'. It implies a rather frosty discussion without any of the polite niceties of a normal meeting. In general though, even when people have severe disagreements, it is rare for tempers to fray. It is even rarer for those internal disagreements to spill over into public.