This paper identifies Open Source Software / Free Software (OSS/FS) programs that I believe are generally recognized as mature (GRAM), also known as generally recognized as safe (GRAS).

1. Introduction

Open Source Software / Free Software (OSS/FS) has risen to great prominence. Briefly, OSS/FS programs are programs whose licenses give users the freedom to run the program for any purpose, to study and modify the program, and to redistribute copies of either the original or modified program (without having to pay royalties to previous developers). There is significant evidence that any user of software should consider using OSS/FS programs, and I've written a paper on how to evaluate OSS/FS programs.

Unfortunately, OSS/FS is a relatively new concept to many acquirers, and as a result some acquirers inadvertantly fail to consider OSS/FS options. Acquirers who have are not looking for their available options will often be unaware of them, since OSS/FS projects do not generally have large marketing campaigns and they ofte do not respond to government Request for Proposals (RFPs). OSS/FS distribution processes often make it difficult to identify their market share, so even widely-used programs can at first appear to be less common.

To combat these and other problems, a MITRE study recommended creating a "generally recognized as safe" (GRAS) list of OSS/FS programs. Such a list has also been called a "Generally Recognized as Mature" (GRAM) list, since the issue is one of maturity, not whether the program will be used in a safety-critical environment. Basically, certain OSS/FS programs are so widely used in their market niche that the risk of using them is significantly reduced, and having a GRAM or GRAS list would save evaluators time and money. For example, in web applications the combination of Linux, Apache, MySQL, and Perl/Python/PHP is so widespread that it has its own acronym: LAMP. Clearly, if certain combitations are so widely used that there are industries and acronyms built on them, they should be considered by potential users.

This paper proposes a short GRAM list, that is, a list of OSS/FS programs that are clearly mature and appropriate for a wide variety of circumstances. It is intended for use by acquirers to help them identify important OSS/FS options they should consider when acquiring software.

2. Scope

This document does not identify the proprietary software generally recognized as mature. Acquisition organizations have far more experience in acquiring proprietary software, and proprietary software vendors often spend considerable resources on marketing their software. Thus, there doesn't seem to be a need for a GRAM list for proprietary software; certainly the need seems much less pressing. Given the limited resources available to create a GRAM list, it appeared appropriate to concentrate on the greatest need: a GRAM list for OSS/FS software.

This document only identifies widely-applicable software (not specialized software). Also, this document doesn't emphasize infrastructure software; a typical GNU/Linux or *BSD operating system has many subcomponents, such as the X window system, which won't be listed here.

Even if software is listed on the GRAM list, that does not necessarily mean that the program is best for a particular application. Acquirers must still compare available software to their specific needs. Conversely, OSS/FS software not on the GRAM list may actually be more appropriate for a specific unusual application. See the companion paper on how to evaluate OSS/FS programs for more information on evaluating OSS/FS programs.

Note that if the OSS/FS programs meets most but not all needs, the OSS/FS program should still be considered. One of the hallmarks of OSS/FS programs is flexibility; OSS/FS programs can be customized to meet a particular need if necessary. If an OSS/FS program many but not all needs, an acquirer should examine the pros and cons of modifying the program to meet the acquirer's needs. Typically such changes are performed by working with the existing trusted project developers, so that the support costs of these program can be transitioned away from the individual acquirer.

To be listed on the GRAM list, prospective programs and their projects must meet certain criteria. These include significant usage (in their market area), significant development/support, mature functionality, security, quality, and cost. Currently, these attributes have been only considered in an informal way. Future descendents of this GRAM list may work to provide more information on these and other important attributes, possibly using a small team of experts to evaluate GRAM candidates. I'd certainly love to see a variation of this list that captured more detailed information (and evidence) for each of these attributes, as well as a short description of each product, including its strengths / weaknesses and information useful to potential users (such as contrasts of various support options).

The process for evaluating OSS/FS and proprietary software is the same in a broad way, but they are necessarily different in detail. For example, it is generally not possible to examine the source code or developmental discussions of proprietary software without special arrangements, while that's possible for OSS/FS projects. Thus, it would be unsurprising if descendents of this list continued to concentrate only on OSS/FS programs. Again, see my related paper on how to evaluate OSS/FS programs.

Many worthy applications are not included in this particular list; there are so many useful programs that it's essentially impossible to create a "complete" list. In particular, this list includes relatively few libraries; there are so many libraries available that it's difficult to identify the "important" ones. Still, I offer it to the world as a short list that may help you if you are considering using OSS/FS.

3. Related Work

Others have also created similar lists, which you may also find useful:

1. The Interchange of Data between Administrations (IDA) programme is managed by the European Commission, with a mission to "coordinate the establishment of Trans-European telematic networks between administrations." IDA has developed The IDA Open Source Migration Guidelines to describe how to migrate from proprietary programs to OSS/FS programs. This paper includes a list of suggested OSS/FS programs.
2. The table of equivalents / replacements / analogs of Windows software in Linux lists "equivalent" OSS/FS programs to common proprietary programs that run on GNU/Linux (however, its listings may be immature or proprietary, since its focus is different than this paper).
3. The MITRE study lists programs used in the U.S. Department of Defense (DoD). Programs that are widespread in the DoD are likely to be mature.

4. GRAM List

• Operating Systems
  1. GNU/Linux - an operating system based on the Linux kernel. Widely-used distributions include Red Hat Linux, Debian GNU/Linux, SuSE, and MandrakeSoft.
  2. The *BSD Operating systems (FreeBSD (general purpose), OpenBSD (security-focused), NetBSD (portability-focused)).

• Network Services
  1. Apache (web server)
  2. bind (domain naming service, a critical Internet infrastructure service)
  3. Mailman (mailing list manager)
  4. Samba (supports interoperability with Windows clients by acting as a Windows file and print server)
  5. Postfix (email server)
  6. Sendmail (email server). This is the most popular email server in the world. However, it has had a number of security issues over time; some people use Postfix (also listed here) instead, so anyone considering Sendmail should also consider Postfix at least (another widely-used choice is Exim).

• Relational Database Management Systems (RDBMSs)
  1. MySQL (database emphasizing speed)
  2. PostgreSQL (database emphasizing functionality)

• Desktop applications
  1. Evolution (email client as well as calendar and contact manager)
  2. Mozilla (web browser and email client)
  3. OpenOffice.org (office suite, including word processor, spreadsheet, and presentation software)
  4. The GIMP (bitmapped image editor)

  Note: some applications, such as GnuCash (for accounting) and Wine (for running Windows applications), are well-known but not yet mature at the time of this writing.

  Note that while there are several OSS/FS office suites available, Open Office tends to interoperate with Microsoft Office better than the alternatives, and Open Office supports more platforms than Gnumeric (a well-respected GNOME spreadsheet program) or KOffice suites. Note that according to at least one report Gnumeric has more accurate statistical functions than Excel. I've been pleased when using Abiword, and Abiword does support many platforms, but note that Abiword is currently intended to be "lightweight" word processor with fewer features, while many users want a full-featured word processors.

• Development Tools/Languages
  1. Bugzilla (Bug tracking tool)
  2. CVS (software version management tool)
  3. GNAT (implementation of Ada programming language)
  4. Emacs (text editor)
  5. GNU Compiler Collection (GCC, a suite of compilation tools for C, C++, and several other languages).
  6. JBoss (J2EE-compliant web application server
  7. TAO (The ACE ORB, in implementation of a CORBA ORB)
  8. Perl (programming/scripting language)
  9. PHP (hypertext preprocessor used for web development)
  10. Python (another programming/scripting language)
  11. Vim (text editor)

• Web Application Development / Content Management
  1. Zope (website development tool)
  2. Plone (content management system)
  3. Midgard (content management system)
  4. OpenCMS (content management system)
  5. Typo3 (content management system)

• Graphical user interface (GUI) infrastructure
  1. GNOME (a desktop environment)
  2. KDE (also a desktop environment)
  3. XFree86 (graphics infrastructure which implements the X window system)

• Security
  1. OpenVAS (network security scanner); this is a descendent of the older
  2. Nessus.
  3. Nmap (network configuration scanner)
  4. OpenSSH (secure replacement for telnet, rcp, and ftp)
  5. OpenSSL (library implementing the SSL and TLS security protocols)
  6. Snort (intrusion detection)

• Research Tools
  1. Octave (numerical computation language)
  2. R (language for statistical computing)

For more information, see Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!, How to Evaluate Open Source Software / Free Software Programs, or David A. Wheeler's home page.