Generally Recognized as Mature (GRAM) OSS/FS programs

David A. Wheeler
Revised as of October 3, 2004

This paper identifies Open Source Software / Free Software (OSS/FS) programs that I believe are generally recognized as mature (GRAM), also known as generally recognized as safe (GRAS).

1. Introduction

Open Source Software / Free Software (OSS/FS) has risen to great prominence. Briefly, OSS/FS programs are programs whose licenses give users the freedom to run the program for any purpose, to study and modify the program, and to redistribute copies of either the original or modified program (without having to pay royalties to previous developers). There is significant evidence that any user of software should consider using OSS/FS programs, and I've written a paper on how to evaluate OSS/FS programs.

Unfortunately, OSS/FS is a relatively new concept to many acquirers, and as a result some acquirers inadvertantly fail to consider OSS/FS options. Acquirers who have are not looking for their available options will often be unaware of them, since OSS/FS projects do not generally have large marketing campaigns and they ofte do not respond to government Request for Proposals (RFPs). OSS/FS distribution processes often make it difficult to identify their market share, so even widely-used programs can at first appear to be less common.

To combat these and other problems, a MITRE study recommended creating a "generally recognized as safe" (GRAS) list of OSS/FS programs. Such a list has also been called a "Generally Recognized as Mature" (GRAM) list, since the issue is one of maturity, not whether the program will be used in a safety-critical environment. Basically, certain OSS/FS programs are so widely used in their market niche that the risk of using them is significantly reduced, and having a GRAM or GRAS list would save evaluators time and money. For example, in web applications the combination of Linux, Apache, MySQL, and Perl/Python/PHP is so widespread that it has its own acronym: LAMP. Clearly, if certain combitations are so widely used that there are industries and acronyms built on them, they should be considered by potential users.

This paper proposes a short GRAM list, that is, a list of OSS/FS programs that are clearly mature and appropriate for a wide variety of circumstances. It is intended for use by acquirers to help them identify important OSS/FS options they should consider when acquiring software.

2. Scope

This document does not identify the proprietary software generally recognized as mature. Acquisition organizations have far more experience in acquiring proprietary software, and proprietary software vendors often spend considerable resources on marketing their software. Thus, there doesn't seem to be a need for a GRAM list for proprietary software; certainly the need seems much less pressing. Given the limited resources available to create a GRAM list, it appeared appropriate to concentrate on the greatest need: a GRAM list for OSS/FS software.

This document only identifies widely-applicable software (not specialized software). Also, this document doesn't emphasize infrastructure software; a typical GNU/Linux or *BSD operating system has many subcomponents, such as the X window system, which won't be listed here.

Even if software is listed on the GRAM list, that does not necessarily mean that the program is best for a particular application. Acquirers must still compare available software to their specific needs. Conversely, OSS/FS software not on the GRAM list may actually be more appropriate for a specific unusual application. See the companion paper on how to evaluate OSS/FS programs for more information on evaluating OSS/FS programs.

Note that if the OSS/FS programs meets most but not all needs, the OSS/FS program should still be considered. One of the hallmarks of OSS/FS programs is flexibility; OSS/FS programs can be customized to meet a particular need if necessary. If an OSS/FS program many but not all needs, an acquirer should examine the pros and cons of modifying the program to meet the acquirer's needs. Typically such changes are performed by working with the existing trusted project developers, so that the support costs of these program can be transitioned away from the individual acquirer.

To be listed on the GRAM list, prospective programs and their projects must meet certain criteria. These include significant usage (in their market area), significant development/support, mature functionality, security, quality, and cost. Currently, these attributes have been only considered in an informal way. Future descendents of this GRAM list may work to provide more information on these and other important attributes, possibly using a small team of experts to evaluate GRAM candidates. I'd certainly love to see a variation of this list that captured more detailed information (and evidence) for each of these attributes, as well as a short description of each product, including its strengths / weaknesses and information useful to potential users (such as contrasts of various support options).

The process for evaluating OSS/FS and proprietary software is the same in a broad way, but they are necessarily different in detail. For example, it is generally not possible to examine the source code or developmental discussions of proprietary software without special arrangements, while that's possible for OSS/FS projects. Thus, it would be unsurprising if descendents of this list continued to concentrate only on OSS/FS programs. Again, see my related paper on how to evaluate OSS/FS programs.

Many worthy applications are not included in this particular list; there are so many useful programs that it's essentially impossible to create a "complete" list. In particular, this list includes relatively few libraries; there are so many libraries available that it's difficult to identify the "important" ones. Still, I offer it to the world as a short list that may help you if you are considering using OSS/FS.

3. Related Work

I can easily imagine some standards-like group being created to maintain a GRAM list. Since at the moment I know of no such organization, perhaps this list and others will help people until there is such a group.

Others have also created similar lists, which you may also find useful:

  1. The Interchange of Data between Administrations (IDA) programme is managed by the European Commission, with a mission to "coordinate the establishment of Trans-European telematic networks between administrations." IDA has developed The IDA Open Source Migration Guidelines to describe how to migrate from proprietary programs to OSS/FS programs. This paper includes a list of suggested OSS/FS programs.
  2. The table of equivalents / replacements / analogs of Windows software in Linux lists "equivalent" OSS/FS programs to common proprietary programs that run on GNU/Linux (however, its listings may be immature or proprietary, since its focus is different than this paper).
  3. The MITRE study lists programs used in the U.S. Department of Defense (DoD). Programs that are widespread in the DoD are likely to be mature.

4. GRAM List

Here is my GRAM list:

For more information, see Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!, How to Evaluate Open Source Software / Free Software Programs, or David A. Wheeler's home page.