In May 2025, Magenta published an open source analysis of every OS2 product. Not a gentle overview - a proper audit. Commits counted, Docker Hub versions cross-referenced with GitHub, proprietary dependencies exposed, documentation quality assessed. The report runs to 60 pages and it does not pull punches.
I have read the whole thing. And honestly, some of it is hard to take in.
Full disclosure
I need to be upfront about something. I built OS2udoglær while working as Tech Lead at Novicell. That project shows up in the report with mostly favourable marks. So yes - I have skin in this game. I am not going to pretend otherwise.
But the data in this report is publicly verifiable. Anyone can go to GitHub and count the commits, check the README files, look at the Docker Hub tags. Magenta did the work of compiling it all in one place, and regardless of what you think about their motivations, the numbers are the numbers.
What the report actually says
Magenta evaluated all 20 OS2 products across four categories: structured releases and source code access, open code libraries, documentation and README quality, and changelogs. They used a simple traffic light system - green, yellow, red.
The headline finding is damning. Two products - OS2flytjord and OS2nectar - have no public source code at all. OS2flytjord has a GitHub repository that contains nothing but empty template files. OS2nectar does not appear to have a repository anywhere. The link on OS2's own website leads to the wrong project entirely.
But it gets worse than missing code. Several products depend on proprietary Bootstrap themes - "Angle" and "Inspinia" - that require paid licences. OS2sofd, OS2kravmotor, OS2rollekatalog, and OS2korrespondance all use these. That means you cannot freely use, modify, and redistribute these solutions. The fundamental premise of open source is broken.
Then there is the development transparency problem. The report documents how most OS2 products are developed privately, with large code dumps pushed to GitHub at irregular intervals. OS2sync has had 18 commits since October 2019 - and those commits are just labelled "release" with a version number. No description, no changelog, no way to understand what changed. Meanwhile, Docker Hub shows versions of OS2sync that are five versions ahead of what is on GitHub. You literally cannot inspect the code that is running in production.
The numbers that matter
Magenta tracked commits and releases across all products over six years. The disparity is staggering.
OS2mo has 967 releases and nearly 10,000 commits. OS2borgerPC has 236 releases and 3,155 commits. Together, these two Magenta products account for 74 percent of all releases across the entire OS2 ecosystem. The remaining 18 products share the other 26 percent.
On the commits side, OS2kitos leads with 14,488 commits - transparent, frequent, small changes. Add OS2mo and OS2borgerPC, and three products account for 78 percent of all commits.
The rest? OS2kravmotor has had 8 commits total - all in November 2022. OS2skoledata has had 7 commits since February 2023. OS2sofd has had 6 commits since October 2022. These are not active open source projects. They are occasional code drops with an MPL-2.0 licence file attached.
Where OS2udoglær fits
OS2udoglær received green marks for open code libraries (no proprietary dependencies) and documentation quality. Yellow for releases and changelogs - fair criticism, there is room for improvement on both fronts.
What the report highlights positively: 1,121 commits since April 2024 with short intervals and small code changes. A structured Git strategy with feature and bugfix branches named after issues. Detailed README files with setup guides for both DDEV and LAMP stack. GitHub Actions for CI/CD. No dependencies on closed software.
That is how I was taught - by doing, by the community, by years of contributing to Drupal.org - that open source projects should work. Frequent commits. Clear documentation. No proprietary lock-in. A development process that someone outside the organisation can actually follow and contribute to.
The fact that this is considered noteworthy rather than standard practice is the real problem.
The OS2 ecosystem problem
OS2 was founded in 2012 with the right intentions. A collaborative framework for Danish municipalities to develop and share open source solutions. The principles are sound - openness, transparency, community-driven development, no vendor lock-in.
But the report exposes a fundamental gap between those principles and what actually happens. OS2 lists 64 suppliers on its website. The reality? Eight. Seven companies plus ITK-Development from Aarhus Municipality. The ratio between listed and actual suppliers is close to 10:1.
Digital Identity alone has nine OS2 products and received critical ratings across nearly all of them. Products where the code on GitHub does not match what is in production. Products with proprietary dependencies. Products with no meaningful documentation. Products where the development process is invisible to anyone outside the vendor.
Magenta calls this "open source washing" - using the open source brand to promote products that do not meet the standards. And they are right. When OS2 puts its stamp on a solution that has no public source code, it undermines every developer and every company that actually invests in doing open source properly.
Why this matters beyond Denmark
This is not just a Danish problem. Governments across Europe are increasingly turning to open source for public sector digitalization. The EU is pushing for digital sovereignty. Open source is positioned as the answer to vendor lock-in, to security through transparency, to cost-effective innovation.
But if the organisations meant to champion open source cannot enforce their own standards, then the label becomes meaningless. And that hurts everyone - the municipalities who think they are getting the benefits of open source, the vendors who actually invest in transparency, and the broader ecosystem that depends on trust.
I wrote about this back in 2024 for the OS2 magazine. The core message has not changed: open source is not just a licence. It is a practice. It is how you develop, how you document, how you release, how you collaborate. Skip any of those steps and you have code with a licence file - not an open source project.
What I think should happen
OS2 needs to enforce its own standards. If a product does not have publicly accessible source code, it should not carry the OS2 label. If the code on GitHub is five versions behind what is in production, that is not open source. If a product depends on proprietary licences, that needs to be disclosed and addressed.
The report provides a clear framework - four categories, measurable criteria, publicly verifiable data. OS2 could adopt something similar as a minimum quality bar.
And for those of us building and maintaining OS2 solutions - the bar should be higher than "not the worst." OS2udoglær needs better changelogs and proper release tags. I know that. The report is right to flag it. Open source is a continuous practice, not a checkbox.
The Drupal connection
OS2udoglær is built on Drupal. So is OS2forms. Both show up among the better-performing products in this report. That is not a coincidence.
The Drupal community has decades of established practices around open source development - contribution guidelines, coding standards, structured release processes, public issue queues, transparent development. When you build a product on Drupal and follow those community practices, you inherit a culture of openness that translates directly into the kind of metrics this report measures.
I have been working with Drupal for over 15 years. Every project I touch carries those practices forward - not because someone mandates it, but because the community taught me that this is how you build software that lasts and that others can actually use.
Here is the thing
Magenta wrote this report because they have been trying to raise these issues internally with OS2 for years and were ignored. You can agree or disagree with their approach of going public. But the data is there, the methodology is transparent, and the findings are verifiable.
The full report is available at magenta.dk. Read it. Check the numbers against GitHub yourself. Form your own conclusions.
Open source in the Danish public sector deserves better than what most of the OS2 ecosystem currently delivers. And the people building the exceptions - at Magenta, at ITK-Development, at Novicell, at Netcompany on OS2kitos - deserve recognition for doing the work properly.
The rest need to step up. Or OS2 needs to stop pretending.
The Magenta report: Open source produktanalyse, maj 2025
Full disclosure: I developed OS2udoglær while employed as Tech Lead - Drupal at Novicell (2022-2025). I currently work as Senior Developer and DevOps Engineer at Eksponent.