U.S. weighs in on open source software security