Establishing an
Open Source
Program Office
LEE CALCOTE
Layer5, Founder
TIM TYLER
MetLife, Principal Engineer
“There isn’t a one size fits all model. I can’t stand up in front of a crowd and say, ’this is how you should do it,‘”
– Jeff McAffer, director of Open Source Programs Office at Microsoft.
And neither am I. This is how you "might" do it.
The Philadelphia Open Source Conference aims to connect open source developers, leaders, technologists, and community leaders to collaborate on the latest in open source innovation . It’s an environment for cross-collaboration between developers, operators, architects, leaders and others who are driving the technology forward .
That's great.
But, why?
all major areas of software innovation are happening in open source
™
Awareness
Development velocity
Compliance
Influence
Those without an OSPO want to attract talent.
Those with an existing OSPO already have talent.
a well-rounded open source strategy incorporates these 5 C's
...include not only consuming open source software and complying with licensing, but also participating in community , giving and receiving contributions as well as actively assuaging the competitive nature of popular projects.
Calcote's 5 C's
to open source strategy...
From bottom to top
Today's software products average 60% to 80% open source in their code.
All of these reasons add up to a competitive advantage for organizations for using OSS.
Faster - speed up the delivery of software solutions.
Shared cost - less expensive than commercial software and in-house development.
Flexibility - with source code in-hand, you can make needed modifications and licensing flexibility can allow changes to the code and deployment strategies without impediment.
Innovation - often the leading edge of development comes from open source communities.
Influence - within a project; across related projects.
Talent - both attraction and retention.
Why should I comply with licenses?
Ensure license requirements are upheld.
Shipped products and delivered services have secure components and approved open source licenses.
Vulnerabilities are tracked and remediations incorporated.
Attribution within code.
Redistribution of code.
Empower engineering teams to self-service as much as possible.
Acknowledge on-prem and SaaS has different needs.
Hold each to same rigor and process, augmenting tooling as needed.
Account for multi-source development model.
Enable and streamline continuous execution.
2 C's deep. Quit here?
Is this step necessary for your organization?
How do I give and receive?
Need to:
Delineate what is and isn't IP.
Consider a license agreement.
Contribution License Agreement (CLA)
Developer Certificate of Origin (DCO)
Provide contribution guidelines.
Define project governance.
Formulate and communicate - your end-user and developer community support strategies and guidelines.
Anyone in your company who wants to start or participate in an existing project should understand what a well-run community looks like.
Support, governance, velocity are all measures used to decide whether to use open source software.
Deeper
Broader
Integrations
Ingestion
Interoperability
Displace or integrate?
the center of the universe for a company’s open source operations and structure
Engineering
Legal
Program Management
(Operations)
Corp Dev
Talent Acquisition
Marketing
IT
Documentation
Procurement
How centric to your business is OSS?
Open Source Executive Committee
Review and approve proposals to release IP / proprietary source code under OSS license.
Review and approve proposals to use non-approved license types.
Open Source Program Office (Review Board)
Drive all activities surrounding the 5'Cs.
Provide guidance on open source questions coming from company staff and engineers.
Develop community involvement policy, process, procedures, and guidelines.
Coordinate source code scans, audits and distribution of source code packages.
Contribute to compliance and OS training.
Contribute to creation of new tools to facilitate automation, discovery of OS in dev environment.
Host and maintain the company’s open source websites.
Engineering Operations
Review requests for the use, modification, and distribution of open source.
Handle compliance inquiries.
Maintain records of compliance for any given open source software component are up to date.
Review end-user documentation to ensure that appropriate copyright, attribution, and license notices are given to consumers.
Perform audits all software included in a product, which involves the following tasks:
Run a source code scanning tool over the software base and analyze results.
Address all flagged licensing conflicts flagged by the scanning tool.
Oversee the closure of all issues identified by scanning tools.
Create a final audit report and ensure that all identified issues have been closed.
Legal
Provide guidance on licensing.
Contribute to and approve training.
Review and approve list of obligations to fulfill.
Review and approve open source notices.
Engineering & Product Teams
Follow compliance policies and processes.
Integrate compliance practices in dev process.
Conduct design, architecture, and code reviews.
Prepare software packages for distribution.
IT & Supply Chain
Mandate third party software providers to disclose open source in licensed or purchased software components.
Assist w/ingress of third party software (commercial and open source software).
Support and maintenance for tools infrastructure used by the compliance program.
Create and/or acquire new tools based on OSPO requests.
Documentation & Localization
Include open source license information and notices in the product documentation.
Translate basic information in target languages about open source information related to the product or software stack.
Corporate Development
Request open source compliance be completed before a merger or acquisition.
Request open source compliance be completed when receiving source code from outsourced development centers or third-party software vendors.
Without the
right
legal counsel
, an open source program office can end up placing undue risk on company management. Legal can also stifle innovation, so strike the right balance.
Align with product management . If your open source program office is not helping your product strategy, then it's not reaching its full potential.
Two points of ingest
74% of an OSPO's role
Request approval before using.
Initial and on-going scans of existing code bases.
inspired by Ibrahim Haddad
Measuring and monitoring success.
For your code and third-party code
Security
Compliance
Contribution
Hire a believer; a champion
Open source pragmatists are everywhere, but your innovative, forward-thinking, ambitious open source advocate is an extremely valuable rarity.
Hire them to run your open source programs if you want to make a difference.
Open source programs tend to start informally as a working group or a few key open source developers and then evolve into formal programs over time...
...typically within a company’s software engineering or development department (about 41% of programs).
Strategy planning
Defining policies
Executive support
Open source software is more than free software
Most don't understand many of the motivations for participants, nor do they understand the nuanced differences in licensing models, various types of productization and business models, or how proprietary and open source software can be used in conjunction to create a better product line.
Most tech company executives are far-removed from open source communities.
70%
of those without a program believe -
creating an OSPO would have a positive impact in their company, despite any barriers to creating it.
Teething is painful
Supporting Groups:
many thanks to these open stewards
OSPO Case Studies:
clouds, containers, functions,
applications and their management
Husband, Proud Dad, Technologist, SCUBA Diver, Foodie, Corgi human, #DockerCaptain
Checkout the Open Source Summit!