[OSPO Book] Some suggestions for change and/or discussion #504

Merged (2 commits, Dec 18, 2024)
8 changes: 4 additions & 4 deletions ospo-book/content/en/01-chapter.md
@@ -17,7 +17,7 @@
In this book, we will guide organizations through the process of creating and implementing an OSPO. The book provides:

* Practical advice and best practices on how to streamline open source operations
* Recommendations to ensure that organizations can maximize the benefits of open source while being good open source citizens.
* Recommendations to ensure that organizations can maximize the benefits of open source while being good open source citizens and follow related regulations.

The book is structured in a user-friendly and practical manner, with a focus on providing actionable advice and steps that organizations can take to create and implement an OSPO. The book will cover a range of topics, including:
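Review bot: the clause added to the second bullet breaks parallelism and is vague: "while being good open source citizens and follow related regulations" should read "and following related regulations", and "related regulations" names nothing. Either point to where the book discusses those obligations (for example open source licence compliance) or drop the clause.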

@@ -38,7 +38,7 @@

[WHO] OSPOs are composed of people (open source specialists) wearing different hats:

* Open Source Enabler: OSPOs can help organizations navigate the cultural, process, and tool changes required to engage with the open source community effectively. This can involve educating teams/ units, establishing new processes and workflows, and adopting new tools and technologies.
* Open Source Enabler: OSPOs can help organizations navigate the cultural, process, and tool changes required to engage with the open source community effectively. This can involve educating teams/units, establishing new processes and workflows, and adopting new tools and technologies.

* Open Source Counselor: OSPOs can provide guidance and advice on the latest open source trends, licensing issues, and how to engage with open source projects, foundations, and communities. This can help organizations stay up-to-date with the rapidly changing open source landscape and ensure they are making informed decisions.

@@ -80,7 +80,7 @@

Assessing open source adoption is critical because it sets the foundation for successful open source operations. Without proper understanding and adoption of open source, an OSPO may not be effective in achieving the desired outcomes.

* **☑️ Open Source Software (or open works) Usage:** Evaluate the level of open source software usage within your organization. Are there any specific open source projects that are widely used? Are there any projects that are critical to the organization's operations?
* **☑️ Open Source Software Usage:** Evaluate the level of open source software usage within your organization. Are there any specific open source projects that are widely used? Are there any projects that are critical to the organization's operations?

* **☑️ Knowledge and Understanding of Open Source:** Evaluate the level of knowledge and understanding of open source within your organization. Are the different actors that will be or are currently involved in open source familiar with open source licensing models and requirements? Do they understand the benefits and risks of using open source software?
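Review bot: removing "(or open works)" from the Usage heading narrows this checkpoint to software, while the chapter 2 text in this same PR still talks about assessing "software, hardware, data, etc."; if the broader term is being retired, check the rest of the book for remaining uses so the scope stays consistent.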

@@ -94,7 +94,7 @@

* How would you define 'open source'?
* What does 'open source' mean for you and your organization?
* How much open-source software is already being used in the organization?
* How much open source software is already being used in the organization?
* How would you define the 'open source culture' within your organization?
* What are the organization's goals and objectives for using open source?
* How is open source software currently being used (usage) within the organization?
@@ -165,7 +165,7 @@
* [OSPO 101 Module 1 - Open Source Introduction](https://github.com/todogroup/ospo-career-path/tree/main/OSPO-101/module1)
* [OSPO 101 Module 2 - Open Source Business Models](https://github.com/todogroup/ospo-career-path/tree/main/OSPO-101/module2)
* [OSPO 101 Module 3 - Open Source management & your organization](https://github.com/todogroup/ospo-career-path/tree/main/OSPO-101/module3)
* [OSPO easy FAQ - TODO Group and Open Chain Japan, Linux Foundation](https://todogroup.org/resources/guides/open-source-program-office-ospo-easy-faq/)

[GitHub Actions / Review docs: check failure on line 168 of ospo-book/content/en/01-chapter.md, rule "alex.Condescending": Using 'easy' may come across as condescending.]
* [How to create an OSPO - TODO Group, Linux Foundation](https://todogroup.org/resources/guides/how-to-create-an-open-source-program-office/)
* [OSPO Definition - TODO Group, Linux Foundation](https://ospoglossary.todogroup.org/ospo-definition/)
* [The OSPO: A New Tool for Digital Government - Open Forum Europe](https://openforumeurope.org/wp-content/uploads/2022/06/The-OSPO-A-New-Tool-for-Digital-Government-2.pdf)
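Review bot: the "OSPO easy FAQ" link is deleted, apparently to clear the alex.Condescending warning on line 168 that flags the word "easy", which drops a useful reference. Prefer keeping the link with neutral link text, for example "[OSPO FAQ - TODO Group and OpenChain Japan, Linux Foundation](https://todogroup.org/resources/guides/open-source-program-office-ospo-easy-faq/)"; if the linter also matches the URL slug, an alex ignore comment around that line would preserve the reference.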
30 changes: 15 additions & 15 deletions ospo-book/content/en/02-chapter.md
@@ -1,5 +1,5 @@
---
title: "2 - The Value of Open Source Program Offices"
title: "The Value of Open Source Program Offices"
status: Completed
weight: 40
---
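Review bot: dropping the "2 - " prefix from the front-matter title is fine given that weight: 40 already orders the chapter, but check that the other chapters' titles are changed the same way and that no navigation or cross-link depends on the old title text.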
@@ -20,17 +20,17 @@ Organizations of various types – including end-user companies, software vendor

### Supply Chain and Open Source

Sometimes, organizational stakeholders may assume that their product isn't using any open source projects because their end product is proprietary. However, when you look at the [entire software supply chain](https://opensource.com/article/16/12/open-source-software-supply-chain) you can see that your proprietary software contains open source dependencies or artifacts. If the contributors working on those open source projects were to leave, the project could become obsolete or a target for security vulnerabilities. This affects the proprietary software the organization uses or sells, directly impacting its reputation, performance, or revenue.
Sometimes, organizational stakeholders may assume that their product isn't using any open source components because their end product is proprietary. However, when you look at the [entire software supply chain](https://opensource.com/article/16/12/open-source-software-supply-chain) you can see that your proprietary software contains open source dependencies or artifacts. If the contributors working on those open source projects were to leave, the project could become obsolete or a target for security vulnerabilities. This affects the proprietary software the organization uses or sells, directly impacting its reputation, performance, or revenue.

#### Common challenges when managing open source integration

Organizations may encounter issues when managing open source components that are integrated into their technology infrastructure. If these issues are ignored or neglected, they can lead to mid-term and long-term innovation bottlenecks and security vulnerabilities. It’s important to understand the unique factors that make open source different.

- **Vulnerability management can be hard:** Open source projects can be a source of security vulnerabilities in a product that depends upon them. It can be hard to keep track of how open source projects are being used by your organization to perform risk assessments on the identified projects. When you identify key projects within the organization, you can prioritize securing them by tracking common vulnerabilities and exposures. Often, the Enterprise Architecture team are the ones tracking the open source components of applications and technologies, and OSPOs are there to give subject matter expertise.
- **Vulnerability management can be hard:** Open source projects can be a source of security vulnerabilities in a product that depends upon them. It can be hard to keep track of how open source projects are being used by your organization and to perform risk assessments on the identified projects. When you identify key projects within the organization, you can prioritize securing them by tracking common vulnerabilities and exposures. Often, the Enterprise Architecture team are the ones tracking the open source components of applications and technologies, and OSPOs are there to give subject matter expertise.

- **It can take a lot of work to understand the complexity of the open source supply chain:** The open source landscape is large and decentralized, and it can be hard to identify who the contributors to individual projects are and to perform risk assessments on the identified projects. These factors can make it challenging for organizations to accurately assess risks and to comprehend the security and quality standards of the software, hardware, data, etc.

- **There can be a tension between the need to ship product features and the need to contribute back to open source:** Commercial organizations that are using open source are often keen to contribute back to the projects they use. However, the pressure to ship features in their own products mean that open source contributions may take a back seat when things get busy.
- **There can be a tension between the need to ship product features and the need to contribute back to open source:** Commercial organizations that are using open source are often keen to contribute back to the projects they use. However, the pressure to ship features in their own products mean that open source contributions may take a back seat when things get busy. Even it is known that contributing features and bugfixes to upstream is less effort on long term than to maintain a fork of the project oprganisations often optimize for short term benefits and do not spend the extra effort to upstream the changes.

- **It takes time and planning to collaborate effectively with the community and industry:** Your organization could be in a good position to provide resources to open source projects. That could be through coding, expertise, or money donations as incentives for fixing common vulnerabilities ([see Log4Shell real vulnerability example](https://en.wikipedia.org/wiki/Log4Shell)). It could also be productive to collaborate with industry working groups to address security concerns holistically. Making a plan that aligns with your organization strategy and provides value to the open source projects is a good way to be a helpful community member.
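Review bot: the sentence appended to the "tension" bullet has typos and grammar problems ("Even it is known", "oprganisations", "on long term"); suggested wording: "Even though upstreaming features and bug fixes is known to be less effort in the long term than maintaining a fork, organizations often optimize for short-term benefits and do not spend the extra effort to upstream their changes." It is also worth saying that a private fork has to pick up upstream security fixes by hand, which ties this bullet back to the vulnerability-management point above.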

@@ -61,13 +61,13 @@ _[Source: OSPOs, key lever for open source sustainability](https://speakerdeck.c

### Reasons and Value of Investing in a Resilient OSPO

In a world governed by software, open source projects offer solutions to the mission-critical problems organizations wish to address, whether social-economic (governments, NGOs) or technological (companies). Integrating open source into an organization's infrastructure and operations encompasses various objectives, such as risk management, innovation, and the sustainability of the open source communities they rely on. To achieve effective integration, organizations need the right staff to operate and the necessary talent to manage such operations. This is where the mission of an OSPO (Open Source Program Office) comes into play. Go to “tips on how to get started with an OSPO” sub-section to see some practical advice on when starting to staff an OSPO.
In a world governed by software, open source projects offer solutions to the mission-critical problems organizations wish to address, whether social-economic (governments, NGOs) or technological (companies). Integrating open source into an organization's infrastructure and operations encompasses various objectives, such as risk management, innovation, and the sustainability of the open source communities they rely on. To achieve effective integration, organizations need the right staff to operate and the necessary talent to manage such operations. This is where the mission of an OSPO comes into play. Go to “[tips on how to get started with an OSPO](#tips-on-how-to-get-started-with-an-ospo)” sub-section to see some practical advice on when starting to staff an OSPO.

On the other hand, stopping the work of an OSPO could have significant negative impacts on those organizations that use open source (directly or indirectly) at any level, including loss of open source expertise, increased security and legal risks, reduced community engagement, and damage to reputation.

> 💡 _Open Source is a silent critical need_

An OSPO needs to be an ongoing initiative within an organization in order to evolve its culture and open source knowledge, helping the organization to contribute to and build more secure open-source software, as well as improving the sustainability of open-source projects.
An OSPO needs to be an ongoing initiative within an organization in order to evolve its culture and open source knowledge, helping the organization to contribute to and build more secure open source software, as well as improving the sustainability of open source projects.

The different roles and pillars of support of an OSPO shared below can help readers understand why it should be viewed as a critical area to maintain and nurture within an organization, rather than just a pet project with an expiration date.
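Review bot: removing the "(Open Source Program Office)" expansion assumes the acronym is expanded earlier in this chapter; confirm it is. Also confirm that the new anchor #tips-on-how-to-get-started-with-an-ospo matches the id the site generator produces for that sub-section heading (punctuation in the heading changes the slug); a wrong in-page link fails silently.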

@@ -90,15 +90,12 @@ The [business value of the OSPO report](https://www.linuxfoundation.org/research

- Building standardized processes around open source
- Learning how to approach the open source community
- Embracing the Sustainability of open source Projects
- Embracing the Sustainability of open source projects
- Managing compliance
- Expanding access to open knowledge
- Improving development velocity
- Mitigating security risks




### Interlude

#### A perspective of open source in public administrations
@@ -138,7 +135,7 @@ Organizations may underestimate how much they already depend on the usage (also
Assess this value for your own organization by taking steps such as:

- Collect information about open source software used by your development and operations teams
- Get clarity about composition of commercial software you buy or services you use, ask vendors for what open source software they use, e.g. by requesting Software Bill of Materials (SBOMs)
- Get clarity about the software composition of commercial software you buy or services you use, ask vendors for what open source software they use, e.g. by requesting Software Bill of Materials (SBOMs)
- Assess value by evaluating what costs would occur by using alternative proprietary solutions and components
- Take factors such as speed of innovation or engineering agility into account
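Review bot: "the software composition of commercial software" in the second bullet is redundant, and "ask vendors for what open source software they use" is ungrammatical; suggested: "Get clarity about the composition of the commercial software you buy or services you use: ask vendors which open source software they use, e.g. by requesting a Software Bill of Materials (SBOM)".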

@@ -164,17 +161,20 @@ There is a wide variety of open source maturity models –for governments, NGOs,
* Participation - Engagement with open source communities
* Contribution - Pragmatic contributions to open source projects
* Leadership - Strategic involvement with open source to drive business value
* Participation - Engagement with open source communities
* Contribution - Pragmatic contributions to open source projects
* Leadership - Strategic involvement with open source to drive business value

![opensourceinvolvementmodel](https://user-images.githubusercontent.com/43671777/232468143-cde69525-7adb-4399-96d3-fa63f056b942.png)

#### Maturity Model 2 - Five stages or corporate open source adoption talk by [Carl-Eric](https://web.archive.org/web/20240419100823/https://debricked.com/blog/what-is-open-source-maturity-model/)

* Accidental - open source is used by the organisation without knowing that it is used
* Repetitive - there are processes set up for both consumption and contribution, but contributions are sporadic
* Directed - active participation incritical open source projects
* Collaborate - open source collaboration is used as a tool to create business value
* Prevail - open source is used to influence strategic areas of the business and technology

![osmm-carl](https://github.com/user-attachments/assets/4a382434-878c-4c22-a2cd-d10292129370)

## How do you identify and categorize the benefits of open source activities for your organization?
## How do you identify and categorize the benefits of open source activities for your organization?

Once you have a certain familiarity with open source adoption models, the next natural question to ask is _What are the benefits of open source activities for the organization?_
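Review bot: the new Maturity Model 2 block has a wrong preposition and a typo: "Five stages or corporate open source adoption" should be "Five stages of corporate open source adoption", and "incritical" should be "in critical"; "organisation" in the Accidental bullet should match the "organization" spelling used elsewhere in the book. Removing the duplicated Participation/Contribution/Leadership bullets is correct. The two identical "How do you identify" heading lines at the end of the hunk look like a whitespace-only change; fine to keep, but worth a mention in the commit message.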
