At the biweekly FINOS Open Source Readiness meetings, we typically feature guest presentations by leading lights in the world of corporate open source management. But this week, we had a break between presentations and took the opportunity to check in with participants on the progress of their open source programs and the challenges on the tops of their minds. It was a great discussion, featuring participants from the financial services, insurance, and software industries.
This post summarizes some of the topics that came up, as well as some great resources mentioned by participants. Our biweekly meetings are open to all, so please consider joining a future meeting! A list of upcoming guest presentations is at the end of this post.
InnerSource
Several participants are actively developing InnerSource programs at their firms. For those who are unfamiliar, InnerSource refers to the application of open source principles and development practices to internal development. It can help to encourage collaboration between teams and business units, as well as a learn-by-doing approach to training developers on open source workflows. InnerSource Commons provides some great resources for understanding and implementing InnerSource practices.
To encourage InnerSource participation, participants have:
We also discussed steps that companies have taken to ensure that InnerSource resources are used in compliance with corporate policies. For example, some firms prohibit direct consumption of InnerSource projects by software teams, requiring that releases be onboarded through their usual package-management processes.
Internal developer outreach
Another key focus has been encouraging developers to begin contributing back to the open source projects their work depends on. One firm has begun holding "Open Source Friday" events, following the model proposed by GitHub, to give developers dedicated time each week to focus on contributions. Too often, developers feel too pressed for time to take the extra step of contributing their open source modifications back to upstream projects. By setting aside time for this activity every week (and recognizing open source contribution as valuable work), companies can encourage contributions and reap several distinct benefits:
Participants also shared initiatives for rewarding developers for open source contributions. One FINOS member is planning a two-day internal open source hackathon for developers who have made open source contributions during the prior year, complete with pizza and beer. Another firm maintains an open source contributor fund—developers who contribute to open source projects get to decide which projects and foundations the firm donates to.
And another member pointed out that Tidelift provides an alternative model for companies wishing to fund the open source projects they depend upon. Tidelift uses client subscriptions to both fund development by project maintainers, and to hire its own developers to ensure components used by its clients are secure, compliant, and up-to-date.
OSPO development
Nearly everyone mentioned efforts to build out their internal open source program offices (OSPOs) and increase available resources. One company just approved its first three full-time OSPO staff members. Another found that an uphill battle to for OSPO buy-in and funding became easier when the company was compelled to purchase a commercial license for a dual-licensed component that it realized (too late) it could not use in compliance with the open source license.
Compliance
Finally, participants traded notes on compliance tooling, including how they are supplementing vendor tools and internal tooling with information from other sources. One mentioned ClearlyDefined, an open data project started by Microsoft and hosted by the Open Source Initiative, which tracks key metadata about open source packages. ClearlyDefined identifies the correct license, definitive source code location, and security vulnerability information for the packages it tracks, down to the specific version of the software.
Likewise, FINOS's own Open Source License Compliance Handbook is an open source project to provide practical compliance information about common open source licenses. It's designed to help compliance engineers to cut through the legalese of open source licenses and identify the specific compliance requirements applicable to their use case.
Future meetings
The Open Source Readiness project meets every other Wednesday at 10:00 US/Eastern time. You can find details about upcoming meetings on the FINOS Programs Calendar. Upcoming guest presentations include:
Interested in this FINOS open source project, or any of our other projects? Click the link below to see how to get involved in the FINOS Community.