[OSPO Book]: Adding notes from KubeCon EU 2024 OSPO BoF #461

Merged
merged 1 commit into from
Apr 11, 2024
6 changes: 3 additions & 3 deletions ospo-book/content/en/03-chapter.md
Expand Up @@ -144,9 +144,9 @@ It helps identify the specific areas where they need to concentrate their effort
#### Stage 2

- [ ] Lay out best practices in interacting with OSS projects such as how to request features, file bug reports, and contribute basic code.
- [ ] Communicate to workers, policimakers and other open source stakeholders the importance of contributing to and not merely consuming (also called usage) to open source (including advocating for and driving event sponsorships, booking
project leads and maintainers as speakers or panelists in public coding forums, and securing organizational resources to mission-critical OSS projects).
- [ ] Incentivize developers and non-developers (lawyers, project managers, etc) to participate on open source projects critical to their operations (contirbuting code, field expertise, etc), to the degree that workers become highly active contributors.
- [ ] Communicate to workers, policimakers and other open source stakeholders the importance of contributing to and not merely consuming (also called usage) to open source (including advocating for and driving event sponsorships, booking project leads and maintainers as speakers or panelists in public coding forums, and securing organizational resources to mission-critical OSS projects).
- [ ] Incentivize developers and non-developers (lawyers, project managers, etc) to participate on open source projects critical to their operations (contirbuting code, field expertise, etc), to the degree that workers become highly active contributors.
- [ ] Contributions are focused to a narrow buiness critical set of functionalities in open source projects, and they are sponsored by the organisation (contributions are not a hobby project of individual employees)


#### Stage 3
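Review bot: the reflowed bullets in this hunk carry over three misspellings that should be fixed while these lines are being touched: "policimakers" (policymakers) and "contirbuting" (contributing) in the rewrapped bullets, and "buiness" (business) in the bullet that follows them. The phrase "contributing to and not merely consuming (also called usage) to open source" also reads awkwardly; "contributing to open source rather than merely consuming (using) it" would be clearer. "organisation" in the last bullet is inconsistent with "organizational" used two lines above.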
39 changes: 29 additions & 10 deletions ospo-book/content/en/04-chapter.md
Expand Up @@ -12,30 +12,44 @@

# Introduction

Understanding the day-to-day activities of those managing open source operations within an organization is crucial for several reasons. First and foremost, it sheds light on the fundamental tasks that an OSPO must focus on to ensure the organization's

Check failure on line 15 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "proselint.Cliches"): 'First and foremost' is a cliche.
technology strategy and aefforts aligns with open source best practices. This knowledge helps to streamline engineering processes and maintain compliance with open source licenses and security measures.

Check failure on line 16 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "Vale.Spelling"): Did you really mean 'aefforts'?

OSPO day-to-day operations encompass a broad spectrum of activities aimed at enhancing open source engagement and compliance within the organization, including providing personalized technical support on licensing and software selection, leveraging automation tools for process efficiency and security,
developing and disseminating educational materials, strategically allocating resources, managing risks through comprehensive assessments of the tech stack, sponsoring and engaging with open source communities and foundations, measuring technical debt in projects, and facilitating coordination
across various organizational divisions to align both technical and non-technical objectives.

- **Personalized Technical Support:** Involves answering questions on all aspects of open source, including license compliance, selecting open source software, and interactions with vendors. It also includes engaging with the community and partners, securing sponsorships, and organizing open source events.
- **Personalized Technical Support:** Involves answering questions on all aspects of open source, including license
compliance, selecting open source software, and interactions with vendors. It also includes engaging with the
community and partners, securing sponsorships, and organizing open source events.

- **Automation tools:** Efficiency in process automation is key because policies alone may not always be effective as they are not always followed. Managers are usually seeking effective options for automation tooling,
including for security automation and reporting, such as the integration of scorecards.
- **Automation tools:** Efficiency in process automation is key because policies alone may not always be effective as
they are not always followed. Managers are usually seeking effective options for automation tooling, including for
security automation and reporting, such as the integration of scorecards.

- **Documentation, Training, and Education:** Crucial to ensure that individuals are qualified to assess projects. Developing training materials and documentation and aiding teams to produce these across different departments are key tasks.
- **Documentation, Training, and Education:** Crucial to ensure that individuals are qualified to assess projects.
Developing training materials and documentation and aiding teams to produce these across different departments are key
tasks.

- **Resource Allocation:** Requires a strategic approach to prioritize effectively.

- **Risk Management:** Involves assessing the risks the organization faces. Obtaining a comprehensive view of the organization's tech stack, such as generating SBOMs, and considering software from vendors, legacy software, and proprietary software is crucial. This is more about a business assessment perspective rather than just data gathering. Decisions need to be made on whether to optimize SBOMs or to allocate time to other areas.
- **Risk Management:** Involves assessing the risks the organization faces. Obtaining a comprehensive view of the
organization's tech stack, such as generating SBOMs, and considering software from vendors, legacy software, and
proprietary software is crucial. This is more about a business assessment perspective rather than just data gathering.
Decisions need to be made on whether to optimize SBOMs or to allocate time to other areas.

- **Sponsoring Open Source Communities and Foundations:** Providing insights into the dynamics and complexities of open source governance and models is part of this.
- **Sponsoring Open Source Communities and Foundations:** Providing insights into the dynamics and complexities of open
source governance and models is part of this.

- **Measuring Technical Debt:** In open source projects requires understanding maturity and governance models.

- **Coordinate with Various Parts of the Organization:** Map interactions with teams based on the OSPO flower diagram, distinguishing between technical questions (engineering) and non-technical questions (business, design team).
- **Coordinate with Various Parts of the Organization:** Map interactions with teams based on the OSPO flower diagram,
distinguishing between technical questions (engineering) and non-technical questions (business, design team).

- **Advise on open source consumpiton** define a set of advices about how the company should select what open source is

Check failure on line 49 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "Vale.Spelling"): Did you really mean 'consumpiton'?
consumed and how the consumption is made. Advices can be purely technical or considerations based on open source
project health and practices, like the
[Secure Supply Chain Consumption Framework (S2C2F)](https://github.com/ossf/s2c2f/blob/main/specification/Secure_Supply_Chain_Consumption_Framework_(S2C2F).pdf).

## Assessing Daily Operations

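Review bot: the CI annotations on this hunk point at real defects that should be corrected before merge: "aefforts" should be "efforts", and with the plural subject the clause should read "technology strategy and efforts align"; "consumpiton" should be "consumption". The new "Advise on open source consumpiton" bullet also breaks the list's formatting convention, which bolds the label and ends it with a colon (e.g. "**Advise on open source consumption:** Define a set of ..."), and "advices" is not standard English; "advice" or "recommendations" fits better. The "First and foremost" cliche flagged by proselint sits in this hunk's introductory paragraph and fails the Review docs job, so either reword it or suppress that rule for the file.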
Expand All @@ -48,7 +62,7 @@
| **Automation in Security** | Enable tools and best practices for integrating security measures, such as scorecards, into daily operations. | Automation in security practices and vulnerabilities exploration in open source projects allows effective risk management. | Explore automation tools that assist developers to self-assess security risk on specific projects, without burdening them with lengthy approval processes. | Explore automation tools that assist developers to self-assess security risk on projects they would like to contribute as employees, without burdening them with lengthy approval processes. | OSFF Scorecard [https://github.com/marketplace/actions/openssf-scorecard-monitor](https://github.com/marketplace/actions/openssf-scorecard-monitor) |
| **Measuring Performance** | Inform strategic adjustments and operational enhancements. | Measuring performance facilitates transparent assessment of the OSPO's effectiveness. | TBD (ping CHAOSS OSPO metrics WG to give input on this). | N/A | N/A |
| **Strategy and its Impact** | A unified strategy influences daily operations. | Guiding decisions on contributions to open source projects, engagement with community initiatives, and the balancing of organization and community benefits. | Enable decision makers understand the critical importance of supporting open source projects (and its community) and foundations, and the different ways to offer support. | Frameworks that support strategic planning and execution. | N/A |
| **Personalized Support / Q&A Sessions**| Actively involve employees and managers in open source activity engagement. | Increase and improve open source knowledge and expertise across the organization's teams. | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors. | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors. | Internal developer portals / Issue tracker systems / Chatbots / webinars / AMA sessions / IRC |

Check failure on line 65 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "Vale.Spelling"): Did you really mean 'Chatbots'?
| **Advocacy and Education** | Advocating for the importance of education in open source and creating resources to support it. | Ensure that people are qualified to judge a project (governance models, maturity, etc) and measure the technical debt on an open source project. | Build training and documentation, and assist teams in creating these materials across different teams. | Providing knowledge on how to measure the technical debt on an open source project, including maturity models and governance models, is a form of educational advocacy to help projects improve and sustain. | External open source training and certification courses, customized training courses adapted to the organization's goals. |
| **Community Integration** | Integrate organization's activities effectively with the open source projects and foundations (financial as well as resource support) as well as community dynamics. Map interactions with technical (engineering) versus non-technical teams (business, design team). | Allocate effective financial and resource support to critical open source projects that organization's employees use/engages. | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. | N/A |
| **Business Assessment on Risk Management** | Assess risks that the organization is facing, including an overview of the tech stack. | Assistance in evaluating which open source projects to use and how to prioritize resources effectively. | E.g., business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial (dealing with vendor-supplied software, legacy software, proprietary software). | E.g., business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial (dealing with vendor-supplied software, legacy software, proprietary software). | N/A |
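Review bot: in the Automation in Security row, the tool name "OSFF Scorecard" does not match the linked action (openssf-scorecard-monitor); it should read "OpenSSF Scorecard". The Strategy row is missing "to" in "Enable decision makers understand", and the Community Integration row has "use/engages", which should be "use or engage with". The Vale spelling failure on "Chatbots" in the Personalized Support row is a dictionary gap rather than a typo; either write "chat bots" or add the term to the project's Vale accept list so the Review docs job passes.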
Expand All @@ -56,10 +70,15 @@

## Recommendations (TBD)

### Scenario #11
- Scope:
### The OSPO should have secured resources for strategic contributions

- Recommendation:
- Scope: If the company has strategic targets related to open source, its OSPO should be capable to control resources to
drive the execution of the strategy.

- Recommendation: To ensure the continuity of contributions needed for the strategy execution the OSPO should either:
- Have a set of dedicated open source developers
- Have a budget for company internal development resources asigned to startegic OSPO tasks

Check failure on line 80 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "Vale.Spelling"): Did you really mean 'asigned'?
Check failure on line 80 in ospo-book/content/en/04-chapter.md (GitHub Actions / Review docs, "Vale.Spelling"): Did you really mean 'startegic'?
- Have a budget to hire external developers to work on the startegic OSPO tasks

### Scenario #12

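Review bot: the new recommendation list has the misspellings flagged by CI, "asigned" (assigned) and "startegic" (strategic); "startegic" appears in two bullets, so both lines need the fix, not only the one the annotation points at. "capable to control resources" should be "capable of controlling resources", and "To ensure the continuity of contributions needed for the strategy execution the OSPO should either:" needs a comma after "execution". Since three options follow, "one of the following" reads better than "either". The section heading still reads "Recommendations (TBD)"; if this scenario is now a finished recommendation, consider dropping the TBD.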