Thursday, March 26, 2009

In-House Counsel - Managing Open Source

In addition to attending the 2009 Open Source Business Conference in San Francisco, I had the pleasure of participating in a legal panel presentation - Managing the Use of Open Source Software in a Proprietary Environment: Lessons from In-House Counsel. Virginia Tsai Badenhope from the Smithline Jha law firm moderated the panel, which included Joyce Chow from Apple, Angela Ziegenhorn from Symantec, and Duane Valz from Yahoo!. We discussed the building blocks of good open source policies and business strategies.

The companies represented on the panel each had a unique perspective on the issue. Apple's open source policies evolved over time from ad-hoc e-mail requests to a fully automated workflow review process. Yahoo! relied on a number of employees who were active and well respected in the open source community to formulate an appropriate open source policy. The importance of cross-product security and technical reviews for Symantec products led Symantec to create an open source review board to address its open source policy needs. Finally, Sun serves as an example of a company that has made open source a core strategy supported by a robust open source policy, but many details of the policy required significant adaptation after the acquisition of MySQL.

All companies need a strategy for handling open source, including bringing open source components in house, distribution of products as open source, and relationships with the community. The following building blocks are worth considering as a starting point:

  • License Matrix: Analyze and categorize common open source licenses to create a more consistent and efficient review process for inbound and outbound open source.
  • Review/Approval Process and Tracking System: Establish a review process that gathers relevant information and archives approvals including a copy of relevant open source licenses. This process should scale based on need, which could range from a simple spreadsheet to a searchable database coupled with an automated workflow approval tool. Consider whether the review process should also include a separate technical and/or security review of the applicable code.
  • Written Open Source Policy: A written policy aligned with an organization's business strategy and risk tolerance sets a common set of expectations for everyone. These policies are most effective when developed with input from engineers and business owners.
  • Open Source Officer and/or Open Source Review Board: An open source officer is a necessity for any organization that is regularly involved with open source. Also consider whether a cross-functional open source review board is appropriate. Such boards should include business, engineering and legal members. The open source officer or review board often resides in a chief technology office or similar functional group and is responsible for defining high-level strategy and initiatives, and can also be involved in the review/approval process for particular usage of open source.
  • Internal Training and Guidelines in Support of Strategy: Formulate internal training materials and guidelines to maintain consistency in application of strategy. This is particularly important in organizations that decentralize decision-making authority on open source issues rather than centralizing it in a review board or similar body.

When considering what to include in a policy, the following principles might help in prioritizing objectives:

  • Open source policies and processes must continually evolve. Don't assume your policy will serve all your needs indefinitely, and don't be afraid to modify it to address new issues.
  • Setting goals and defining strategy are critical to good open source decision-making. Because open source issues are often ambiguous with no inherently right or wrong position, decisions cannot be made in a vacuum.
  • No matter how many policies, processes and tools are in place, each open source decision requires the application of independent judgment by someone with a functional understanding of open source issues.

I hope this discussion will help clarify thinking and provide some inspiration for finding the right strategy for your organization. Please leave your comments with other ideas that might help in developing an open source policy or business strategy.
