Presented at Open Source 101 2023 - Charlotte
Presented by Paula Paul NearForm
Title: Zen and the Art of Organizational Open Source
Abstract: Open source software and communities can drive meaningful change in organizations. What lessons can we take from open source to drive change in our own organizations? On the surface, most organizations and stakeholders will embrace open source. However, what does it mean to go deep and embrace the true values and goals of open source, but also drive business value in your organization?
This talk presents a case study of creating a new open source project at a large enterprise and explores the successes, challenges, and downright failures along the way. The talk presents the lessons learned and takeaways that we can all apply in our own organizations.
Enterprises and organizations know that they are powered by open source, but it’s not always easy to live open source. Creating a community to support an open source project can have a huge return on investment. Have you ever tried to convince your employer to make a project open source? Then this talk is for you.
Open source runs the world!
Paula Paul
paulapaultweets
Field CTO of DX @NearForm
Board Member OpenJS Foundation
Open Source Day Committee, Grace Hopper Celebration
Many other shenanigans…
At large…
It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.
From: A Summary of Census II: Open Source Software Application Libraries the World Depends On
The World Runs on Open Source
The Open Source Landscape is Evolving (rapidly!)
● Build-vs-Buy becomes Compose-vs-Buy
● Invest in People vs Maintenance fees for COTS or SaaS
● Recruiting/Retention
● Time to Market
● Innovation
● Differentiation
● Strategic Control
● OSS is accelerating; Value is accelerating
● OSS Solutions: viable solutions to replace SaaS & COTS
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
The OSS security landscape has changed rapidly
From OWASP.org: DevSecOps Guideline - v-0.2
Fortunately, automation and tooling have kept up
● Software Bill of Materials (know and audit your dependencies)
○ awesomeSBOM
● Automated dependency updates
○ Dependabot
● FOSS SAST/DAST
○ OWASP Top Ten
○ Bearer
○ Is My Node Vulnerable?
○ Mend.io OSS Tools
○ Snyk Open Source
○ Socket
Please Lint for Secrets!
Start Small: OSPO Working Group
Getting Started
● Identify Executive Sponsor
● Define simple Ways of Working for the OSPO WG / OSS ‘practice’
○ Use GitHub! (like the Linux Foundation)
○ Adopt ADRs! (we can help)
● Identify Strategic OSS Dependencies
○ E.g. Node, React… (start with a small number then expand)
● Identify target versions for Strategic OSS Dependencies, adopt SBOMs
○ Automate SBOMs and conformance checking (e.g. Linting, CLOMon)
● Set goals for OSS Policy, automate metrics and conformance
○ Contribution to projects you consume (employee agreements, CLAs, Legal)
○ Contributing your projects (licensing, hosting, sponsorship, accountability)
○ Time allocated for all employees to learn, participate, and contribute to OSS
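The steps above (identify strategic dependencies, pick target versions, adopt SBOMs, automate conformance checking) can be turned into a single check that runs in CI. The script below is an added example, not code from the talk, from NearForm, or from any of the tools named on the slide; the policy and the CycloneDX SBOM it reads are constructed sample data, and the rules (supported major line, minimum version, declared license, purl present, strategic dependency present) are an illustrative policy.

```python
"""Added example: check a CycloneDX SBOM against an OSPO dependency policy.
Not code from the talk or any NearForm tool; policy and SBOM are constructed."""
import json
import re

# Constructed policy: strategic dependencies, supported major line, minimum version.
POLICY = {
    "react": {"major": 18, "min": "18.2.0"},
    "fastify": {"major": 4, "min": "4.10.0"},
    "node": {"major": 18, "min": "18.0.0"},
}

# Constructed SBOM in CycloneDX JSON layout (components with name, version, purl, licenses).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "react", "version": "18.2.0",
     "purl": "pkg:npm/react@18.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fastify", "version": "3.29.0",
     "purl": "pkg:npm/fastify@3.29.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "internal-utils", "version": "0.1.0"},
]})


def parse_version(text):
    """'v4.10.0-beta.1' -> (4, 10, 0): strip a 'v' prefix and any pre-release tag."""
    core = re.sub(r"^v", "", text).split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def check_sbom(sbom_json, policy):
    """Return (component, rule, detail) findings; an empty list means conformant."""
    findings, seen = [], set()
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name"), comp.get("version", "")
        seen.add(name)
        # Every component must be identifiable (purl) and carry a declared license.
        if "purl" not in comp:
            findings.append((name, "missing-purl", "component has no purl"))
        if not comp.get("licenses"):
            findings.append((name, "missing-license", "no declared license"))
        rule = policy.get(name)
        if rule is None:
            continue
        v = parse_version(version)
        if v[:1] != (rule["major"],):
            findings.append((name, "wrong-major", f"{version} is not on the {rule['major']}.x line"))
        elif v < parse_version(rule["min"]):
            findings.append((name, "below-minimum", f"{version} < {rule['min']}"))
    # A strategic dependency missing from the SBOM is itself a finding:
    # either the generator skipped it or the target is not actually in use.
    for name in policy.keys() - seen:
        findings.append((name, "not-in-sbom", "strategic dependency absent"))
    return findings


if __name__ == "__main__":
    for component, rule, detail in check_sbom(SAMPLE_SBOM, POLICY):
        print(f"{component:15} {rule:15} {detail}")
```

Fail the pipeline when `check_sbom` returns anything, and the policy becomes an enforced conformance gate rather than a document.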
From NodeConf EU 2022: Responsible use of Node.js & OpenSource software at an Enterprise Level, Steve Husak, Capital One
Start Small: OSPO Working Group
Practice, learn, and evolve over time, to:
○ Expand the footprint of technologies under the OSPO
○ Create additional automation and conformance checks
○ Sponsor internal Hackathons and OSS Innovation Labs
○ Own and sponsor public facing OSS assets
■ OSS Projects, NPM Registries, GitHub Organizations
○ Participate in public OSS Working Groups and Hackathons
■ OpenJSF / OpenSSF / FINOS / Green Software Foundation
■ Linux Foundation Public Health
■ Grace Hopper Open Source Day!
○ Build community, contribute to recruiting & retention through OSS
OSS is a Practice!
Balance:
- Safe Consumption (Consume)
- Strategic Contribution (Contribute)
(not just one or the other)
OSS as a Practice
1. Awareness
2. Safe Consumption
3. Strategic Contribution
Repeated Practice & Automation to minimize effort
Lessons from the field
1. Publishing new projects
○ If you build it, they may not come…
○ All this work for such a small package!
2. Contributing to existing projects
○ Avoid dual maintenance (inner/OSS)
○ Ownership and IP
○ Harnessing Community as an extension of your Engineering team
Starting Small
● Pick a small project
○ Solve an issue for your team!
○ Create a better mousetrap :)
● Avoid huge investments of time & $
● Automate OSS best practices
○ Get to know the TODO Group
○ Repolinter - OSS best practices
● Become familiar with CLOMon
● Consider Backstage for Governance
CLOMon, from CNCF - Open Source Health Dashboard
OSS Health - CLOMon, brand as your OSS dashboard
Open Source Innovation is part of the NearForm Identity. It is who we are.
People
● Recruiting: We can leverage open source activities/thought leadership to attract talent.
● Retention: We can give people opportunities to ‘do the fun work’ in open source as part of our Open Source Policy.
● Training and upskilling: The DX team is able to pair with core delivery engineers to upskill and train them on strategic tech and how to engage in Open Source.
Brand and Visibility
● The DX team are technology ‘influencers’ via social media, conference presentations, VLogs, Twitch live coding, and more.
● OSPO tracks strategic OSS projects for visibility and contribution.
● The DX team provides service offerings.
● The DX team incubates new service offerings based on Open Source innovation (e.g. Lyra/Orama).
DX-OSS at NearForm
Open Source Leadership and Innovation
● OSPO and OSS Policy.
● Visible participation in Open Source committees & working groups, with related content.
● Based on input from working groups and from core delivery, produce working code that demonstrates thought leadership and innovation.
● Offer Open Source Program Office and Innovation Lab creation services to clients to ignite innovation and excitement in their technology teams.
OSS at NearForm
We work directly with the Open Source Security Foundation to ensure the security of the JS ecosystem.
We are co-chairing Open Source Day with the Grace Hopper Celebration to promote diversity & inclusion in OSS.
Our DX team includes one member of the Node Technology Steering Committee, and three Node Core Contributors.
We sit on the board of the OpenJS Foundation, and participate as Associate Members of FINOS (Financial Services Open Source).
LF Public Health showcases our work on the COVID App.
We are contributing to the FINOS Accessibility Hackathon to improve end to end accessibility through Open Source.
Bargaining
● Open supply chain
● Devs contribute only to controlled supply chain
● No contributions to public OSS projects
● “InnerSource” vs Open Source
● No OSS Policy
Acceptance
● Developers empowered to use and contribute to OSS
● Adhoc non-optimized community contributions
● Part of OSS ecosystem, but not organized initiative
● Discussions of OSPO & Policy
Enlightenment
● Strategic OSS dependencies known and leveraged for value
● OSS drives innovation, engagement, growth, & retention
● Measuring contributions & ROI
○ Org & community
● OSPO and OSS policy
○ Automated conformance
○ Education on legal aspects
○ Time for contribution
○ OSS Health Dashboard
● Actively participate in OSS foundations/standards groups
Your OSS Practice
● Areas for growth?
○ Awareness?
○ Safe Consumption?
○ Strategic Contribution?
● What are your goals?
○ Reduce COTS/SaaS Cost?
○ Understand OSS alternatives?
● Innovation & differentiation
○ OSS for competitive advantage
○ OSS to differentiate
○ OSS to innovate
Effort vs Value
What are your goals?
- Safe Consumption & Supply Chain?
- Recruiting & Retention?
- Developer Experience? Community?
- Time to Market?
- Reduced COTS & SaaS Cost?
Measure & Automate
Start Small - one exercise at a time
- Awareness
  - OSS as part of onboarding
  - Simple OSS Policy
  - Education, time, metrics
- Safe Consumption
  - Identify critical dependencies
  - Keep dependencies current
  - Supply chain automation
- Strategic Contribution
  - Solve a business need
  - Publish your first project, learn
nearform.com
WE’RE BOLD. WE’RE FLEXIBLE. WE’RE OPEN. WE’RE EMPOWERING.
Major Contributors to the Open Source Web Platform
- Represents modules used globally: 8%
- NPM monthly downloads: 1B
Global Delivery and OSS Innovation
Way too many words, plus this isn’t the typical ‘Enterprise’ talk… although I do hope it becomes the typical enterprise talk ;)
Cody and I co-wrote this material - he delivers it in Europe, I’m in Boston currently …
Cody is a member of my Developer Experience Engineering team at NearForm
This is me -
I’m a ‘Field CTO’ at NearForm - I work with engineers and engineering leaders in the field
I’m also on the board of the OpenJS Foundation (part of the Linux Foundation) and am co-chairing the GHC Open Source Day festivities this year.
I’m an ‘at large’ technologist and troublemaker…
To speak of Zen is to speak of the Yin and Yang of Tao; for technology, the consumption of and contribution to Open Source.
Like any practice (yoga, TaeKwonDo…) the more you practice the more it becomes automatic. For technology that includes automation and tooling that provides continuous feedback on health and growth. We’ll touch on some of that tooling
Fun fact - the term ‘Open Source’ was coined by a woman
https://www.oreilly.com/openbook/freedom/ch11.html
Christine Peterson, in the mid 1990s, at a Linux Kongress event
Although the conference was supposed to focus on Perl, a scripting language created by Unix hacker Larry Wall, O'Reilly assured Raymond that the conference would address other free software technologies. Given the growing commercial interest in Linux and Apache, a popular free software web server, O'Reilly hoped to use the event to publicize the role of free software in creating the entire infrastructure of the Internet. From web-friendly languages such as Perl and Python to back-room programs such as BIND (the Berkeley Internet Naming Daemon), a software tool that lets users replace arcane IP numbers with the easy-to-remember domain-name addresses (e.g., amazon.com), and sendmail, the most popular mail program on the Internet, free software had become an emergent phenomenon. Like a colony of ants creating a beautiful nest one grain of sand at a time, the only thing missing was the communal self-awareness. O'Reilly saw Raymond's speech as a good way to inspire that self-awareness, to drive home the point that free software development didn't start and end with the GNU Project. Programming languages, such as Perl and Python, and Internet software, such as BIND, sendmail, and Apache, demonstrated that free software was already ubiquitous and influential. He also assured Raymond an even warmer reception than the one at Linux Kongress.
O'Reilly was right. "This time, I got the standing ovation before the speech," says Raymond, laughing.
As predicted, the audience was stocked not only with hackers, but with other people interested in the growing power of the free software movement. One contingent included a group from Netscape, the Mountain View, California startup then nearing the end game of its three-year battle with Microsoft for control of the web-browser market.
Intrigued by Raymond's speech and anxious to win back lost market share, Netscape executives took the message back to corporate headquarters. A few months later, in January, 1998, the company announced its plan to publish the source code of its flagship Navigator web browser in the hopes of enlisting hacker support in future development.
When Netscape CEO Jim Barksdale cited Raymond's "Cathedral and the Bazaar" essay as a major influence upon the company's decision, the company instantly elevated Raymond to the level of hacker celebrity. Determined not to squander the opportunity, Raymond traveled west to deliver interviews, advise Netscape executives, and take part in the eventual party celebrating the publication of Netscape Navigator's source code. The code name for Navigator's source code was "Mozilla": a reference both to the program's gargantuan size (30 million lines of code) and to its heritage. Developed as a proprietary offshoot of Mosaic, the web browser created by Marc Andreessen at the University of Illinois, Mozilla was proof, yet again, that when it came to building new programs, most programmers preferred to borrow on older, modifiable programs.
While in California, Raymond also managed to squeeze in a visit to VA Research, a Santa Clara-based company selling workstations with the GNU/Linux operating system preinstalled. Convened by Raymond, the meeting was small. The invite list included VA founder Larry Augustin, a few VA employees, and Christine Peterson, president of the Foresight Institute, a Silicon Valley think tank specializing in nanotechnology.
"The meeting's agenda boiled down to one item: how to take advantage of Netscape's decision so that other companies might follow suit?" Raymond doesn't recall the conversation that took place, but he does remember the first complaint addressed. Despite the best efforts of Stallman and other hackers to remind people that the word "free" in free software stood for freedom and not price, the message still wasn't getting through. Most business executives, upon hearing the term for the first time, interpreted the word as synonymous with "zero cost," tuning out any follow up messages in short order. Until hackers found a way to get past this cognitive dissonance, the free software movement faced an uphill climb, even after Netscape.
Peterson, whose organization had taken an active interest in advancing the free software cause, offered an alternative: open source.
We work with companies who are ‘strangling out’ SaaS and COTS in favor of OSS
Examples:
eCommerce (Commerce Layer)
Enterprise search, catalog search (Orama)
Marketing Automation (Ghost, Strapi Headless CMS)
CRM (vTiger, more)
….
Non-OSS software typically carries 18-20% maintenance fees that go towards opaque features you don't have control over
OSS is 'free' but you can maintain your dependencies more efficiently and contribute to the ecosystem
Metaphor: renting vs buying a house and living in a community with neighbors
Think M$, can’t control what's coming in the next version, patches, fixes
You can count on the community: lots of stars = bigger community, faster fixes
Why now?
You already consume Open Source Software - are you maximizing your value? Would you like to ride the wave of the accelerating value of OSS?
It’s never too late to begin the practice, and you can start small (just like any practice - I’m a TaeKwonDo person myself but also practice Yoga). Baby steps create big benefits.
I’ve worked in a number of organizations who still say they don’t use open source, but unless you put in a LOT of work, you depend on OSS the moment you have a public facing website (which is nearly everyone).
Next, they say it’s too risky, and they have a lot of fear around what it means to work with their existing OSS dependencies.
To manage that fear, sometimes they go overboard on bargaining around Innersource vs. Open Source and heavy policies that create friction… you get the idea here :)
So, we address these mindsets with awareness, then the Yin and Yang of Safe Consumption and Strategic Contribution
Now that we’ve talked about Awareness, let’s get into the Yin and Yang - they go hand in hand and you don’t have to master one before the other. It’s a practice.
All closed source, commercially licensed software
Locked down deps
Open deps, no contribs
Empowering devs, contributing to ecosystem
Strategic and differentiating investment
Reminds me of my days with Microsoft - the 20th anniversary of Slammer passed recently (I was at Microsoft, working with BofA at the time… good times)
Malicious actors will find a way
If OSS runs the world, it’s a great attack surface, but vast
Know your supply chain!
This is a high level threat model for package dependency vulnerabilities
Dependencies are a great entry point
Anyone remember DLL spoofing / DLL hijacking? Don’t be overwhelmed by the concept of Supply Chain attacks. They’ve been with us a long time.
Creation of New Packages and Infecting Existing Packages have well known threats that can all be mitigated
The first step in Safe OSS consumption is supply chain threat modeling and threat mitigation. We’ve done this before :)
New Projects:
If you search on ‘org name’ Open Source you will find that many large companies publish source code (including NearForm!)
If you look at those repositories, the community engagement varies wildly
So, what was the value of publishing in the first place?
No contributions from the community, no developer engagement, no growth
Community engagement and developer experience was low
Do you have a website?
Do you build any internal software?
Mobile application?
Case study
Worked at employer who:
rejected open source
wanted to “own” all source code
Saw source code as core “value” of products (fallacy)
Imagine artifactory or similar tool
"my competitor will use my code without having to pay engineers".
Case Study
Worked at employer who:
Had devops team that put in place artifactory
Had to submit support ticket to get dependencies added
Usually “no problem” - false sense of security
InnerSource: buzzword, no real organized effort
Case Study
Employer who:
Empowered devs to use open source
Didn’t let us contribute back, preferred “private forks”
Client who:
Wasn’t ready to OSS
Said they were OK with InnerSource, but didn’t have upper management buy-in
Lacked trust in devs, did not empower devs to contribute back to “InnerSource”
Case Study
Employer who:
Truly empowered employees to use and contribute back (startup: “just ship it”)
Frustrating when not given time to do it right and contribute back
NearForm for many years:
Embraced and contributed to OSS
Node.js, Fastify, etc…
Not really in an organized manner, client projects and billable hours priority
level 4, is not as strategic as possible. Not same potential to company and ecosystem
Improved cross team collaboration - team empowerment
Not optimized: finding strategic projects that bring value to org
Case Study
NearForm:
Starting to achieve Enlightenment… it’s a choice as to how far you go!
Lyra
OSPO infancy
Not just making a repo public, building a community
Where is yours?
How many of each (show of hands)
Professional services (consulting)
Walk the walk and talk the talk