©2021 VMware, Inc. @geekygirldawn
Navigating Open Source Risk
Open Source Lisbon June 2021

Dr. Dawn M. Foster
Director of OSS Community Strategy
fosterd@vmware.com fastwonderblog.com
Open Source at VMware @vmwopensource
blogs.vmware.com/opensource

Agenda
Why should you care?
Ownership and Governance
Community
Resources
Final Thoughts
Photo by Marco Verch - CC BY 2.0

whoami
• Geek, traveler, reader
• 20+ yr tech career focused on community & open source (Intel, Puppet, Scale Factory, …)
• OpenUK Board, CHAOSS Board and Maintainer, TODO Group Steering
• Kubernetes contributor & CNCF Contributor Strategy SIG
• PhD from the University of Greenwich focus on Linux kernel collaboration
Photos by Mom, Josh Bancroft, Don Park

Why do we care about risk?
Your business could be disrupted
https://xkcd.com/2347/

Ownership & Governance
Photo by K-nekoTR - CC BY-NC-ND 2.0

Business Risk Licensing Example
Server Side Public License* (SSPL)
*Not an Open Source Initiative (OSI) approved open source license!

Business Risk Governance Example
Undermines the project leading to forks and other disruptions

Determining Neutrality for Foundations?
Leadership, trademarks, and projects
Image by Andreas Komodromos CC BY-NC 2.0

Neutral Foundations
Lower risk: participate as equals

Company Originated
Higher risk: single company in control
Photo by Jan Fidler - CC BY 2.0

Governance is about People
Lower risk: Processes for how people collaborate and make decisions
Photo by Allen and Allen - CC BY 2.0

Community
Image by the CNCF CC BY-NC 2.0

Awesome Community
Lower risk: helpful, kind, respectful, and welcoming
Kubernetes CNCF CC BY 4.0

Responsiveness
Lower risk: keeps up with contributions
Image by Joe Penniston CC BY-NC-ND 2.0

Contributor Risk
Lower risk: active contributors and organizational diversity
Image by the CNCF CC BY-NC 2.0

Resources
CNCF Contributor Strategy Tag
https://github.com/cncf/sig-contributor-strategy
https://contribute.cncf.io/maintainers/
Linux Foundation’s TODO Group
https://todogroup.org/guides/
The Open Source Way Guidebook
https://github.com/theopensourceway/guidebook/
Photo by Vicente - CC BY-NC-ND 2.0

Final Thoughts on Risk
Make informed and deliberate decisions about how much risk we should accept and monitor / mitigate those risks.
Photo by Mohanraj Sivanandam - CC BY 2.0

Thank You!
Dr. Dawn M. Foster
fosterd@vmware.com
fastwonderblog.com
Open Source at VMware
blogs.vmware.com/opensource
@vmwopensource
Photo by Thangaraj Kumaravel - CC BY-NC-ND 2.0
