OW2, profile picture
Uploaded byOW2
37 views

Open source contribution policies, OW2online, June 2020

This document discusses open source contribution policies and provides suggestions for creating a policy that doesn't "suck". It notes that not having a written policy doesn't mean having no policy, and that having a policy doesn't guarantee it isn't restrictive or bureaucratic. An effective policy is permissive, explicit, informative, and frictionless from an engineering perspective, while also minimizing legal risks, ensuring consistent application, and aligning with business goals. The tension between legal risk avoidance and engineering velocity must be acknowledged and a balance found. Contributing both within and outside of work is addressed.

Technology
Related topics:
Open Source Software

Embed presentation

Download to read offline
Tobie Langel, Principal, UnlockOpen tobie@unlockopen.com Open source contribution policies that don’t suck!
Do you have an open source policy? No 48% Don't know 13% Yes 39% < 250 employees 61% 11% 28% > 10,000 employees 25% 10% 65% Source: The New Stack & Linux Foundation/TODO Group 2018 Open Source Program Management Survey (https://github.com/todogroup/survey) Remember this is a biased sample!
What does not having a policy mean? Contrary to popular belief, it does not mean that you don’t have an open source policy at all. It means that you don’t have a written one. You have a policy, whether it is written down or not. It could range from “no open source at all” to “anything goes.”  —Heather J. Meeker, Open Source Licensing Specialist, author of Open Source for Business.
What does having a policy mean? Think you’re in the right camp because you have an open source contribution policy? Think again! • You can have a very restrictive open source policy. • You can have a very bureaucratic process to obtain approval. • You can have a very opaque process to obtain approval. None of these are fun!
PermissiveRestrictive Implicit Explicit Startups SMEs Non-tech enterprise Old tech company Trend setters Tech companies
What is a policy that doesn’t suck? Engineering perspective Legal perspective Business perspective
What is a policy that doesn’t suck? Permissive. Allows open source contribution to be an integral part of the company’s engineering culture and best practices. Based on trust and autonomy. Explicit. The decision making process is well documented and transparent. Informative. The policy explains the why an helps educate engineers. Frictionless. Avoid bureaucracy, red tape, lengthly back and forth with legal, etc. Engineering perspective
What is a policy that doesn’t suck? Minimizes risk. Avoid: • giving away competitive advantage, • giving away IP that can be used defensively (or—shudders —offensively), • reputational damages and accidental infringements. Consistently followed across the company. Keep contribution under your radar. Avoid compliance issues. Savvy about written information. Sometimes you want a paper-trail (e.g. compliance), sometimes you don’t. Doesn’t drown critical problems in a sea of menial issues. Legal perspective* * IANAL (I am not a lawyer). Please talk to me if you are and want to help me improve this slide.
What is a policy that doesn’t suck? Engineering to be happy and productive. Risks minimized and well understood. Good communication between legal and engineering. Alignment with Business goals. Business perspective
At the heart is a tension Legal wants to minimize risk. Prefers oral communication. Manager’s schedule. Favors spectrum thinking. Conservative role. Engineering wants to maximize velocity. Prefers written communication. Maker’s schedule. Favors binary thinking. Innovative role.
Coming to agreement Acknowledge that this tension is normal. It’s just checks and balances. Listen to both sides. Remind them that their role is to help achieve common business goals. • Legal’s role is to minimize risk, but not at the expense of innovation. • Engineering’s needs can’t be fulfilled at the expense of the company’s survival. Find common ground. A good policy will improve the life of both sides. Align your open source activity with your business goals. If you are a patent troll, then don’t do open source. Accept that your open source policy will change with your business.
Contributing open source What is a policy really about? Using open source
Well understood problem, essentially: • Using software with licenses that are compatible with your current and future business model. • Compliance. Using open source Tip: a common issue is missing licenses. Equip engineering with a process (and issue or pull request templates) to request proper OSI-approved licenses.
Contributing open source
Contributing at work Contributing outside of work
Can employees contribute to open source on their free time? • Yes, without asking for permission. • Yes, but must ask for permission. So that sometimes means “no”, right? • I don’t know. • Nope. Contributing outside of work
Other 4% Don't know 37% Must ask 12% Yes! 47% “How does your employer's IP agreement/policy affect your free- time contributions to open source unrelated to your work?” “Respondents were sampled randomly from traffic and qualifying activity to licensed open source repositories on GitHub.com and invited to complete the survey through a dialog box. A smaller sample was recruited from open source communities sourced outside of GitHub, […]” Contributing outside of work Source: GitHub 2017 open source survey (http://opensourcesurvey.org/2017/). But again… this is a highly biased sample.
Contributing outside of work Why so much confusion? • Depends on the jurisdiction, but not uncommon, especially in the USA, for companies to own employees’ production 24/7. • Sometimes, extra criteria apply. For example, in California, IP developed with company equipment—even outside of work— belongs to the employer. • This prevents employees from contributing to open source, unless they ask for, and are granted permission to do so.
Contributing outside of work The common solution: ask for permission • Most companies have a process for this. • Tends to focus on releasing open source or working on a limited set of pre-approved projects. • Breaks down when there’s a high number of dependencies (such as for Node.js projects).
Contributing outside of work The better solution: BEIPA • Balanced Employee IP Agreement • https://github.com/github/balanced-employee-ip-agreement • Project created by GitHub, based on its own IP agreement. • BEIPA only claims control of creations made for or relating to the company's business.
Contributing at work
Patching Releasing
Releasing open source at work • Distinguish large open source projects you want to promote from smaller "day to day” modules. (E.g. Google’s < 100 LoC rule.) • Offer well oiled and well documented processes, checklists, templates, and tooling (see: https://github.com/todogroup/policies). • Offer help. • Promote working in the open rather than releasing software once it’s done. (Consider README-driven development to avoid scope creep.)
Patching open source at work • By far the most common activity and the most important one. • The experience must be as frictionless as possible for engineers. • Surface the process by which decisions are made and trust engineers to do the right thing. This let’s legal focus on the difficult cases. • Cache decisions (build approve- and deny- lists) so that the process gets faster as time goes by.
Outside of work Patching Using open source Releasing At work Contributing open source
Turn your policy into an app! • Automatically approve requests that meet pre-established requirements (e.g. patch an MIT-licensed open source project on GitHub). • Automatically reject requests that don’t meet your criteria (but allow motivated appeals). • Manually handle other requests and cache the decision so more gets automated over time.
Using such a system, Adobe was able to shorten it’s review time from 4.6 days to 4.6 hours. Turn your policy into an app!
Using such a system, Adobe was able to shorten it’s review time from 4.6 days to 4.6 hours. But there’s more. The data collected can help: • understand your open source activity, • promote it, • connect engineers unknowingly contributing to the same projects, • etc. Turn your policy into an app!
Thank you! Tobie Langel (@tobie) Principal, UnlockOpen tobie@unlockopen.com

More Related Content

PDF
Open Source Contribution Policies That Don't Suck
byTobie Langel
 
PDF
Pathways to Technology Transfer and Adoption: Achievements and Challenges
byTao Xie
 
PDF
How To (Not) Open Source - Javazone, Oslo 2014
bygdusbabek
 
PDF
Webinar 2 4nn
byJoe Liscouski
 
PDF
"What have the techies ever done for us?"Can technology help lawyers lead a h...
byEthien
 
PPTX
Agilelessons scanagile-final 2013
bylokori
 
PDF
A Rapid Introduction to Rapid Software Testing
byTechWell
 
PDF
The Elusive Nature of Context: Why We Need It and Were We Might Find It
byGail Murphy
 
Open Source Contribution Policies That Don't Suck
byTobie Langel
 
Pathways to Technology Transfer and Adoption: Achievements and Challenges
byTao Xie
 
How To (Not) Open Source - Javazone, Oslo 2014
bygdusbabek
 
Webinar 2 4nn
byJoe Liscouski
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
byEthien
 
Agilelessons scanagile-final 2013
bylokori
 
A Rapid Introduction to Rapid Software Testing
byTechWell
 
The Elusive Nature of Context: Why We Need It and Were We Might Find It
byGail Murphy
 

What's hot

PDF
Impactful SE Research: Some Do's and More Don'ts
byGail Murphy
 
PDF
Global Complex Project - How to deliver efficiently.
bySunny Menon
 
PDF
Publishing Strategic Technology for Association of Catholic Publishers
byCraig Miller
 
PDF
2016 metrics-as-culture
byNicole Forsgren
 
PPTX
Mark Graban Deming Red Bead 2016 SHS
byMark Graban
 
PDF
Lean Security
byBen Johnson
 
PPTX
The Real Lessons of Dr. Deming’s Red Bead Factory
byMark Graban
 
PPTX
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
PDF
Getting your work funded
byCISPA Helmholtz Center for Information Security
 
PDF
DOES SFO 2016 - Kaimar Karu - ITIL. You keep using that word. I don't think i...
byGene Kim
 
PDF
[HCMC STC Jan 2015] Choosing The Best Of The Plan-Driven And Agile Developmen...
byHo Chi Minh City Software Testing Club
 
PDF
Agility from First Principles
byDr. Tathagat Varma
 
PPTX
Fables fantasies and facts
byKelsey van Haaster
 
PDF
Managing international software projects interactively using scrum
byPeter Horsten
 
PDF
Webinar - Design thinking 101 - 2018-07-24
byTechSoup
 
PPTX
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
byGene Kim
 
PDF
Implementing Licensing— A Journey
byFlexera
 
PPT
How to get what you really want from Testing' with Michael Bolton
byTEST Huddle
 
PDF
Using Periodic Audits To Prevent Catastrophic Project Failure
byicgfmconference
 
PPTX
2012 05 corp fin 1c
byGene Kim
 
Impactful SE Research: Some Do's and More Don'ts
byGail Murphy
 
Global Complex Project - How to deliver efficiently.
bySunny Menon
 
Publishing Strategic Technology for Association of Catholic Publishers
byCraig Miller
 
2016 metrics-as-culture
byNicole Forsgren
 
Mark Graban Deming Red Bead 2016 SHS
byMark Graban
 
Lean Security
byBen Johnson
 
The Real Lessons of Dr. Deming’s Red Bead Factory
byMark Graban
 
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
Getting your work funded
byCISPA Helmholtz Center for Information Security
 
DOES SFO 2016 - Kaimar Karu - ITIL. You keep using that word. I don't think i...
byGene Kim
 
[HCMC STC Jan 2015] Choosing The Best Of The Plan-Driven And Agile Developmen...
byHo Chi Minh City Software Testing Club
 
Agility from First Principles
byDr. Tathagat Varma
 
Fables fantasies and facts
byKelsey van Haaster
 
Managing international software projects interactively using scrum
byPeter Horsten
 
Webinar - Design thinking 101 - 2018-07-24
byTechSoup
 
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops
byGene Kim
 
Implementing Licensing— A Journey
byFlexera
 
How to get what you really want from Testing' with Michael Bolton
byTEST Huddle
 
Using Periodic Audits To Prevent Catastrophic Project Failure
byicgfmconference
 
2012 05 corp fin 1c
byGene Kim
 

Similar to Open source contribution policies, OW2online, June 2020

PDF
'Open source contribution policies that don’t suck!'
byShane Coughlan
 
PPTX
Setting Your Code Free (Without Scaring the Lawyers): Licensing & IP Consider...
byAll Things Open
 
PDF
Growing with the Open-Source Community
byTomasz Urbaszek
 
PDF
Creating an Open Source Office: Lessons from Twitter
byChris Aniszczyk
 
PPTX
The Role of In-House & External Counsel in Managing Open Source Software
byFlexera
 
PDF
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
byFINOS
 
PPTX
Enterprise Open Source
byOscar Renalias
 
KEY
Open Source Compliance at Twitter
byChris Aniszczyk
 
PDF
Four Steps to Creating an Effective Open Source Policy
byiasaglobal
 
PPT
Ten Elements of Open Source Governance
byRogue Wave Software
 
PPT
Understanding the Meaningful Use of Open Source Software
byChris Mattmann
 
PPTX
Oscon 2016: open source lessons from the todo group
byBen VanEvery
 
PDF
Open Source Lessons from the TODO Group
byChris Aniszczyk
 
PDF
Os summit jp 2019 untold story ospo
byBrian Hsieh
 
PDF
How to Open Source an Internal Project
byAll Things Open
 
PPT
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...
byActiveState
 
PPTX
How to keep developers happy and lawyers calm (Presented at ESC Boston)
byRogue Wave Software
 
PPT
Open Source Issues and Trends
byNicole Baratta
 
PDF
What’s Driving Open Source (for MyGOSSCon)
bySimon Phipps
 
PPTX
Knocking Down Blockers: Transforming your company into an open source contrib...
byIan Varley
 
'Open source contribution policies that don’t suck!'
byShane Coughlan
 
Setting Your Code Free (Without Scaring the Lawyers): Licensing & IP Consider...
byAll Things Open
 
Growing with the Open-Source Community
byTomasz Urbaszek
 
Creating an Open Source Office: Lessons from Twitter
byChris Aniszczyk
 
The Role of In-House & External Counsel in Managing Open Source Software
byFlexera
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
byFINOS
 
Enterprise Open Source
byOscar Renalias
 
Open Source Compliance at Twitter
byChris Aniszczyk
 
Four Steps to Creating an Effective Open Source Policy
byiasaglobal
 
Ten Elements of Open Source Governance
byRogue Wave Software
 
Understanding the Meaningful Use of Open Source Software
byChris Mattmann
 
Oscon 2016: open source lessons from the todo group
byBen VanEvery
 
Open Source Lessons from the TODO Group
byChris Aniszczyk
 
Os summit jp 2019 untold story ospo
byBrian Hsieh
 
How to Open Source an Internal Project
byAll Things Open
 
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...
byActiveState
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
byRogue Wave Software
 
Open Source Issues and Trends
byNicole Baratta
 
What’s Driving Open Source (for MyGOSSCon)
bySimon Phipps
 
Knocking Down Blockers: Transforming your company into an open source contrib...
byIan Varley
 

More from OW2

PDF
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
byOW2
 
PDF
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
byOW2
 
PDF
GLPi v.10, les fonctionnalités principales et l'offre cloud
byOW2
 
PDF
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
byOW2
 
PDF
FusionIAM : la gestion des identités et des accés open source
byOW2
 
PDF
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
byOW2
 
PDF
SFScon'20 Bringing the User into the Equation
byOW2
 
PDF
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
byOW2
 
PDF
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
byOW2
 
PDF
Open Source governance and the Eclipse Foundation, OW2online, June 2020
byOW2
 
PDF
Open source contribution policies, OW2online, June 2020
byOW2
 
PDF
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
byOW2
 
PDF
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
byOW2
 
PDF
Open Source Compliance at Orange, OW2online, June 2020
byOW2
 
PDF
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
byOW2
 
PDF
Intelligent package management with FASTEN, OW2online, June 2020
byOW2
 
PDF
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
byOW2
 
PDF
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
byOW2
 
PDF
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
byOW2
 
PDF
Cacti and Big Data at Orange France, OW2online, June 2020
byOW2
 
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
byOW2
 
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
byOW2
 
GLPi v.10, les fonctionnalités principales et l'offre cloud
byOW2
 
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
byOW2
 
FusionIAM : la gestion des identités et des accés open source
byOW2
 
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
byOW2
 
SFScon'20 Bringing the User into the Equation
byOW2
 
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
byOW2
 
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
byOW2
 
Open Source governance and the Eclipse Foundation, OW2online, June 2020
byOW2
 
Open source contribution policies, OW2online, June 2020
byOW2
 
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
byOW2
 
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
byOW2
 
Open Source Compliance at Orange, OW2online, June 2020
byOW2
 
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
byOW2
 
Intelligent package management with FASTEN, OW2online, June 2020
byOW2
 
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
byOW2
 
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
byOW2
 
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
byOW2
 
Cacti and Big Data at Orange France, OW2online, June 2020
byOW2
 

Recently uploaded

PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 

Open source contribution policies, OW2online, June 2020

  • 1.
    Tobie Langel, Principal,UnlockOpen tobie@unlockopen.com Open source contribution policies that don’t suck!
  • 2.
    Do you havean open source policy? No 48% Don't know 13% Yes 39% < 250 employees 61% 11% 28% > 10,000 employees 25% 10% 65% Source: The New Stack & Linux Foundation/TODO Group 2018 Open Source Program Management Survey (https://github.com/todogroup/survey) Remember this is a biased sample!
  • 3.
    What does nothaving a policy mean? Contrary to popular belief, it does not mean that you don’t have an open source policy at all. It means that you don’t have a written one. You have a policy, whether it is written down or not. It could range from “no open source at all” to “anything goes.”  —Heather J. Meeker, Open Source Licensing Specialist, author of Open Source for Business.
  • 4.
    What does havinga policy mean? Think you’re in the right camp because you have an open source contribution policy? Think again! • You can have a very restrictive open source policy. • You can have a very bureaucratic process to obtain approval. • You can have a very opaque process to obtain approval. None of these are fun!
  • 5.
  • 6.
    What is apolicy that doesn’t suck? Engineering perspective Legal perspective Business perspective
  • 7.
    What is apolicy that doesn’t suck? Permissive. Allows open source contribution to be an integral part of the company’s engineering culture and best practices. Based on trust and autonomy. Explicit. The decision making process is well documented and transparent. Informative. The policy explains the why an helps educate engineers. Frictionless. Avoid bureaucracy, red tape, lengthly back and forth with legal, etc. Engineering perspective
  • 8.
    What is apolicy that doesn’t suck? Minimizes risk. Avoid: • giving away competitive advantage, • giving away IP that can be used defensively (or—shudders —offensively), • reputational damages and accidental infringements. Consistently followed across the company. Keep contribution under your radar. Avoid compliance issues. Savvy about written information. Sometimes you want a paper-trail (e.g. compliance), sometimes you don’t. Doesn’t drown critical problems in a sea of menial issues. Legal perspective* * IANAL (I am not a lawyer). Please talk to me if you are and want to help me improve this slide.
  • 9.
    What is apolicy that doesn’t suck? Engineering to be happy and productive. Risks minimized and well understood. Good communication between legal and engineering. Alignment with Business goals. Business perspective
  • 10.
    At the heartis a tension Legal wants to minimize risk. Prefers oral communication. Manager’s schedule. Favors spectrum thinking. Conservative role. Engineering wants to maximize velocity. Prefers written communication. Maker’s schedule. Favors binary thinking. Innovative role.
  • 11.
    Coming to agreement Acknowledgethat this tension is normal. It’s just checks and balances. Listen to both sides. Remind them that their role is to help achieve common business goals. • Legal’s role is to minimize risk, but not at the expense of innovation. • Engineering’s needs can’t be fulfilled at the expense of the company’s survival. Find common ground. A good policy will improve the life of both sides. Align your open source activity with your business goals. If you are a patent troll, then don’t do open source. Accept that your open source policy will change with your business.
  • 12.
    Contributing open source What isa policy really about? Using open source
  • 13.
    Well understood problem,essentially: • Using software with licenses that are compatible with your current and future business model. • Compliance. Using open source Tip: a common issue is missing licenses. Equip engineering with a process (and issue or pull request templates) to request proper OSI-approved licenses.
  • 14.
  • 15.
  • 16.
    Can employees contributeto open source on their free time? • Yes, without asking for permission. • Yes, but must ask for permission. So that sometimes means “no”, right? • I don’t know. • Nope. Contributing outside of work
  • 17.
    Other 4% Don't know 37% Must ask 12% Yes! 47% “Howdoes your employer's IP agreement/policy affect your free- time contributions to open source unrelated to your work?” “Respondents were sampled randomly from traffic and qualifying activity to licensed open source repositories on GitHub.com and invited to complete the survey through a dialog box. A smaller sample was recruited from open source communities sourced outside of GitHub, […]” Contributing outside of work Source: GitHub 2017 open source survey (http://opensourcesurvey.org/2017/). But again… this is a highly biased sample.
  • 18.
    Contributing outside ofwork Why so much confusion? • Depends on the jurisdiction, but not uncommon, especially in the USA, for companies to own employees’ production 24/7. • Sometimes, extra criteria apply. For example, in California, IP developed with company equipment—even outside of work— belongs to the employer. • This prevents employees from contributing to open source, unless they ask for, and are granted permission to do so.
  • 19.
    Contributing outside ofwork The common solution: ask for permission • Most companies have a process for this. • Tends to focus on releasing open source or working on a limited set of pre-approved projects. • Breaks down when there’s a high number of dependencies (such as for Node.js projects).
  • 20.
    Contributing outside ofwork The better solution: BEIPA • Balanced Employee IP Agreement • https://github.com/github/balanced-employee-ip-agreement • Project created by GitHub, based on its own IP agreement. • BEIPA only claims control of creations made for or relating to the company's business.
  • 21.
  • 22.
  • 23.
    Releasing open sourceat work • Distinguish large open source projects you want to promote from smaller "day to day” modules. (E.g. Google’s < 100 LoC rule.) • Offer well oiled and well documented processes, checklists, templates, and tooling (see: https://github.com/todogroup/policies). • Offer help. • Promote working in the open rather than releasing software once it’s done. (Consider README-driven development to avoid scope creep.)
  • 24.
    Patching open sourceat work • By far the most common activity and the most important one. • The experience must be as frictionless as possible for engineers. • Surface the process by which decisions are made and trust engineers to do the right thing. This let’s legal focus on the difficult cases. • Cache decisions (build approve- and deny- lists) so that the process gets faster as time goes by.
  • 25.
  • 26.
    Turn your policyinto an app! • Automatically approve requests that meet pre-established requirements (e.g. patch an MIT-licensed open source project on GitHub). • Automatically reject requests that don’t meet your criteria (but allow motivated appeals). • Manually handle other requests and cache the decision so more gets automated over time.
  • 27.
    Using such asystem, Adobe was able to shorten it’s review time from 4.6 days to 4.6 hours. Turn your policy into an app!
  • 28.
    Using such asystem, Adobe was able to shorten it’s review time from 4.6 days to 4.6 hours. But there’s more. The data collected can help: • understand your open source activity, • promote it, • connect engineers unknowingly contributing to the same projects, • etc. Turn your policy into an app!
  • 29.
    Thank you! Tobie Langel(@tobie) Principal, UnlockOpen tobie@unlockopen.com