Companies have an open source problem — and the opportunity to do better.
Upstream, a virtual conference held last week, looked at how companies can become better open source citizens, particularly in supporting projects across their lifespan.
“In open source, we have systemic resource disparities,” said moderator Josh Simmons, Tidelift’s ecosystem strategy lead and former president of the Open Source Initiative, during a panel on open source citizenship.
At any given company, as much as 70% of the stack may be open source, but there is a deficit in what the company contributes back, he contended.
“The modern organization has an existential relationship with open source: It depends on it, and yet, we have this entrenched resource disparity because of the way that open source has worked,” Simmons said. “There’s not only the resources buried in terms of money, but also just pure time.”
“The interesting thing about upstream is that we find that a lot of end-user organizations think that upstream stuff just magically happens, and somebody is taking care of that,” Gillen said. “The majority of organizations today are more in a position of using open source software, but not necessarily giving back to open source software in an upstream sense.”
The panel agreed that companies must strategically support open source upstream. Here are five steps the group of open source experts recommended companies take to become stand-up open source citizens:
1. Know Thy Open Source Self
Step one for any organization should be understanding where they’re leveraging open source, the panel agreed.
“If you really want to show up, you have to roll up your sleeves and dig into your dependency usage, figure out what’s being used where, how important it is, how healthy it is, and what levers you have within your own organization that you can throw to encourage people and get them involved in these conversations,” advised Duane O’Brien, director of open source at Indeed.
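As an added illustration of that first step, and not code from the panel or this article, the script below builds a single dependency inventory from two constructed inputs: an npm `package-lock.json` (lockfile version 3, where the `packages` map lists every installed path) and a pip-compile style `requirements.txt` whose `# via` annotations say what pulled each package in. It then answers the questions O’Brien raises: what is being used, from which ecosystem, whether it is a direct or transitive dependency, and where the same package is installed at more than one version, which is a common sign that a dependency tree needs janitorial work. The lock contents, package names and versions are sample values constructed for the example.

```python
import json
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    ecosystem: str   # "npm" or "pypi"
    name: str
    version: str
    direct: bool     # requested by the application itself, not pulled in by another package
    dev: bool        # only needed for development/test tooling

# Constructed sample: npm lockfile v3. Root entry "" lists what the app asked for;
# every other key is an installed path, nested paths hold alternate versions.
NPM_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"lodash": "^4.17.21", "@scope/widget": "^2.0.0"},
            "devDependencies": {"jest": "^29.0.0"},
        },
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@scope/widget": {"version": "2.1.0", "dependencies": {"lodash": "^3.10.0"}},
        "node_modules/@scope/widget/node_modules/lodash": {"version": "3.10.1"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/chalk": {"version": "4.1.2", "dev": True},
    },
}

# Constructed sample: pip-compile output. "-r requirements.in" marks a direct request.
REQUIREMENTS_TXT = """\
certifi==2024.2.2
    # via requests
requests==2.31.0
    # via -r requirements.in
urllib3==2.2.1
    # via requests
"""

def parse_npm_lock(lock: dict) -> list[Dependency]:
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfile v1 has no 'packages' map; regenerate with a current npm")
    root = lock["packages"][""]
    wanted = set(root.get("dependencies", {}))
    dev_wanted = set(root.get("devDependencies", {}))
    deps = []
    for path, meta in lock["packages"].items():
        if not path:
            continue
        # last "node_modules/" segment is the package name; keeps scoped names intact
        name = path.rsplit("node_modules/", 1)[1]
        top_level = path == f"node_modules/{name}"
        direct = top_level and (name in wanted or name in dev_wanted)
        deps.append(Dependency("npm", name, meta["version"], direct, name in dev_wanted or bool(meta.get("dev"))))
    return deps

def parse_requirements(text: str) -> list[Dependency]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # annotation line belonging to the previous pin
            if entries and "-r " in line:
                entries[-1]["direct"] = True
            continue
        spec, _, comment = line.partition("#")
        name, sep, version = spec.strip().partition("==")
        if not sep:
            raise ValueError(f"unpinned requirement, inventory would be ambiguous: {spec.strip()}")
        entries.append({"name": name.split("[")[0].lower(), "version": version.strip(), "direct": "-r " in comment})
    return [Dependency("pypi", e["name"], e["version"], e["direct"], False) for e in entries]

def build_inventory() -> list[Dependency]:
    return parse_npm_lock(json.loads(json.dumps(NPM_LOCK))) + parse_requirements(REQUIREMENTS_TXT)

def summarize(deps: list[Dependency]) -> dict:
    """Count packages per ecosystem, split into direct and transitive."""
    counts = Counter((d.ecosystem, "direct" if d.direct else "transitive") for d in deps)
    return dict(counts)

def multiple_versions(deps: list[Dependency]) -> dict:
    """Packages installed at more than one version: candidates for deduplication."""
    seen: dict = {}
    for d in deps:
        seen.setdefault((d.ecosystem, d.name), set()).add(d.version)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    inventory = build_inventory()
    for d in inventory:
        print(f"{d.ecosystem:5} {d.name:25} {d.version:10} {'direct' if d.direct else 'transitive':10} {'dev' if d.dev else ''}")
    print(summarize(inventory))
    print(multiple_versions(inventory))
```

Running it prints one line per installed package and two summaries; the duplicate-version report is the first place to look when deciding which upstream projects a company depends on most heavily and which of its own trees need cleaning up. On a real repository the constructed inputs would be replaced by reading the project’s lock files, and the same inventory can be joined against health signals (last release date, number of maintainers) gathered separately.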
2. Support the Project’s Lifecycle
Open source projects aren’t one and done — like other development projects, they have a lifecycle. “We want to make sure that they’re meeting new standards as we learn what best practices are for security,” said Simmons. “We want to help these maintainers do more to nurture a productive and healthy and welcoming community as well.”
Many open source projects are maintained by a single person, he added, which can lead to a skill disparity that organizations can help fill.
“No one person can ever contain all of the skills necessary to really lead a thriving project,” he added.
In the same vein, organizations can help with maintenance in a way that individuals may not be willing to, said O’Brien.
“A lot of the dependencies that sort of fall into unmaintained status, it’s because the work that’s left to do isn’t fun,” he said. “Organizations have a unique set of levers that they can throw to help people do the janitorial work in open source dependencies that isn’t fun.”
Gillen stressed that old projects that aren’t maintained are a strategic issue for open source and the companies that use it, one that is “potentially catastrophic for open source software.”
3. Support Developers in Contributing Back
Specifically, developers and engineers should be allowed to contribute back patches and feature additions to projects the company leverages, said Rob Underwood, vice president and global program lead of the Open Source Program Office at Goldman Sachs.
“We think the right way to work is that our engineers are enabled, to be able to contribute back and patch and add features to the projects that we consume,” Underwood said. “We want to make sure that we’re allowing our engineers and providing them the developer experience and ergonomics so they can contribute back and contribute to upstream repos.”
4. At a Minimum, Contribute Financially
Contributing money should be a starting point — a minimum, said Alyssa Wright, who heads the open source program office at Bloomberg.
“A much more interesting conversation and a more authentic conversation — when we think about these communities that are making the technologies and the projects that are part of this supply chain — is how do we contribute back in a way that is just as valuable and maybe sustainable,” Wright said. “Though I think we all acknowledge here that money is important, but it is a baseline.”
Companies should move beyond “picking a number out of the air” to a decision-making framework, perhaps based on a portion of revenue or on a per-developer-seat licensing price, O’Brien suggested.
5. Provide Manpower to Open Source Groups
It seems obvious, but organizations should participate in standards committees, working groups and open source foundations — and that means giving individuals time to lead open source committees, said Deb Nicholson, executive director of the Python Software Foundation.
“If you are lucky enough to have someone who is embedded in a community, a technical community, that’s really important to you, then you have to let them lead,” Nicholson told the panel. That may mean giving them a few hours a week for a year to devote to the open source community, she added.
Businesses should understand that in that situation, an employee may have to “leave the hat of being there for your company at the door and participate as a member of the community,” she said.
Companies should also look at how they can provide skills beyond software development, she added. For instance, many companies derive value from intellectual property, and if a lawsuit happens, it can literally mean the staff of a small open source project have to “tear up their to-do lists for the year and fundraise,” she said. Companies should consider stepping in by allowing their attorneys to work on these lawsuits pro bono, she suggested.
“Software can be pretty litigious,” Nicholson said. “I’ll just put that out there as the gold bar.”
Feature image via Pexels.