Creating an open source software policy is a strategic imperative for organizations in the software industry. But what does a strategic policy include, and how can you implement one?
What is an OSS Management Policy?
Let’s start by defining an open source management policy. It is a set of rules and guidelines for using and managing OSS in your organization. To be effective, it must cover all the essential aspects of managing OSS, yet it must be succinct and easily understood; otherwise nobody will read it, much less follow it. At the Olliance Group, our rule of thumb is that policies should be five pages or less, and reflect the way software is developed and delivered in your company specifically – general rules are not likely to apply directly to your requirements and processes, so the results are likely to be approximate and inefficient.
Open Source Management Policy Development Process
There are four key steps to developing an open source management policy:
- Identify key stakeholders
- Obtain an organizational commitment
- Draft the policy
- Review and approve the policy
Step 1: Identify Key Stakeholders
Identifying and including important stakeholders should be first on your list. These functional responsibilities may include software architects, software developers and engineers, quality assurance and release management personnel, the legal team and product and business managers. In addition, organizations with sensitive data may also wish to include those security stakeholders responsible for software entering the organization and being released from the organization.
Step 2: Obtain an Organizational Commitment
This is the most important success factor! Securing a commitment from stakeholders to contribute the time and effort to the policy and sharing an understanding of the policy’s importance can make or break your efforts. We have found that policy development teams are most effective when they work from a clearly articulated statement of the company’s OSS strategy, including statements of the benefits the company wishes to realize and how it intends to ensure them.
An effective way to solidify this commitment is collecting and disseminating information about your organization’s use and plans for OSS. Share documents that include:
- Existing OSS policies and processes
- Comprehensive lists of OSS currently used within the organization
- Existing license compliance requirements and procedures
- All agreements and business relationships related to OSS
- New and future initiatives that may involve OSS
Step 3: Draft the Policy
Policies are typically developed in a series of meeting of the relevant stakeholders. This is where the trade-offs inherent in any policy must be discussed and resolved, and include:
- Controlling risk v. development productivity
- Broad, simple rules v. specific, more complex rules
- Self-checking v. independent checking
- Using judgment calls v. detailed prescriptions
To speed this process, you may wish to consider using a facilitator with extensive OSS policy development experience.
We recommend that open source policies include the following eight elements:
- Program Administration and Management – determine responsibilities for the policy itself and overseeing the program’s management. Consider assigning tasks to individuals or creating an Open Source Management Board.
- Discovery, Acquisition and Evaluation – efficiently finding and properly evaluating new software packages helps avoid future problems and risks. As such, OSS policies typicall recommend certain sources of code (including the code already in-house) and establish evaluation criteria for use throughout the organization.
- Review and Approval – this policy specifies how an OSS component evaluation is reviewed and who may approve it for specified use. Typically, policies establish an OSS Review Board consisting of key stakeholders who can inform decisions, although sometimes a simpler approval cycle can be established for already approved components and reuse needs.
- Software Procurement – embedded OSS is subject to the same license compliance requirements, and potential operational risks, as downloaded OSS. OSS policies should require suppliers to report each OSS element embedded in their deliverables, any modifications, license and compliance terms.
- Code and Documentation Management – policies should specify that original source code, build files, documentation and license declaration for each OSS component must be archived and all internal modifications must be tracked. In addition, most organizations require that OSS archives are kept up-to-date with internal bug fixes and enhancements. In addition, you should also require tracking in order to generate reports identifying all uses of OSS components.
- Support and Maintenance – identify a responsible party for tracking security vulnerabilities and bugs, notifying users of updates and applying fixes, as necessary.
- License Compliance – ensuring compliance with relevant OSS licenses is a critical element of OSS management. We recommend auditing each release to verify that no undocumented or mis-documented OSS is included, that that all compliance requirements are met.
- Community Participation – for OSS acquired from communities, often the source of support is through community participation. OSS policies should specify the kinds of community participation permitted (or required) and the standards and controls for these activities – whether your company mandates no community participation or active participation, or some level between, articulating these expectations is key.
Step 4: Review and Approve the Policy
Circulate the policy among stakeholders for review and approval. Most organizations are able to develop a final policy document after two or three revisions.
And remember: no policy remains unchanged – most companies will go through several rapid revisions as they gain experience during implementation, and after that, it’s useful to establish a periodic review and fine-tuning of the policy.
For more information, please review the Olliance Group’s open source policy creation whitepaper or gain more insights from viewing the full OSS Policy webinar.
