Establishing a Strong Open Source Strategy: 3 Steps to Get Started

Step 1: Conduct an Inventory

Do you know what open source software your organization uses, where and why? If you think you’re not using open source components, you’d be wrong. Start by understanding what’s happening already – what you use, where you contribute (or don’t contribute – and why), and the selection criteria your team applies when considering new contributions or new adoptions. This inventory will paint a clear picture of what you use – information that will enable you to shift from an opportunistic, ad hoc stance to one based on strategy and intent.

Step 2: Build a Framework to Encourage Strategic Choices

Knowing why you use something is as important as knowing that you use it. Seek to understand and document how teams select open source components, when they decide to contribute to open source projects and in some cases, create or “originate” open source projects. Next, create a set of objective selection standards, or a process for each scenario. A recent Sonatype report asserts that enterprise development teams should create and implement open source component selection criteria in the same fashion as traditional manufacturing supply chains intentionally select parts from approved suppliers and rely upon formalized procurement practices. Software development teams can benefit from adopting similar practices and operating principles.

When you’re documenting the selection criteria, keep in mind that there is always more than one open source project for every need; oftentimes there will be dozens of alternatives. Consider the CNCF landscape for perspective. With more than 429 open source projects across 27 different categories to choose from, the selection process can be daunting. Start with a clear definition of the business and technical requirements, but don’t neglect to evaluate projects for their “health” or long term viability.

A Picture of Health: How to Choose

When including open source components, you want certain assurances that the software will be around for the long haul. You’re relying on that piece of code, so it’s vital to understand if that project is strong, supported by a thriving community or alternatively neglected and poorly supported by its community. Since risk lies along a spectrum, you’ll need to know your risk tolerance. For critical components of customer or external facing applications that are embedded or provide an essential foundational function, your risk tolerance may be quite low. You want to be assured that the project is healthy and boasts a diverse contributor community. A project controlled by a single vendor with little to no community input may subject you to an open source version of “vendor lock-in”. An unexpected license change, technical shift or project abandonment may leave you in a difficult situation with little recourse.

Other indicators of project health include documentation quality, frequency of updates, the time open issues languish, and code reviews. These external signs can provide important signals about the project’s health.

If you’re looking to your IT or solutions partner to introduce open source solutions to your strategy, it’s important to understand how to evaluate their open source credentials. While many may default to counting code or commits as a sign of open source leadership, true leadership goes well beyond code. Align with a vendor that not only contributes code, but also assumes leadership positions within the project or its ecosystem. Representation on technical oversight committees, user groups and release managers are indicators of a company that’s truly invested in project success, and one that you can rely on to deliver leading edge commercial solutions built on that open source foundation

Step 3: Building a Community Mindset

Now that you understand what you’re consuming and how to make smarter choices, you need to understand where you’re contributing back. This a critical, but often overlooked, aspect of a sound open source strategy. When you rely on open source components, it’s part of your software supply chain, and it’s your responsibility to keep that component and its dependencies up-to-date. When you are part of the contributor community, that job becomes much easier. As a community member, you’re able to influence direction, understand new challenges, and become part of a decision-making team. This gives you an immediate advantage – because your team has a “backstage pass” to the project’s roadmap and upcoming changes.

Releasing an open source project is another option. In this scenario, you need to make sure your team understands the open source philosophy and development practices and abides by a “community first” mindset. For instance, it’s critical to first understand the scope of the technology you think you want to release – and check for understanding beyond your immediate team, especially if you work in a larger company. Engage with your legal team at the outset – they can help with assessing the IP and patent implications as well as provide guidance on proper licensing. It’s essential that you don’t inadvertently release technology your company prefers to retain as proprietary. And of course, the creation of an open source project must always align to your overall strategy and be one you’re willing to invest in. When you release code into the open source ecosystem, commit to that code. Don’t “set and forget” or use open source as an exit strategy for outdated code or products.

In open source, you reap what you sow. If you truly want to enjoy all the benefits open source has to offer, you need to commit. Know what good citizenship looks like and invest. But before you do that – set your strategy. Know what you’re using today, where your teams are already contributing, and determine where your next investments lie. When you move from an ad-hoc stance to one that’s built on purpose and intent – that’s when you’ll realize the full potential of open source.