From 0287e056fb0477aea51bbe00bf677097d3791266 Mon Sep 17 00:00:00 2001 From: Alice Sowerby Date: Tue, 27 Aug 2024 17:54:42 +0100 Subject: [PATCH] Update 04-chapter.md Fixing changes suggested by @koozz Signed-off-by: Alice Sowerby --- ospo-book/content/en/04-chapter.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ospo-book/content/en/04-chapter.md b/ospo-book/content/en/04-chapter.md index 8ae82170..58cc8aa6 100644 --- a/ospo-book/content/en/04-chapter.md +++ b/ospo-book/content/en/04-chapter.md 
@@ -56,7 +56,7 @@ The contributors to this book have identified challenges in implementing the min | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Define open source compliance rules and practices | An explicit consensus on the organization's open source compliance rules and practices between the legal and business stakeholders. | The organization knows that it has a managed approach to the legal aspects of open source consumption, which can be maintained and improved over time. Each company has different aspects of open source compliance, interpretations of licenses and different risk appetite (e.g dealing with regulations). Having well-defined compliance rules and practices is the first step toward deterministic open source compliance | | Define rules and policies on using open source (criteria for using open source software which relate to open source health) | Consumption of open source projects is not just viewed through the compliance lens, but is considered more holistically and includes the risks associated with unhealthy projects. A consensus is built in the company related to the hygiene related to consumed open source components. The organization has clear policies to follow. 
| Consumed open source projects are lower in risk because they are healthy, fixing security vulnerabilities, implementing new features and release regularly. | -| Define rules and policies on how to contribute to open source (criteria on how to engage in the community, how to transfer rights, CLAs) | The OSPO can increase awareness of the two-way relationship with open source projects. Using policies supports a consistent and ethical approach. The organization has clear policies to follow. | Policies and practices ensure that the organization considers how to jointly build value with open source projects. Contributions made are likely to improve the company reputation, not damage it. | +| Define rules and policies on how to contribute to open source (criteria on how to engage in the community, how to transfer rights, Contributor License Agreements) | The OSPO can increase awareness of the two-way relationship with open source projects. Using policies supports a consistent and ethical approach. The organization has clear policies to follow. | Policies and practices ensure that the organization considers how to jointly build value with open source projects. Contributions made are likely to improve the company reputation, not damage it. | | Adopt ISO/IEC 5230 (OpenChain) Compliance | The OSPO can implement an international, defined standard rather than creating one from the ground up. | The organization can demonstrate its compliance with an internationally-recognized standard. | | Manage an inventory of open source software used in the organization | The OSPO is aware of the surface area of open source software it is overseeing. | The organization has a base for overall risk management. This is an important tool for dealing with issues relating to specific projects (security problems, license changes, lifecycle issues, etc.) 
| | Training on open source awareness | Providing training on open source increases visibility of the role of open source, visibility of the OSPO and its value, and improves understanding of how the organization uses and engages with open source. | Increases the competence present in the organization to work with open source software through an awareness of open source value, licensing, and contributions etc. | 
@@ -86,7 +86,7 @@ The contributors to this book have identified challenges in implementing the min | Activities | Value for the OSPO | Value for the Organization | | --------------------------------------------------------------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Open sourcing previously proprietary projects | The OSPO can reduce the burden on the Engineering (and other) departments. | New opportunities will open up to improve the codebase of a commodotized component through collaboration in public. More strategic involvement in open source. Access to new expertise. | +| Open sourcing previously proprietary projects | The OSPO can reduce the burden on the Engineering (and other) departments. | New opportunities will open up to improve the codebase of a commoditized component through collaboration in public. More strategic involvement in open source. Access to new expertise. | | Establish an “upstream first” policy | Offering the organization a way to get more value for the same, or smaller, amount of effort. | The organization can support or even lead open source projects and make them part of the primary value creation of the organization without losing its competitive differences, and while benefiting from the contributions of a whole community. | | Supporting autonomy of contributors and maintainers of open source projects | In-house experts in open source are valuable to the OSPO. | Employing people who are dedicated to only open source work means the organization can strategically strengthen important open source projects in the most organic and effective way. |
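Review bot: in the first hunk (the `-56,7 +56,7` change to the "Define rules and policies on how to contribute to open source" row), expanding "CLAs" to "Contributor License Agreements" drops the acronym entirely, and "CLA" is the term practitioners will search for in this chapter; consider "Contributor License Agreements (CLAs)" so the first mention defines the acronym and later shorthand still resolves. Two small wording issues sit in the unchanged context of the same hunk and could be picked up in a follow-up rather than this patch: "e.g dealing with regulations" is missing the period after "e.g", and "fixing security vulnerabilities, implementing new features and release regularly" should read "releasing regularly" to keep the list parallel.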
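Review bot: the "commodotized" to "commoditized" spelling fix in the second hunk (`-86,7 +86,7`) is correct and is the only change in that row; while the row is being touched, "the Engineering (and other) departments" is capitalized where the first table refers to "the legal and business stakeholders" in lowercase, so "the engineering (and other) departments" would keep the two tables consistent.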