From ee9737d6200e702e025a65252c2e162b7b00bad6 Mon Sep 17 00:00:00 2001 From: Gergely Csatari Date: Mon, 16 Sep 2024 00:02:21 +0300 Subject: [PATCH 1/2] Some suggestions for change and/or discussion Signed-off-by: Gergely Csatari --- ospo-book/content/en/01-chapter.md | 8 ++++---- ospo-book/content/en/02-chapter.md | 30 +++++++++++++++--------------- ospo-book/content/en/03-chapter.md | 15 ++++++++------- ospo-book/content/en/04-chapter.md | 19 +++++++++---------- ospo-book/content/en/_index.md | 2 +- ospo-book/content/en/taxonomy.md | 24 +++++++++++++----------- 6 files changed, 50 insertions(+), 48 deletions(-) diff --git a/ospo-book/content/en/01-chapter.md b/ospo-book/content/en/01-chapter.md index 827e3748..b5ff8588 100644 --- a/ospo-book/content/en/01-chapter.md +++ b/ospo-book/content/en/01-chapter.md @@ -17,7 +17,7 @@ Creating an Open Source Program Office (OSPO) can accelerate an organization's o In this book, we will guide organizations through the process of creating and implementing an OSPO. The book provides: * Practical advice and best practices on how to streamline open source operations -* Recommendations to ensure that organizations can maximize the benefits of open source while being good open source citizens. +* Recommendations to ensure that organizations can maximize the benefits of open source while being good open source citizens and follow related regulations. The book is structured in a user-friendly and practical manner, with a focus on providing actionable advice and steps that organizations can take to create and implement an OSPO. The book will cover a range of topics, including: 
@@ -38,7 +38,7 @@ In the following chapters, we will explore the key components of an OSPO, and pr [WHO] OSPOs are composed of people (open source specialists) wearing different hats: -* Open Source Enabler: OSPOs can help organizations navigate the cultural, process, and tool changes required to engage with the open source community effectively. This can involve educating teams/ units, establishing new processes and workflows, and adopting new tools and technologies. +* Open Source Enabler: OSPOs can help organizations navigate the cultural, process, and tool changes required to engage with the open source community effectively. This can involve educating teams/units, establishing new processes and workflows, and adopting new tools and technologies. * Open Source Counselor: OSPOs can provide guidance and advice on the latest open source trends, licensing issues, and how to engage with open source projects, foundations, and communities. This can help organizations stay up-to-date with the rapidly changing open source landscape and ensure they are making informed decisions. 
@@ -80,7 +80,7 @@ Below, people will find a checklist to assess and better understand their possib Assessing open source adoption is critical because it sets the foundation for successful open source operations. Without proper understanding and adoption of open source, an OSPO may not be effective in achieving the desired outcomes. -* **☑️ Open Source Software (or open works) Usage:** Evaluate the level of open source software usage within your organization. Are there any specific open source projects that are widely used? Are there any projects that are critical to the organization's operations? +* **☑️ Open Source Software Usage:** Evaluate the level of open source software usage within your organization. Are there any specific open source projects that are widely used? Are there any projects that are critical to the organization's operations? * **☑️ Knowledge and Understanding of Open Source:** Evaluate the level of knowledge and understanding of open source within your organization. Are the different actors that will be or are currently involved in open source familiar with open source licensing models and requirements? Do they understand the benefits and risks of using open source software? @@ -94,7 +94,7 @@ Assessing open source adoption is critical because it sets the foundation for su * How would you define 'open source'? * What does 'open source' mean for you and your organization? - * How much open-source software is already being used in the organization? + * How much open source software is already being used in the organization? * How would you define the 'open source culture' within your organization? * What are the organization's goals and objectives for using open source? * How is open source software currently being used (usage) within the organization? diff --git a/ospo-book/content/en/02-chapter.md b/ospo-book/content/en/02-chapter.md index 84c940a0..5855eaef 100644 --- a/ospo-book/content/en/02-chapter.md +++ b/ospo-book/content/en/02-chapter.md 
@@ -1,5 +1,5 @@ --- -title: "2 - The Value of Open Source Program Offices" +title: "The Value of Open Source Program Offices" status: Completed weight: 40 --- 
@@ -20,17 +20,17 @@ Organizations of various types – including end-user companies, software vendor ### Supply Chain and Open Source -Sometimes, organizational stakeholders may assume that their product isn't using any open source projects because their end product is proprietary. However, when you look at the [entire software supply chain](https://opensource.com/article/16/12/open-source-software-supply-chain) you can see that your proprietary software contains open source dependencies or artifacts. If the contributors working on those open source projects were to leave, the project could become obsolete or a target for security vulnerabilities. This affects the proprietary software the organization uses or sells, directly impacting its reputation, performance, or revenue. +Sometimes, organizational stakeholders may assume that their product isn't using any open source components because their end product is proprietary. However, when you look at the [entire software supply chain](https://opensource.com/article/16/12/open-source-software-supply-chain) you can see that your proprietary software contains open source dependencies or artifacts. If the contributors working on those open source projects were to leave, the project could become obsolete or a target for security vulnerabilities. This affects the proprietary software the organization uses or sells, directly impacting its reputation, performance, or revenue. #### Common challenges when managing open source integration Organizations may encounter issues when managing open source components that are integrated into their technology infrastructure. If these issues are ignored or neglected, they can lead to mid-term and long-term innovation bottlenecks and security vulnerabilities. It’s important to understand the unique factors that make open source different. -- **Vulnerability management can be hard:** Open source projects can be a source of security vulnerabilities in a product that depends upon them. 
It can be hard to keep track of how open source projects are being used by your organization to perform risk assessments on the identified projects. When you identify key projects within the organization, you can prioritize securing them by tracking common vulnerabilities and exposures. Often, the Enterprise Architecture team are the ones tracking the open source components of applications and technologies, and OSPOs are there to give subject matter expertise. +- **Vulnerability management can be hard:** Open source projects can be a source of security vulnerabilities in a product that depends upon them. It can be hard to keep track of how open source projects are being used by your organization and to perform risk assessments on the identified projects. When you identify key projects within the organization, you can prioritize securing them by tracking common vulnerabilities and exposures. Often, the Enterprise Architecture team are the ones tracking the open source components of applications and technologies, and OSPOs are there to give subject matter expertise. - **It can take a lot of work to understand the complexity of the open source supply chain:** The open source landscape is large and decentralized, and it can be hard to identify who the contributors to individual projects are and to perform risk assessments on the identified projects. These factors can make it challenging for organizations to accurately assess risks and to comprehend the security and quality standards of the software, hardware, data, etc. -- **There can be a tension between the need to ship product features and the need to contribute back to open source:** Commercial organizations that are using open source are often keen to contribute back to the projects they use. However, the pressure to ship features in their own products mean that open source contributions may take a back seat when things get busy. 
+- **There can be a tension between the need to ship product features and the need to contribute back to open source:** Commercial organizations that are using open source are often keen to contribute back to the projects they use. However, the pressure to ship features in their own products mean that open source contributions may take a back seat when things get busy. Even it is known that contributing features and bugfixes to upstream is less effort on long term than to maintain a fork of the project oprganisations often optimize for short term benefits and do not spend the extra effort to upstream the changes. - **It takes time and planning to collaborate effectively with the community and industry:** Your organization could be in a good position to provide resources to open source projects. That could be through coding, expertise, or money donations as incentives for fixing common vulnerabilities ([see Log4Shell real vulnerability example](https://en.wikipedia.org/wiki/Log4Shell)). It could also be productive to collaborate with industry working groups to address security concerns holistically. Making a plan that aligns with your organization strategy and provides value to the open source projects is a good way to be a helpful community member. 
@@ -61,13 +61,13 @@ _[Source: OSPOs, key lever for open source sustainability](https://speakerdeck.c ### Reasons and Value of Investing in a Resilient OSPO -In a world governed by software, open source projects offer solutions to the mission-critical problems organizations wish to address, whether social-economic (governments, NGOs) or technological (companies). Integrating open source into an organization's infrastructure and operations encompasses various objectives, such as risk management, innovation, and the sustainability of the open source communities they rely on. To achieve effective integration, organizations need the right staff to operate and the necessary talent to manage such operations. This is where the mission of an OSPO (Open Source Program Office) comes into play. Go to “tips on how to get started with an OSPO” sub-section to see some practical advice on when starting to staff an OSPO. +In a world governed by software, open source projects offer solutions to the mission-critical problems organizations wish to address, whether social-economic (governments, NGOs) or technological (companies). Integrating open source into an organization's infrastructure and operations encompasses various objectives, such as risk management, innovation, and the sustainability of the open source communities they rely on. To achieve effective integration, organizations need the right staff to operate and the necessary talent to manage such operations. This is where the mission of an OSPO comes into play. Go to “[tips on how to get started with an OSPO](#tips-on-how-to-get-started-with-an-ospo)” sub-section to see some practical advice on when starting to staff an OSPO. On the other hand, stopping the work of an OSPO could have significant negative impacts on those organizations that use open source (directly or indirectly) at any level, including loss of open source expertise, increased security and legal risks, reduced community engagement, and damage to reputation. 
> 💡 _Open Source is a silent critical need_ -An OSPO needs to be an ongoing initiative within an organization in order to evolve its culture and open source knowledge, helping the organization to contribute to and build more secure open-source software, as well as improving the sustainability of open-source projects. +An OSPO needs to be an ongoing initiative within an organization in order to evolve its culture and open source knowledge, helping the organization to contribute to and build more secure open source software, as well as improving the sustainability of open source projects. The different roles and pillars of support of an OSPO shared below can help readers understand why it should be viewed as a critical area to maintain and nurture within an organization, rather than just a pet project with an expiration date. @@ -90,15 +90,12 @@ The [business value of the OSPO report](https://www.linuxfoundation.org/research - Building standardized processes around open source - Learning how to approach the open source community -- Embracing the Sustainability of open source Projects +- Embracing the Sustainability of open source projects - Managing compliance - Expanding access to open knowledge - Improving development velocity - Mitigating security risks - - - ### Interlude #### A perspective of open source in public administrations 
@@ -138,7 +135,7 @@ Organizations may underestimate how much they already depend on the usage (also Assess this value for your own organization by taking steps such as: - Collect information about open source software used by your development and operations teams -- Get clarity about composition of commercial software you buy or services you use, ask vendors for what open source software they use, e.g. by requesting Software Bill of Materials (SBOMs) +- Get clarity about the software composition of commercial software you buy or services you use, ask vendors for what open source software they use, e.g. by requesting Software Bill of Materials (SBOMs) - Assess value by evaluating what costs would occur by using alternative proprietary solutions and components - Take factors such as speed of innovation or engineering agility into account 
@@ -164,17 +161,20 @@ There is a wide variety of open source maturity models –for governments, NGOs, * Participation - Engagement with open source communities * Contribution - Pragmatic contributions to open source projects * Leadership - Strategic involvement with open source to drive business value -* Participation - Engagement with open source communities -* Contribution - Pragmatic contributions to open source projects -* Leadership - Strategic involvement with open source to drive business value ![opensourceinvolvementmodel](https://user-images.githubusercontent.com/43671777/232468143-cde69525-7adb-4399-96d3-fa63f056b942.png) #### Maturity Model 2 - Five stages or corporate open source adoption talk by [Carl-Eric](https://web.archive.org/web/20240419100823/https://debricked.com/blog/what-is-open-source-maturity-model/) +* Accidental - open source is used by the organisation without knowing that it is used +* Repetitive - there are processes set up for both consumption and contribution, but contributions are sporadic +* Directed - active participation incritical open source projects +* Collaborate - open source collaboration is used as a tool to create business value +* Prevail - open source is used to influence strategic areas of the business and technology + ![osmm-carl](https://github.com/user-attachments/assets/4a382434-878c-4c22-a2cd-d10292129370) -## How do you identify and categorize the benefits of open source activities for your organization? +## How do you identify and categorize the benefits of open source activities for your organization? Once you have a certain familiarity with open source adoption models, the next natural question to ask is _What are the benefits of open source activities for the organization?_ diff --git a/ospo-book/content/en/03-chapter.md b/ospo-book/content/en/03-chapter.md index e0427907..a7c7d02f 100644 --- a/ospo-book/content/en/03-chapter.md +++ b/ospo-book/content/en/03-chapter.md 
@@ -59,12 +59,12 @@ The structure used in this book to represent these areas is shaped as a flower d #### Creating and Implementing an Open Source Strategy -> If an organization's primary objective is profitability, customer satisfaction becomes a linchpin in the corporate strategy – a focal point for both CEOs and CFOs. For individuals in Open Source Program Offices, effectively communicating the open source strategy to C-level executives demands a keen understanding of the industry landscape and alignment with the key considerations of CEOs and CFOs. This alignment necessitates a clear comprehension of the overarching corporate strategy and identifying technologies within the open-source realm that can propel the organization toward its strategic objectives +> If an organization's primary objective is profitability, customer satisfaction becomes a linchpin in the corporate strategy – a focal point for both CEOs and CFOs. For individuals in Open Source Program Offices, effectively communicating the open source strategy to C-level executives demands a keen understanding of the industry landscape and alignment with the key considerations of CEOs and CFOs. This alignment necessitates a clear comprehension of the overarching corporate strategy and identifying technologies within the open source realm that can propel the organization toward its strategic objectives > > Victor Lu and Rob Moffat Presentation - [Strategy - End Game for FINOS Maturity Model](https://osr.finos.org/docs/presentations/strategy) The people behind an OSPO achieve this by creating and maintaining a framework covering the following aspects: strategy, governance, compliance, and community engagement. -The OSPO's strategy focuses on aligning the organization's open source usage (consumption) and contributions across its projects, products, services, or internal infrastructure to its overall organization objectives. 
+The OSPO's strategy focuses on aligning the organization's open source usage (consumption), contributions and compliance activities across its projects, products, services, or internal infrastructure to its overall organization objectives. A strategy creates a high-level consensus on concrete topics and their impact on your organization and the people within it. A good practice is to [document this strategy in an open source strategy document](https://todogroup.org/resources/guides/setting-an-open-source-strategy/). @@ -115,7 +115,7 @@ It's important for readers to recognize the distinction between measuring an org Regarding the organization's engagement, there are already various models available that help assess the maturity of open source involvement. Examples include Ibrahim's Enterprise Open Source Involvement Stages and the FINOS' [Open Source Maturity Model](https://www.finos.org/blog/open-source-maturity-model-launch). To simplify this topic for this book, these models can be summarized into four main stages: -* Software usage (also called consumption) +* Open source usage (also called consumption) * Community participation * Community contribution * Leadership 
@@ -125,7 +125,7 @@ It helps identify the specific areas where they need to concentrate their effort ### Simple checklist -[This checklist](https://github.com/todogroup/ospology/blob/main/ospo-model/en/ospo-checklist.md) offers a simplified set of common milestones to both early-stage and seasoned OSPOs in navigating each stage of the previously mentioned OSPO maturity model. Please note that an OSPO might remove, add, or edit some content of this checklist to adapt it to their organization's needs. +[The TODO OSPO checklist](https://github.com/todogroup/ospology/blob/main/ospo-model/en/ospo-checklist.md) offers a simplified set of common milestones to both early-stage and seasoned OSPOs in navigating each stage of the previously mentioned OSPO maturity model. Please note that an OSPO might remove, add, or edit some content of this checklist to adapt it to their organization's needs. #### Pre-stages @@ -133,6 +133,7 @@ It helps identify the specific areas where they need to concentrate their effort - [ ] Define program branding (e.g., OSPO, open source initiative, head of open source operations). - [ ] Define structure, budget and necessary cross-functional staff to get started - [ ] Define an action plan for the upcoming years +- [ ] Define communication plan about OSPO activities to the organisation #### Stage 1 
@@ -143,12 +144,12 @@ It helps identify the specific areas where they need to concentrate their effort #### Stage 2 +- [ ] Define compliance process for contributions and interactions with open source communities - [ ] Lay out best practices in interacting with OSS projects such as how to request features, file bug reports, and contribute basic code. -- [ ] Communicate to workers, policymakers and other open source stakeholders the importance of contributing to and not merely consuming (also called usage) to open source (including advocating for and driving event sponsorships, booking project leads and maintainers as speakers or panelists in public coding forums, and securing organizational resources to mission-critical OSS projects). -- [ ] Incentivize developers and non-developers (lawyers, project managers, etc) to participate on open source projects critical to their operations (contributing code, field expertise, etc), to the degree that workers become highly active contributors. +- [ ] Communicate to workers, policymakers and other open source stakeholders the importance of contributing to and not merely consuming (also called usage) to open source (including advocating for and driving event sponsorships, booking project leads and maintainers as speakers or panelists in public coding forums, and securing organizational resources to mission-critical open source projects). +- [ ] Incentivize developers and non-developers (lawyers, project managers, technical writers, etc) to participate in open source projects critical to their operations (contributing code, field expertise, documentation, etc), to the degree that workers become highly active contributors. 
- [ ] Contributions are focused to a narrow business critical set of functionalities in open source projects, and they are sponsored by the organisation (contributions are not a hobby project of individual employees) - #### Stage 3 - [ ] Initiate and host, or act as primary sponsors of open source projects critical to your organization. diff --git a/ospo-book/content/en/04-chapter.md b/ospo-book/content/en/04-chapter.md index 648bfce8..03a0defe 100644 --- a/ospo-book/content/en/04-chapter.md +++ b/ospo-book/content/en/04-chapter.md @@ -1,5 +1,5 @@ --- -title: "4 - Day-to-Day Operations" +title: "Day-to-Day Operations" status: Completed weight: 60 --- 
@@ -22,20 +22,19 @@ OSPO day-to-day operations encompass a broad spectrum of activities aimed at enh compliance, selecting open source software, and interactions with vendors. It also includes engaging with the community and partners, securing sponsorships, and organizing open source events. -- **Automation Tools:** Creating process automation to support open source policies is important because policies alone may not always be effective. Managers know that their workers will not always follow policy and therefore want effective options to automate use, management and tracking of open source components. Automation is useful in many areas of open source including licence compliance, and security. +- **Automation Tools:** Creating process automation to support open source policies is important because policies alone may not always be effective. Managers know that their workers will not always follow policy and therefore want effective options to automate use, management and tracking of open source components. Automation is useful in many areas of open source including licence compliance, and security. -- **Documentation, Training, and Education:** An OSPO can play a leading role in ensuring that individuals are qualified to assess open source projects for use in the organization. Developing training materials and documentation and/or aiding teams to produce these across different departments are key - tasks. +- **Documentation, Training, and Education:** An OSPO can play a leading role in ensuring that individuals are qualified to assess open source projects for use in the organization and contributte to critical open source projects for the organization. Developing training materials and documentation and/or aiding teams to produce these across different departments are key tasks. - **Resource Allocation:** There can be a lot of areas that an OSPO can offer value to an organization. 
Therefore, prioritizing work and allocating resources strategically and tactically is an important activity that will improve the OSPO's impact. -- **Risk Management:** OSPOs are well-placed to take a holistic view on the risk that the organization faces when using open source projects. It is useful for the OSPO to assess the risks by obtaining a comprehensive view of the organization's tech stack. This may include generating SBOMs which allow the OSPO to consider the risks in software from vendors, legacy software, and proprietary software as well as in open source. This is more about a business assessment perspective rather than just data gathering, as risk can only be managed, not eliminated. Optimizing SBOMs is about balancing risks against benefits. +- **Risk Management:** OSPOs are well-placed to take a holistic view on the risk that the organization faces when using open source projects. It is useful for the OSPO to assess the risks by obtaining a comprehensive view of the organization's tech stack. This may include generating SBOMs which allow the OSPO to consider the risks in software from vendors, legacy software, and proprietary software as well as in open source. This is more about a business assessment perspective rather than just data gathering, as risk can only be managed, not eliminated. Optimizing SBOMs is about balancing risks against benefits. - **Sponsoring Open Source Communities and Foundations:** Your organization depends on open source. The projects in open source are only as healthy as their communities, and you can invest your time and money in supporting communities either directly or through Foundations. These relationships need to be understood and managed with care to achieve outcomes that will benefit the projects and your organization. Sometimes money is not the best fix for a problem, and fostering a closer partnership and providing development, marketing, or programmatic support is more useful. 
- **Measuring Technical Debt:** Providing knowledge on how to measure the technical debt on an open source project helps to determine the risks associated with the project and, when done in collaboration with the project community, is a form of educational advocacy to help projects improve and sustain themselves. -- **Coordinating with Various Parts of the Organization:** It can be helpful to check that you know all your stakeholders, and have the right amount of interaction with them. Take a look at the OSPO flower diagram (Chapter 3) for help mapping interactions. +- **Coordinating with Various Parts of the Organization:** It can be helpful to check that you know all your stakeholders, and have the right amount of interaction with them. Take a look at the [OSPO flower diagram in Chapter 3](../03-chapter/#the-ospo-flower-diagram) for help mapping interactions. - **Giving Advice on Open Source Consumption:** The OSPO considers both the strategic view on which open source projects to consume and on the best practice for using the selected projects. The OSPO should provide reference materials and guidance on how the company should select which open source projects it uses and how it manages them. Guidelines and policy can be purely technical or can include considerations based on open source project health and practices, like the [Secure Supply Chain Consumption Framework (S2C2F)](https://github.com/ossf/s2c2f/blob/main/specification/Secure_Supply_Chain_Consumption_Framework_(S2C2F).pdf). 
@@ -94,13 +93,13 @@ The contributors to this book have identified challenges in implementing the min ### Scenario #10 -Social Engineering Attack on Upstream xz/liblzma: A [social engineering attack targeted the xz/liblzma](https://research.swtch.com/xz-timeline), an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities. The challenge for Open Source Program Offices (OSPOs) lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats. +Social Engineering Attack on Upstream xz/liblzma: A [social engineering attack targeted the xz/liblzma](https://research.swtch.com/xz-timeline), an essential open source library. The attack was meticulously planned, gaining trust within the community before executing a malicious attack. This incident was discovered inadvertently by an unrelated project, underscoring the sophistication and stealthiness of such vulnerabilities. The challenge for OSPOs lies in identifying and mitigating these vulnerabilities, which are not always apparent until after they occur. Despite existing procedures and policies, OSPOs recognize the need for mechanisms to proactively measure and respond to such threats. > Recommendation > -> 1. SBOMs Compliance Ready: Ensure that all software components are documented through Software Bill of Materials (SBOMs). This documentation helps in quickly identifying potentially compromised components once a vulnerability is disclosed. +> 1. SBOMs Compliance Ready: Ensure that all software components are documented through automatically generated Software Bill of Materials (SBOMs). 
This documentation helps in quickly identifying potentially compromised components once a vulnerability is disclosed. > -> 2. Automation Security Checks: Implement automated security checks, such as the OpenSSF Security Scorecard, to continuously evaluate the security posture of projects. This proactive measure can highlight vulnerabilities or anomalies that merit further investigation. +> 2. Automation Security Checks: Implement automated security checks, such as the [OpenSSF Scorecard](https://scorecard.dev/), to continuously evaluate the security posture of projects. This proactive measure can highlight vulnerabilities or anomalies that merit further investigation. > > 3. Having a Computer Emergency Response Team (CERT) within the organization and having the OSPO collaborate closely with them. This specialized team should be equipped with the tools and authority to respond swiftly to security incidents. Pre-existing relationships within the team facilitate rapid internal communication about the severity of incidents. > @@ -114,7 +113,7 @@ Licence changes on an Open Source project. OSPOs face the challenge of navigatin > Recommendation > -> 1. Educational Initiatives on License Implications: Develop educational materials and sessions for developers and users within the organization to understand the nuances of different licenses. This understanding will help them make informed decisions when using or contributing to open-source projects. +> 1. Educational Initiatives on License Implications: Develop educational materials and sessions for developers and users within the organization to understand the nuances of different licenses. This understanding will help them make informed decisions when using or contributing to open source projects. > > 2. Explicit License Terms: Work with legal teams to ensure that license terms are as explicit and unambiguous as possible. Clear terms help in avoiding misunderstandings and potential legal conflicts. 
> diff --git a/ospo-book/content/en/_index.md b/ospo-book/content/en/_index.md index b2aaaa13..246b8f5d 100644 --- a/ospo-book/content/en/_index.md +++ b/ospo-book/content/en/_index.md @@ -5,7 +5,7 @@ status: Completed # Welcome to the
OSPO Book -The book serves as a source of knowledge for organizations developing strategies to use, contribute to, and/or create open source projects through professionals working in Open Source Program Offices (OSPOs). It aids in gaining a better understanding of the OSPO's role and provides resources [developed openly by a group of contributors](https://ospobook.todogroup.org/07-chapter/) with deep knowledge in open source strategy, community and management. This includes setting up policies, processes, and strategies on how to use, contribute to, and create open source projects critical to the organization's infrastructure, as well as overseeing day-to-day operations. +The book serves as a source of knowledge for organizations developing strategies to use, contribute to, and/or create open source projects with the help of professionals working in Open Source Program Offices (OSPOs). It aids in gaining a better understanding of the OSPO's role and provides resources [developed openly by a group of contributors](https://ospobook.todogroup.org/07-chapter/) with deep knowledge in open source strategy, community and management. This includes setting up policies, processes, and strategies on how to use, contribute to, and create open source projects critical to the organization's products or services, as well as overseeing day-to-day operations. * Why organizations may or may not need an OSPO. diff --git a/ospo-book/content/en/taxonomy.md b/ospo-book/content/en/taxonomy.md index 281a4655..80910107 100644 --- a/ospo-book/content/en/taxonomy.md +++ b/ospo-book/content/en/taxonomy.md 
@@ -25,31 +25,33 @@ reach their full potential. ### Segments Definition & Diagram * `📈 Business-Oriented`: OSPOs are usually established within for-profit organizations, such as enterprises, -that are primarily focused on creating business value through the use of open source software. + that are primarily focused on creating business value through the use of open source software. * **Drivers of Motivation:** Innovation / Risk Management / Legal Compliance Talent Retention * `🎓 Educational-Oriented`: OSPOs are usually established by educational institutions, such as universities -or schools, that are focused on using open source to support teaching, research, and learning -activities. + or schools, that are focused on using open source to support teaching, research, and learning + activities. * **Drivers of Motivation:** Curriculum development / Student Engagement / Open Data / Knowledge Sharing -* `👩‍🏫 Business-Educational`: OSPOs are usually for-profit organizations that provide training and certification and are likely to collaborate -with `educational-oriented` types. +* `👩‍🏫 Business-Educational`: OSPOs are usually for-profit organizations that provide training and certification and are + likely to collaborate with `educational-oriented` types. * **Drivers of Motivation: hybrid between `📈 Business-Oriented`and `🎓 Educational-Oriented` * `🏛 Social-Gov-Oriented`: OSPOs are usually established within a government or public administrators that are -focused on using open source to achieve social or public policy objectives (e.g serving -citizens). + focused on using open source to achieve social or public policy objectives (e.g serving + citizens). 
- * **Drivers of Motivation:** Interoperability / Open Data / Accessibility / Inclusion / Privacy / Security / Transparency + * **Drivers of Motivation:** Interoperability / Open Data / Accessibility / Inclusion / Privacy / Security / + Transparency -* `🌳 Social-NonGov-Oriented`: OSPOs are typically established within non-governmental organizations (NGOs) or foundations that are dedicated -to use open source to create positive social change. +* `🌳 Social-NonGov-Oriented`: OSPOs are typically established within non-governmental organizations (NGOs) or + foundations that are dedicated to use open source to create positive social change. - * **Drivers of Motivation:** Innovation / Interoperability / Social Justice / Disaster Relief / Humanitarian Aid / Environmental Protection / Sustainable Development + * **Drivers of Motivation:** Innovation / Interoperability / Social Justice / Disaster Relief / Humanitarian Aid / + Environmental Protection / Sustainable Development ![OSPOSegments](https://github.com/todogroup/ospology/assets/43671777/c589df58-dcba-4237-b95a-e8dd5228be81) From 659ecd4147cfde136e711eb804cd9d03fd29f62a Mon Sep 17 00:00:00 2001 From: Gergely Csatari Date: Mon, 16 Sep 2024 10:28:56 +0300 Subject: [PATCH 2/2] Update ospo-book/content/en/04-chapter.md Co-authored-by: Jan van den Berg Signed-off-by: Gergely Csatari --- ospo-book/content/en/04-chapter.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ospo-book/content/en/04-chapter.md b/ospo-book/content/en/04-chapter.md index 03a0defe..f2b74e6b 100644 --- a/ospo-book/content/en/04-chapter.md +++ b/ospo-book/content/en/04-chapter.md 
@@ -24,7 +24,7 @@ OSPO day-to-day operations encompass a broad spectrum of activities aimed at enh - **Automation Tools:** Creating process automation to support open source policies is important because policies alone may not always be effective. Managers know that their workers will not always follow policy and therefore want effective options to automate use, management and tracking of open source components. Automation is useful in many areas of open source including licence compliance, and security. -- **Documentation, Training, and Education:** An OSPO can play a leading role in ensuring that individuals are qualified to assess open source projects for use in the organization and contributte to critical open source projects for the organization. Developing training materials and documentation and/or aiding teams to produce these across different departments are key tasks. +- **Documentation, Training, and Education:** An OSPO can play a leading role in ensuring that individuals are qualified to assess open source projects for use in the organization and contribute to critical open source projects for the organization. Developing training materials and documentation and/or aiding teams to produce these across different departments are key tasks. - **Resource Allocation:** There can be a lot of areas that an OSPO can offer value to an organization. Therefore, prioritizing work and allocating resources strategically and tactically is an important activity that will improve the OSPO's impact.
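Review bot: In ospo-book/content/en/04-chapter.md, hunk @@ -94,13 +93,13 @@, recommendation 1 now reads "automatically generated Software Bill of Materials (SBOMs)", which says the SBOM is machine-produced but not when, and keeps the singular "Bill" against the plural "SBOMs". The next sentence depends on the SBOM matching what was actually shipped ("quickly identifying potentially compromised components once a vulnerability is disclosed"), so consider "Software Bills of Materials (SBOMs) generated automatically for every build or release". The label "SBOMs Compliance Ready" is left untouched, and item 3 has no label at all, unlike items 1 and 2; worth aligning while this list is being edited.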
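Review bot: In ospo-book/content/en/04-chapter.md, hunk @@ -114,7 +113,7 @@, the "open-source" to "open source" fix leaves the scenario mixing two spellings of the same word: the scenario intro shown in the hunk header says "Licence changes on an Open Source project", while the edited item says "License Implications" and "different licenses". The context of the 2/2 patch also has "licence compliance". Pick one spelling for the chapter and apply it in the same change that normalises "open source".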
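Review bot: In ospo-book/content/en/_index.md, replacing "critical to the organization's infrastructure" with "critical to the organization's products or services" narrows the sentence instead of widening it: open source that the organization runs internally but does not ship is no longer covered. Suggest "critical to the organization's infrastructure, products or services". The "with the help of professionals" rewording reads fine.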
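Review bot: In ospo-book/content/en/taxonomy.md, hunk @@ -25,31 +25,33 @@, the re-wrap touches every segment bullet but leaves the defects on the neighbouring lines in place. The Business-Educational line "* **Drivers of Motivation: hybrid between" never closes its bold marker and has no space before "and" in "`📈 Business-Oriented`and"; "Legal Compliance Talent Retention" is missing its " / " separator; "(e.g serving" lacks the period after "e.g". The re-wrapped Social-NonGov line keeps "dedicated to use open source", where "dedicated to using" is the grammatical form. Since these bullets are already in the diff, fix them here, and check in the rendered page that the new two-space continuation indent keeps the wrapped text inside each list item.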