Mirror of https://github.com/LCTT/TranslateProject.git, synced 2024-12-23 21:20:42 +08:00
parent bbe3cf01a1
commit a51dbccbff
@ -0,0 +1,112 @@
[#]: subject: "Why Companies Need to Set Up an Open Source Program Office"
[#]: via: "https://www.opensourceforu.com/2022/08/why-companies-need-to-set-up-an-open-source-program-office/"
[#]: author: "Sakshi Sharma https://www.opensourceforu.com/author/sakshi-sharma/"
[#]: collector: "lkxed"
[#]: translator: "ChatGPT"
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-16341-1.html"
为什么公司需要设立开源项目办公室
====
![][0]
> 要想软件产品能够成功,关键在于管理开源软件的使用并降低合规风险。开源项目办公室能帮助组织实现这一目标。让我们一起深入了解。
<ruby>开源软件<rt>Open source software</rt></ruby>(OSS)是构建现代软件解决方案的重要组成部分。无论是服务于内部或是面向客户的解决方案,如今的组织都在很大程度上依赖于开源软件。开源软件组件受其独立的授权条款约束,对这些条款的不合规操作往往会使组织面临安全和知识产权(IP)风险,这进而可能会损害公司的品牌价值。
当开发团队正忙于发布软件版本时,他们的主要目标是满足项目的截止日期。因此,他们在跟踪组件版本、库或者引入项目的第三方代码时,往往疏于应有的严格性。这意味着带有许可限制或漏洞的开源软件组件可能会进入代码库,然后交付给客户,这对客户和提供软件解决方案的公司都将带来风险。
开发人员为开源项目做出贡献的领域也日益具有挑战性。如果公司能够参与,他们可以获得多种益处,包括保持技能的最新性,挽留员工,吸引开发者为组织工作,以及提升公司形象。很多开源项目要求开发者签署贡献者许可协议,该协议声明由开发者创建的知识产权属于该项目,而非开发者本人。在这种情况下,组织需要确保那些不公开源代码的知识产权和商业机密不会被转让给开源项目。
我们需要教育开发者去了解开源许可的相关问题,确定何时、如何以及在何种程度上向社区提供支持,以及哪些软件包可能会给组织的声誉带来风险。通过制定一套战略性的政策和操作流程,我们可以规范这一切。实现上述目标的一种方式就是设立一个专门处理所有开源相关事务的部门——即 <ruby>开源项目办公室<rt>open source program office</rt></ruby>(OSPO)。
OSPO 为员工使用开源软件创建了一个生态环境,使合规风险得到良好的控制。OSPO 的角色不仅在于监督开源软件的使用,它还负责回馈社区,并通过积极参与各种活动以及组织网络研讨会和促销活动,来推动公司在市场上的增长。
在这篇文章里,我们将深入探讨为何公司需要设立一个 OSPO,以及它是如何在开源政策和管理程序中崭露头角的。
### 为何我们需要一个开源项目办公室(OSPO)?
由于开源软件正广泛地被运用,因此在产品开发周期中,为团队对其使用的监管和维持合规性策略往往会带来重大压力。
开发者往往会忽略许可证责任,有时甚至管理层或各利益相关方也并未完全意识到不遵守这些开源许可证的影响。不论是用于内部还是外部目的,OSPO 能处理从开始引入开源软件,直至交付给终端用户的过程中的所有环节。
通过在软件开发生命周期早期阶段开始进行合规性和规章制度的检查,OSPO 能构筑坚实的基础。这通常开始于引导和整合团队成员,共同迈向一个能惠及组织价值观的方向。OSPO 会设定关于开源使用的政策和流程,并在公司内部进行角色和职责的管理。
总结来说,OSPO 有助于整合所有参与产品构建的相关团队的努力,进而提升组织更好和更有效使用开源的能力。
#### 开源项目办公室(OSPO)的崛起
诸如微软、谷歌和 Netflix 等公司已经在自身组织内部设立了成熟的 OSPO。此外,像 Porsche 和 Spotify 这样的公司也在建立自己的 OSPO,以实现开源的高效利用。
以下是一些知名公司的领导者对 OSPO 实践的看法:
* “对于公司来说,这是一种文化的变迁,”Jeff McAffer 解释了他的观点,他曾经多年负责微软的 OSPO,并现在是 GitHub 的产品主管,致力于在企业界推动开源的发展。“很多公司并不习惯与外部团队合作。”
* “工程、业务、法律每一方的利益相关者都有他们各自的目标和角色,往往需要在速度、质量和风险之间做出权衡,” Spotify 的开源主管 Remy DeCausemaker 解释道。“ OSPO 的任务就是协调和连接这些单独的目标,融合成一个能够减少摩擦的全面策略。”
* Verizon Media 的 OSPO 领导 Gil Yahuda 表达了他的观点,“我们正在寻找创造一个人才愿意融入其中的工作环境。我们的工程师都知道,他们处在一个欢迎开源的环境中,他们在这里被鼓励与他们工作相关的开源社区合作。”
![图 1:2018-2021年各行业开源项目办公室的普及情况 (来源:https://github.com/todogroup/osposurvey/tree/master/2021)][1]
### 开源项目办公室(OSPO)的职能
OSPO 的职能可能会根据组织的员工数量、OSPO 团队的人数以及开源的运用目的不同而有所差异。组织可能只想利用开源软件来开发产品,也可能同时计划向社区做出贡献。
OSPO 的角色可能会包括评估哪些开源许可证是适宜的,以及是否应让全职员工参与开源项目等任务。为愿意贡献的开发人员制定贡献者许可协议(CLA),并确定哪些开源组件有助于产品的快速成长和质量提升也是 OSPO 的重要职责。
OSPO 的主要职能包括但不限于:
* 建立开源合规和治理政策来降低组织的知识产权风险
* 培育开发者做出更佳决策的能力
* 制定政策规范与公司全面采用开源的工作。
* 监控组织内外开源软件的使用情况
* 在每次软件版本发布后组织会议,讨论开源软件合规流程的优点及改进空间
* 加快软件开发生命周期(SDLC)
* 提高不同部门之间的透明度和协调性
* 通过简化流程在早期阶段降低风险
* 鼓励团队成员向上游贡献,以享受开源项目的协作和创新优势
* 提供包含合适补救措施和产品团队建议的报告
* 准备合规文档,确保满足许可证的义务
### 构建开源项目办公室(OSPO)的过程
OSPO 的组成通常包括公司内多个部门的人员。这个过程涉及了对相关部门进行开源合规基础和使用风险的培训与教育。OSPO 可能提供法律和技术支持,以确保达成开源的目标需求。
组织内的 OSPO 可能包括以下人员(这只是一个可能参与的人员名单,并不是详尽无遗的清单):
* 主任/首席:主任或首席通常是 OSPO 的主要负责人。他能全方位掌控使用开源的各个方面,包括使用不同组件的影响,许可证的含义,以及开发和社区贡献等。这些要求完全取决于公司的需求。
* 项目经理:项目经理为目标解决方案设置需求和目标。他/她将与产品和工程团队共同工作,以协调工作流程。这包括以开发者友好的方式确保策略和工具的实施。
* 法律支持:法律支持可能来自公司外部或者内部,但他们在 OSPO 中扮演着重要角色。法律团队将与项目经理密切合作,定义管理开源软件使用的策略,包括每个产品允许使用的开源许可证,如何(或是否)向现有的开源项目贡献等。
* 产品和工程团队/开发者:工程团队需要熟悉开源许可及其相关风险。团队在使用任何开源组件之前,必须得到 OSPO 的批准。团队可能需要定期接受关于开源合规基础以及其使用的培训。
* 首席技术官/信息官/利益相关者:公司的领导对 OSPO 策略有着巨大影响。利益相关者在任何产品解决方案的决策过程中拥有很大的决定权。因此,工程副总裁,首席技术官/信息官,或者首席合规/风险官员需要参与 OSPO 的工作。
* IT 团队:来自 IT 部门的支持十分重要。OSPO 可能被分配实施内部工具的任务,如提高开发者效率,监控开源合规,或者设置开源安全措施等。IT 团队在协助连接工作流程和确保以开发者友好的方式实施策略方面起着关键作用。
在 TODO 组织于 2021 年执行的 OSPO 调查中,得出了以下的关键发现:
* 教育企业理解 OSPO 如何为他们带来益处的机会仍然巨大。
* OSPO 对其赞助方的软件实践有显著的积极影响,但影响的具体效果并因组织规模的大小而异。
* 那些有意设立 OSPO 的公司,他们期望 OSPO 能提升创新,但策略设立及预算力度仍然是实现目标的主要挑战。
* 调查参与者中近半数尚未设立 OSPO 的人认为 OSPO 将有助于他们公司的发展,然而在那些认为 OSPO 无助于公司发展的人群中,有 35% 的人还未对此事有所考虑。
* 27% 的调查参与者表示,一家公司对开源参与的程度会深刻影响他们组织的购买决策。
如今,在构建任何软件解决方案时,对开源软件的依赖几乎是无法避免的。然而,开源许可证相关的潜在风险也不容忽视。因此,我们需要一套策略性的流程来有效解决使用开源组件带来的合规性问题。
通过建立一支集中的专业团队,OSPO 能帮助公司确立规范的开源文化,让员工了解并熟悉与组织内开源使用相关的所有事宜。此外,OSPO 还可以发挥引导作用,吸纳行业内的顶级人才,这无疑将对实现商业目标产生积极影响。
*(题图:MJ/9a3e106d-0710-4dd7-b278-ef1056c5c5ab)*
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/08/why-companies-need-to-set-up-an-open-source-program-office/
作者:[Sakshi Sharma][a]
选题:[lkxed][b]
译者:[ChatGPT](https://linux.cn/lctt/ChatGPT)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/sakshi-sharma/
[b]: https://github.com/lkxed
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/07/Figure-1-OSPO-prevalence-by-industry-2018-2021-2.jpg
[0]: https://img.linux.net.cn/data/attachment/album/202311/01/232800a8c8bk3b83rtbn6x.jpg
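Review bot: the translated survey finding 「OSPO 对其赞助方的软件实践有显著的积极影响,但影响的具体效果并因组织规模的大小而异。」 has a wording error and an over-translation: 「并因」 should read 「会因」, and 「显著的」 (significant) has no counterpart in the English "had a positive impact", so drop it. Two smaller style points in the same file: the Remy DeCausemaker quote opens with a stray space inside the quotation mark (「“ OSPO 的任务」), and in the 「OSPO 的主要职能」 list only 「制定政策规范与公司全面采用开源的工作。」 ends with a full stop while every other item has none, so remove it for consistency. The translation correctly keeps the three leader quotes as a single bulleted list rather than reproducing the duplicated block of the original, and correctly separates the author byline from the final sentence.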
@ -1,111 +0,0 @@
[#]: subject: "Why Companies Need to Set Up an Open Source Program Office"
[#]: via: "https://www.opensourceforu.com/2022/08/why-companies-need-to-set-up-an-open-source-program-office/"
[#]: author: "Sakshi Sharma https://www.opensourceforu.com/author/sakshi-sharma/"
[#]: collector: "lkxed"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Why Companies Need to Set Up an Open Source Program Office
======
*Managing the use of open source software and decreasing compliance risks is key to the success of any software product. An open source program office can help an organisation do just that. Find out how.*
Open source software (OSS) is integral to building a modern software solution. Be it an internal or a customer facing solution, organisations rely significantly on open source software today. OSS components are governed by their unique licence terms, and non-compliance with these can often expose organisations to security and intellectual property (IP) risks which eventually may hamper a company’s brand value.
When development teams are delivering a software release, they are primarily trying to meet project deadlines. Therefore, the tracking of versions of components and libraries, or the third party code pulled into the project, is not as rigorous as it should be. This means that licences and vulnerable OSS components can enter the code base and be delivered to customers. This can be risky for both the customer and the company delivering the software solution.
Another increasingly challenging area is that of developers contributing to open source projects. Companies can reap numerous benefits if they do so. This includes keeping skills current, retention of staff, attracting developers to work for the organisation, and improving the image of the company. Many open source projects require developers to sign a contributor licence agreement. This states that any IP created by the developer belongs to the project and not to the contributing developer. In this scenario, organisations need to be careful that IP and trade secrets that are not open source are not being signed over to open source projects.
Developers need to be educated about open source licensing issues, determining what to leverage, when or how much they can contribute to the community, and what packages might bring risk to the organisation’s reputation. All this can be streamlined by putting a strategic policy and operations in place. One way of doing this is by creating an entity that is dedicated to working around all things open source—an entity called the open source program office (OSPO).
An OSPO creates an ecosystem for employees to use open source software in a way that compliance risks are kept at bay. The role of an OSPO is not limited to supervising open source usage; it is also responsible for contributing back to the community and managing the company’s growth in the market by actively engaging in events, as well as conducting webinars and campaigns.
In this article we will see why there is a need for building an OSPO, and how it has emerged as a prominent entity for any open source policy and governance programme.
### Why should you have an OSPO?
With the wide use of open source software, regulating its usage and keeping the compliance strategy in check can be often overwhelming for the teams involved in the product development cycle.
Developers often overlook licence obligations, and sometimes the management or stakeholders are also not fully aware of the implications of non-compliance with these open source licences. OSPO handles open source software right from its on-boarding till the time it is delivered to the end user and everything inbetween, irrespective of whether it is being used for internal or external purposes.
An OSPO builds a solid foundation by starting compliance and regulatory checks in the early software development life cycle. This usually begins by guiding and aligning the involved team members towards a common path that benefits the organisation’s values. The OSPO puts in place policies and processes around open source usage and governs the roles and responsibilities across the company.
To conclude, it aligns the efforts of all relevant teams involved in building the product and helps increase the organisation’s capacity for better and effective use of open source.
| The rise of the OSPO |
| :- |
| Companies like Microsoft, Google and Netflix have well established OSPOs within their organisations. Many others, like Porsche and Spotify, are building their own OSPOs to leverage the usage of open source in an efficient way.
Here is what leaders from renowned companies have to say about OSPO practices.
“As a business, it’s a culture change,” explains Jeff McAffer, who ran Microsoft’s Open Source Program Office for years and now is a director of products at GitHub focused on promoting open source in enterprises. “Many companies, they’re not used to collaboration. They’re not used to engaging with teams outside of their company.”
“Engineering, business, and legal stakeholders each have their own goals and roles, oftentimes making trade-offs between speed, quality, and risk,” explains Remy DeCausemaker, head of open source at Spotify. “An OSPO works to balance and connect these individual goals into a holistic strategy that reduces friction.”
Gil Yahuda, Verizon Media’s OSPO leader, states, “We seek to create a working environment that talent wants to be part of. Our engineers know that they work in an open source friendly environment where they are supported and encouraged to work with the open source communities that are relevant to their work.” |
Here is what leaders from renowned companies have to say about OSPO practices.
* “As a business, it’s a culture change,” explains Jeff McAffer, who ran Microsoft’s Open Source Program Office for years and now is a director of products at GitHub focused on promoting open source in enterprises. “Many companies, they’re not used to collaboration. They’re not used to engaging with teams outside of their company.”
* “Engineering, business, and legal stakeholders each have their own goals and roles, oftentimes making trade-offs between speed, quality, and risk,” explains Remy DeCausemaker, head of open source at Spotify. “An OSPO works to balance and connect these individual goals into a holistic strategy that reduces friction.”
* Gil Yahuda, Verizon Media’s OSPO leader, states, “We seek to create a working environment that talent wants to be part of. Our engineers know that they work in an open source friendly environment where they are supported and encouraged to work with the open source communities that are relevant to their work.”
![Figure 1: OSPO prevalence by industry 2018-2021 (Source: https://github.com/todogroup/osposurvey/tree/master/2021)][1]
### The function of an OSPO
The function of an OSPO may vary from organisation to organisation depending on the number of its employees and the number of people that are part of the OSPO team. Another factor is the purpose of using open source. An organisation may only want to use open source software for building the product or may also look at contributing back to the community.
Evaluating factors such as which open source licences are appropriate or whether full-time employees should be contributing to an open source project may be part of the OSPO’s role. Putting a contributor licence agreement (CLA) in place for developers that are willing to contribute and determining what open source components will help in accelerating a product’s growth and quality are some other roles of an OSPO.
Some of the key functions of an OSPO involve:
* Putting an open source compliance and governance policy in place to mitigate intellectual property risks to the organisation
* Educating developers towards better decision-making
* Defining policies that lay out the requirements and rules for working with open source across the company
* Monitoring the usage of open source software inside as well as outside the organisation
* Conducting meetings after every software release to discuss what went well and what could be done better with the OSS compliance process
* Accelerating the software development life cycle (SDLC)
* Transparency and coordination amongst different departments
* Streamlining processes to help mitigate risks at an early stage
* Encouraging members to contribute upstream to gain the collaborative and innovative benefits of open source projects
* Producing a report with suitable remediation and recommendations for the product team
* Preparing compliance artifacts and ensuring licence obligations are fulfilled
### Building an OSPO
The OSPO is typically staffed with personnel from multiple departments within the company. The process involves training and educating the relevant departments regarding open source compliance basics and the risks involved in its usage. It may provide legal and technical support services so that the open source requirement goals are met.
An OSPO may be formed by the following people within the organisation (this is a non-exhaustive list of people who can be a part of it):
* Principal/Chief: This role can be taken by the flag bearer, the one who runs the OSPO. The chief knows the various aspects of using open source like the effect of using different components, licence implications, development and contributing to the community. These requirements are entirely dependent on an organisation’s needs.
* Program manager: The program manager sets the requirements and objectives for the target solution. He/she works alongside the product and engineering teams to connect workflows. This includes ensuring that policies and tools are implemented in a developer-friendly manner.
* Legal support: Legal support can come from outside the firm or in-house, but is an important part of an OSPO. The legal role works closely with the program manager to define policies that govern OSS use, including which open source licences are allowed for each product, how to (or whether to) contribute to existing open source projects, and so on.
* Product and engineering teams/developers: The engineering team should be well-versed with open source licence(s) and their associated risks. The team must seek approval from the OSPO before consuming any open source component. The team may have to be trained with respect to open source compliance basics and its usage at regular intervals
* CTOs/CIOs/stakeholders: A company’s leadership has a huge impact on the OSPO strategies. The stakeholders have a great say in the decision making process for any product/solution’s delivery. Due to the nature of the OSPO’s function within a company, the VP of engineering, CTO/CIO, or chief compliance/risk officer must get involved in the OSPO.
* IT teams: Having support from the IT department is very important. An OSPO may be tasked with implementing internal tools to improve developer efficiency, monitor open source compliance, or dictate open source security measures. IT teams are key in helping to connect workflows, and ensure policies are implemented in a developer-friendly manner.
In the 2021 State of OSPO Survey conducted by the TODO Group, the key findings were:
* There are many opportunities to educate companies about how OSPOs can benefit them.
OSPOs had a positive impact on their sponsor’s software practices, but their benefits differed depending on the size of an organisation.
* Companies that intended to start an OSPO hoped it would increase innovation, but setting a strategy and a budget remained top challenges to their goals.
* Almost half of the survey participants without an OSPO believed it would help their company, but of those that didn’t think it would help, 35 per cent said they haven’t even considered it.
* 27 per cent of survey participants said a company’s open source participation is very influential in their organisation’s buying decisions.
The use of open source software when building any software solution is almost inevitable today. However, the open source licence risks cannot be overseen. What is needed is a strategic streamlining process that helps combat the compliance issues that come in the way of using open source components effectively.
An OSPO helps set a regulatory culture by building a centralised dedicated team that educates employees and brings awareness regarding everything related to open source usage in an organisation. An OSPO can also work as a guide to fetch top talent from the industry, which will eventually be a boon for business goals.Sakshi Sharma
--------------------------------------------------------------------------------
via: https://www.opensourceforu.com/2022/08/why-companies-need-to-set-up-an-open-source-program-office/
作者:[Sakshi Sharma][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.opensourceforu.com/author/sakshi-sharma/
[b]: https://github.com/lkxed
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/07/Figure-1-OSPO-prevalence-by-industry-2018-2021-2.jpg
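Review bot: the English original removed here carried three defects that the translation dropped on purpose, so nothing is lost by this deletion: the three leader quotes appeared twice (once inside the `| The rise of the OSPO |` table box and again as a bulleted list), the second survey finding ("OSPOs had a positive impact on their sponsor's software practices ...") was missing its `* ` bullet marker, and the author byline was fused onto the closing sentence ("business goals.Sakshi Sharma"). Assuming this is the usual move of a finished article out of the sources directory once the translation is published, removing the file rather than correcting it in place is the right call.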