The World of Open-Source Software (OSS) Governance and Compliance

For expertise on open-source software governance and compliance, you’d be hard-pressed to find a more experienced and accomplished professional than Russ Eling, founder and CEO of OSS Engineering Consultants (OSSEC). On May 14, Russ will be the featured speaker at the IBSMA webinar Industry Leads the Way in Open-Source Software Governance. To register for the webinar, click here.

Prior to starting OSSEC, Russ served as General Motors’ open-source compliance officer. In that capacity, Russ developed a successful OSS governance program that is now regarded as one of the most comprehensive in the industry. As part of it, he designed and implemented a process and a system for managing OSS use and compliance in every GM vehicle across the globe; the process is still in use today.

“The automotive industry has one of the most intricate and complex supply chains,” Russ says. “Despite these challenges, we were able to implement a simplified [open-source management] process and unified system to bring it all together. We developed a method that simplifies complexities and mitigates risk, and we look forward to helping other organizations that face similar challenges, regardless of their industry.”

Make Cool Stuff—and Do the Right Thing

Industry today likes to focus on powerful technologies that are enabling exciting new developments in machine learning, artificial intelligence, autonomous driving, Docker containers, and cloud computing, to name a few. “Most of them are built on top of open-source,” Russ says. Often, though, developing that wondrous new capability becomes the first order of business, with open-source compliance relegated to an afterthought.

“What about all the open-source that was used?” Russ asks. “Were you using open-source that is licensed for academic use only? That can’t be used in a commercial product or service.” Questions like these become very real—very fast—when trying to get a product or service to market successfully without running afoul of open-source compliance issues. 

Secret Sauce

One key to Russ’s success is his systems engineering approach. “Instead of iterative fixes that are following serial failures,” Russ says, “I take a holistic view of the system, including the relationship and interactions between all the components.” 

Many professionals with open-source compliance expertise are former software developers, or lawyers, or sometimes a combination of the two; as a systems engineer, Russ says, “I look at the relationship and interactions between all the components in the system. What are the inputs? What are the required outputs? And then, what are the interactions of everything in between? I put that together as one cohesive system and one centralized process that serves everybody.” 

What’s at Stake

At the May 14 webinar, Russ will share vivid details on the risks that come with using open-source—from security breaches to lawsuits, which themselves can lead to financial claims, injunctions against the distribution of products or services, or both. In addition, of course, “you want to be a good steward,” Russ says. “If you’re using free, open-source software, all they are asking you to do is to comply with the terms of the license, so you should at least do that.” 

Russ comes by his expertise honestly. Onto a solid professional base in automotive engineering, he layered years of experience in both software and systems engineering at GM. Russ holds a master’s degree in engineering and an M.B.A. in leadership and strategy; he is currently completing a doctorate in engineering.

The Power of Positive Culture 

One trusted way to increase the ongoing awareness and buy-in of every developer on staff is to build a culture of compliance. After all, the system that a company puts into place is only as effective as the people who do—or do not—follow that system. 

So, if the stakes are high—expensive lawsuits, security breaches, and unplanned rework to correct a compliance issue—why do some companies still not engage fully in open-source software compliance?

In a survey conducted by Flexera Software in 2018, 37 percent of developers said their companies had open-source policies, 43 percent said they did not, and 19 percent, roughly one in five software developers surveyed, said they did not know whether or not their company had a policy on open-source code use. That points to the importance of educating developers about company approaches to open-source.

“A lot of that is fostered by support from the top,” Russ says. “If you have leadership that’s supporting a culture of compliance, it makes the adoption of the open-source program go a lot more smoothly, and the compliance becomes easier.” 

At the end of the day, the goal of a good open-source compliance program is to enable the developers in the company to focus on what they do best—building good software—while also making it easy for developers to “do the right thing” with open-source, Russ says. “It works best when everyone’s doing the right thing together, but there are checks and balances in the system to catch when that doesn’t happen. Sometimes it’s an honest mistake.”

Trending

In 2018, for the first time ever, more than half of the content of the average code repository in industry consisted of open-source software—with less than half being proprietary, Russ says. For companies with a repository of software developed through the years in the course of preparing for various product releases, the repository becomes a valuable source of code when a new product is in development. 

“To say that open-source surpassed proprietary software in the average code repository was big news,” he adds. “That was such a huge marker, and it continues to grow.” In 2019, the proportion of open-source code was 60 percent of the average code repository, according to some industry sources.

To learn more from industry leader Russ Eling about the ins and outs of developing and maintaining a best-in-class open-source software compliance program, join us on May 14 for the IBSMA webinar Industry Leads the Way in Open-Source Software Governance. To register, click here or visit https://attendee.gotowebinar.com/register/2986873221316820495.
