Open Source: Pick Your Projects With Care

Open source really is taking over the enterprise, says Matthew Sarrel. But you still have to choose carefully which projects to do, and how to develop them

Getting involved more deeply

As use of particular open-source software components within an enterprise deepens, there’s a point where increasing project participation beyond bug reporting and forum interaction may become beneficial. For instance, the costs of supporting code extensions that don’t deliver a competitive advantage to one’s organisation can be minimised if shared among other users of the project.

However, extending participation in this way raises many issues, from collaborating effectively with a project’s developers to copyright assignment and other intellectual property concerns. It’s hard enough to manage internal development projects, let alone a diverse crowd of individual developers whom your organisation really can’t hold accountable.

Last year, Microsoft helped found the Outercurve Foundation (formerly the Codeplex Foundation) to help organisations navigate the ins and outs of working with a community. The company-agnostic organisation helps assign and track the intellectual property of pieces of code and connects members of the community through processes that facilitate the exchange of code. Outercurve.org currently hosts seven OSS projects, monitoring and managing contributions to each. According to Paula Hunter, Outercurve’s executive director, “this way enterprises know the code they download is free and properly licensed. They also know that they can contribute safely while shielding their own IP.”

Assigning a project to Outercurve distances the project from its creators while ensuring that it will remain free. Most projects are started to solve a problem, and most problems are likely to affect more than the project’s founder. For example, the CoApp project started as just an idea to bring package management to Windows platforms. The project launched, and within weeks dozens of developers were helping with planning. Now hundreds are actively contributing code or requirements.

Along similar lines, but more directly focused on licence compliance, the Linux Foundation recently launched the Open Compliance Program to help companies understand licence governance and software inventory management for OSS. The initiative includes tools, training and guidelines for tracking OSS licences, such as a self-assessment checklist. Another component of the programme is FOSSBazaar.org, a community for software and compliance professionals.

Most enterprises consume OSS through distributors’ professional support organisations such as Red Hat and Novell (which track licence compliance for them) and don’t redistribute code as part of a product. “Life isn’t that complicated because the goal is that consumption of OSS should be hassle-free,” said Jim Zemlin of the Linux Foundation.

However, companies intending to redistribute open-source components within embedded systems, mobile devices and network devices must manage their software supply chain tightly. As custom-built platforms become complex fabrics of OSS, knowing where each component came from and whether it can be used legally becomes more of a challenge.

We’ve reached the point where businesses supply the community and the community supplies businesses. It’s critical to understand where each component came from, what’s in it, whether it adheres to corporate development best practices, whether it is secure, and whether it does what it says it does. According to Tim Yeaton of Black Duck, “a mobile handset manufacturer may add up to 100 new components to the base Linux kernel. With development scattered all over the world it is important to automate license governance as part of the code management process.”