Tracking ideas for 2022 TODO guides
Creating this issue to track ideas for future TODO Group guides.
So not sure if these will count as guides, but hey, have at it, internets.
- "Good First Issue" and more focused project engagement for the enterprise/end user communities
  - With the significant increase in "end user" communities by organizations, there is a base recognition that FLOSS is important and they need to be involved
  - Many first issues are focused on the individual developer, but organizational motivations and barriers are likely different
  - Entering into contracts (DCO, CLA, etc.) can be a challenge
  - An organizational contribution policy may not exist, and the project can help direct key org decision makers to communities like TODO to establish one
  - Organizations may not use a FLOSS project directly, but through the lens of a commercial service or distribution, so the value of contribution may be blocked
  - Contribution opportunity may be unclear and undervalued within the organization, leading to a lack of incentive structure (and potentially significant risk)
  - I think we can learn a bunch from the DNI efforts in the ecosystem, and while the causes are significantly different, I see much of the same results (apathy, frustration, etc.)
  - Goal would be to provide handles for "what's next" after that corporate investment to support broader engagement by that organization
- Collaboration with SPDX/ACT on supply chain health practice standards
  - I act as an SME not only for our first party developers, but also for the products we source, which are a majority 3rd party open components, to attempt to assess the risk of copyright concerns or security exposure
  - I have framed this as a "USDA" for open source, where we can have objective practices that don't eliminate risk, but indicate safe practices that result in a form of accountable badging.
  - This ideally simplifies the supplier side attestation without requiring intrusive analysis, but also provides significant incentives to use projects appropriately, invest upstream in hygiene activities, and generally know what they are selling, since they will be accountable.
  - 1000%, there is a lot of risk for manipulation here on which measures get codified, but with repeated supply chain attacks I think it is making companies ignore the risk rather than acknowledge it and demand more from the suppliers. And we showed with CII that we could find some success in setting standards.
- Open Source Literacy
  - So the next wave of the FLOSS community may not be developers, but Procurement, ISOs, Human Resources, Talent and Acquisitions, etc.
  - The OSPO is often the SME here, but how can we democratize key concepts for all the participants in the software and hardware ecosystem?
  - My preference is to have a certification/credential along with it (Practitioner) that I can nudge my teams who deal with FLOSS regularly to maintain.
  - Coming from the financial services space, we have seen significant interest and value in investing in basic financial literacy, so the everyday investor can have a useful discussion with a CFP or other more focused associate.
Some folks from Europe are currently working on a short paper around open source strategy / an exec whitepaper (we do not yet have a good title for it), see here. Don't know if this counts as a TODO Guide. We even wanted to work on some other documents, but I first have to check the status. If this is still relevant, I will mention this here as well.
One that has been sticking in the back of my mind as well has been doing Attribution well.
I see a ton of variance, internally and externally, when it comes to Attribution for 3rd party works: what is in the artifact, how it is made available, etc. I believe there are general common practices like the http://www.apache.org/legal/src-headers.html#notice, which is a foundation principle and not a part of the license.
I would appreciate help building some consensus approaches to doing attribution well.
- How to make it available in web and binary works?
- What does it contain for the works? Include the version? Use SPDX as a framework?
- Inclusive of all transitive or only the directs?
- Ecosystem support for auto-generation for the tooling and platforms we are using (OCI may look a bit different compared to Maven)
Just wondering if we can reuse this issue to share TODO guides ideas for 2021? :smile:
One candidate would be our paper about outbound open source. Realistically, we can publish it in Q1/2022.
New guide idea coming from @jsmanrique: Participating in Open Source Conferences https://github.com/todogroup/ospology/discussions/35