diff --git a/ospo-book/content/en/04-chapter.md b/ospo-book/content/en/04-chapter.md index a7c0a35e..8c297c3e 100644 --- a/ospo-book/content/en/04-chapter.md +++ b/ospo-book/content/en/04-chapter.md @@ -1,38 +1,15 @@ --- title: "A Deep Dive into Day-to-Day Operations" -status: To be Done +status: Completed weight: 60 --- -## WG Meetings Workflow -Brainstorming Session ✅ - -- Objective: Identify and list of OSPO responsibilities -- Process: Open floor for participants to contribute ideas/share experiences -- Outcome: Compiled list of responsibilities to be further explored - -Discussion on Scenarios Session ⏳ - -- Objective: Share and discuss common issues faced by open source professionals in managing day-to-day operations. -- Process: Participants share experiences and examples - -Formulating Recommendations Session ⏳ - -- Objective: Develop recommendations based on shared scenarios -- Reference Format: OSPO Book Chapter 3 Recommendations -- Process: Group discussion to align on recommendations -- Outcome: Drafted recommendations for common scenarios - ---- - -## Assignments for April 1st Call - -* Content team: Complete and improve the content added below based on your input and meeting notes -* Review Team: copyright work. Include new terms that appear in this chapter in the OSPO Glosarry for reference -* Infra team: frequently check for issues and PRs related to infrastructure bugs/feature requests - ---- +* [Introduction](#introduction) + * Defining day-to-day Operations +* [Assessing Daily Operations](#assessing-maturity-of-open-source-program-office) - `✅ Assessment` +* [Recommendations](#recommendations) - `💡 Recommendations` +* [Resources](#resources) - `📚 Continue Here` # Introduction 
@@ -43,8 +20,9 @@ Moreover, it highlights the diverse types of values and key assets (e.g. risk ma # Defining day-to-day Operations - -## Daily Operations List (WIP) +day-to-day operations encompass a broad spectrum of activities aimed at enhancing open source engagement and compliance within the organization, including providing personalized technical support on licensing and software selection, leveraging automation tools for process efficiency and security, +developing and disseminating educational materials, strategically allocating resources, managing risks through comprehensive assessments of the tech stack, sponsoring and engaging with open source communities and foundations, measuring technical debt in projects, and facilitating coordination +across various organizational divisions to align both technical and non-technical objectives. - **Personalized Technical Support:** Involves answering questions on all aspects of open source, including license compliance, selecting open source software, and interactions with vendors. It also includes engaging with the community and partners, securing sponsorships, and organizing open source events. 
@@ -64,32 +42,27 @@ including for security automation and reporting, such as the integration of scor - **Coordinate with Various Parts of the Organization:** Map interactions with teams based on the OSPO flower diagram, distinguishing between technical questions (engineering) and non-technical questions (business, design team). -## Assessing Daily Operations (WIP) - -| | Automation in License Compliance | Automation in Security | Measuring Performance | Strategy and its impact in day-to-day operations | -|-------------------------------------|----------------------------------|-----------------------|-----------------------|--------------------------------------------------| -| Fundamental reasons for OSPOs to focus on this task | Streamline license management to facilitate easier discovery of licenses and minimize the approval processes required from developers when using open source tools. | Enable tools and best practices for integrating security measures, such as scorecards, into daily operations | Inform strategic adjustments and operational enhancements | A unified strategy influences daily operations | -| Perceived Value | Automation in license compliance reduces manual oversight, accelerates development workflows, and ensures compliance with open source licenses without burdening developers with lengthy approval processes | Automation in security practices and vulnerabilities exploration in open source projects allows effective risk management. | Measuring performance facilitate transparent assessment of the OSPO's effectiveness | Guiding decisions on contributions to open source projects, engagement with community initiatives, and the balancing of organization and community benefits | -| Using Open Source (Scope) | Explore automation tools that assist developers in organizations in scanning and identifying open source licenses the can use, and speed up the compliance process. 
| Explore automation tools that assist developers to self-assess security risk on specific projects, without burdening them with lengthy approval processes | TBD (ping CHAOSS OSPO metrics WG to give input on this) | Enable decision makers understand the critical importance of supporting open source projects (and its community) and foundations, and the different ways to offer support | -| Contributing to Open Source (Scope) | Explore automation tools that assist developers in organizations in scanning and identifying open source licenses to projects they would like to contribute as employees, and speed up the compliance process. | Explore automation tools that assist developers to self-assess security risk on projects they would like to contribute as employees, without burdening them with lengthy approval processes | | frameworks that support strategic planning and execution | -| Tools | License checker for NPM ecosystem: [https://github.com/onebeyond/license-checker](https://github.com/onebeyond/license-checker) | OSFF Scorecard [https://github.com/marketplace/actions/openssf-scorecard-monitor](https://github.com/marketplace/actions/openssf-scorecard-monitor) | | | - - -| Personalized support / Q&A Sessions | Advocacy and Education | Community Integration | Business Assessment on Risk Management | -|-------------------------------------|------------------------|-----------------------|--------------------------------------| -| **Fundamental reasons for OSPOs to focus on this task** | Actively involve employees and managers in open source activity engagement. | Advocating for the importance of education in open source and creating resources to support it | Integrate organization's activities effectively with the open source projects and foundations (financial as well as resource support) as well as community dynamics. 
Map interactions with technical (engineering) versus non-technical teams (business, design team) | Assess risks that the organization is facing, including an overview of the tech stack | -| **Perceived Value** | Increase and improve open source knowledge and expertise across the organization's teams. | Ensure that people are qualified to judge a project (governance models, maturity, etc) and measure the technical debt on an open source project | Allocate effective financial and resource support to critical open source projects that organization's employees use/engages | Assistance in evaluating which open source projects to use and how to prioritize resources effectively | -| **Using Open Source (Scope)** | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors | Build training and documentation, and assist teams in creating these materials across different teams | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. | E.g.) business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial. (dealing with vendor-supplied software, legacy software, proprietary software) | -| **Contributing to Open Source (Scope)** | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors | Providing knowledge on how to measure the technical debt on an open source project, including maturity models and governance models, is a form of educational advocacy to help projects improve and sustain | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. | E.g.) business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial. 
(dealing with vendor-supplied software, legacy software, proprietary software) | -| **Tools / Services** | Internal developer portals / Issue tracker systems / Chatbots / webinars / AMA sessions / IRC | External open source training and certification courses, customized training courses adapted to the organization's goals | | | +## Assessing Daily Operations +This section presents a detailed overview of the operational considerations necessary for managing open source initiatives within organizations. This section is structured to cover several key areas: the core reasons for Open Source Program Offices (OSPOs) to prioritize specific tasks, the tangible benefits these tasks +provide to the organization, the scope of engagement with open source in terms of usage and contribution, and an inventory of tools and services that support these efforts. +| Category | Fundamental Reasons for OSPOs to Focus on This Task | Perceived Value | Using Open Source (Scope) | Contributing to Open Source (Scope) | Tools / Services | 
+|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Automation in License Compliance** | Streamline license management to facilitate easier discovery of licenses and minimize the approval processes required from developers when using open source tools. | Automation in license compliance reduces manual oversight, accelerates development workflows, and ensures compliance with open source licenses without burdening developers with lengthy approval processes. 
| Explore automation tools that assist developers in organizations in scanning and identifying open source licenses they can use, and speed up the compliance process. | Explore automation tools that assist developers in organizations in scanning and identifying open source licenses to projects they would like to contribute as employees, and speed up the compliance process. | License checker for NPM ecosystem: [https://github.com/onebeyond/license-checker](https://github.com/onebeyond/license-checker) | +| **Automation in Security** | Enable tools and best practices for integrating security measures, such as scorecards, into daily operations. | Automation in security practices and vulnerabilities exploration in open source projects allows effective risk management. | Explore automation tools that assist developers to self-assess security risk on specific projects, without burdening them with lengthy approval processes. | Explore automation tools that assist developers to self-assess security risk on projects they would like to contribute as employees, without burdening them with lengthy approval processes. | OSFF Scorecard [https://github.com/marketplace/actions/openssf-scorecard-monitor](https://github.com/marketplace/actions/openssf-scorecard-monitor) | +| **Measuring Performance** | Inform strategic adjustments and operational enhancements. | Measuring performance facilitates transparent assessment of the OSPO's effectiveness. | TBD (ping CHAOSS OSPO metrics WG to give input on this). | N/A | N/A | +| **Strategy and its Impact** | A unified strategy influences daily operations. | Guiding decisions on contributions to open source projects, engagement with community initiatives, and the balancing of organization and community benefits. | Enable decision makers understand the critical importance of supporting open source projects (and its community) and foundations, and the different ways to offer support. | Frameworks that support strategic planning and execution. 
| N/A | +| **Personalized Support / Q&A Sessions**| Actively involve employees and managers in open source activity engagement. | Increase and improve open source knowledge and expertise across the organization's teams. | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors. | Answering questions on everything about open source, including license compliance, selecting open source software, and dealing with vendors. | Internal developer portals / Issue tracker systems / Chatbots / webinars / AMA sessions / IRC | +| **Advocacy and Education** | Advocating for the importance of education in open source and creating resources to support it. | Ensure that people are qualified to judge a project (governance models, maturity, etc) and measure the technical debt on an open source project. | Build training and documentation, and assist teams in creating these materials across different teams. | Providing knowledge on how to measure the technical debt on an open source project, including maturity models and governance models, is a form of educational advocacy to help projects improve and sustain. | External open source training and certification courses, customized training courses adapted to the organization's goals. | +| **Community Integration** | Integrate organization's activities effectively with the open source projects and foundations (financial as well as resource support) as well as community dynamics. Map interactions with technical (engineering) versus non-technical teams (business, design team). | Allocate effective financial and resource support to critical open source projects that organization's employees use/engages. | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. | How to get sponsorship, run open source events, and integrate effectively with the open source community and its foundations. 
| N/A | +| **Business Assessment on Risk Management** | Assess risks that the organization is facing, including an overview of the tech stack. | Assistance in evaluating which open source projects to use and how to prioritize resources effectively. | E.g., business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial (dealing with vendor-supplied software, legacy software, proprietary software). | E.g., business assessment to determine whether optimizing SBOMs or focusing on other areas is more beneficial (dealing with vendor-supplied software, legacy software, proprietary software). | N/A | ## Recommendations (TBD) ### Scenario #11 -- Scope: +- Scope: - Recommendation:
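Review bot: the front-matter change from `status: To be Done` to `status: Completed` in the first hunk is premature while the chapter still carries `## Recommendations (TBD)`, an empty `### Scenario #11` with blank `- Scope:` / `- Recommendation:` lines, and a `TBD (ping CHAOSS OSPO metrics WG to give input on this).` cell in the assessment table; either fill those in within this PR or keep a non-final status until they are done. In the same hunk, the new table of contents entry `[Assessing Daily Operations](#assessing-maturity-of-open-source-program-office)` points at an anchor that no heading in this file produces (the heading is `## Assessing Daily Operations`, which renders as `#assessing-daily-operations`), and `Defining day-to-day Operations` is the only entry without a link; fix the anchor and link the entry, or drop the sub-entry for consistency.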
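Review bot: the paragraph added under `# Defining day-to-day Operations` in the second hunk begins with a lowercase `day-to-day operations encompass ...` and is a single sentence of roughly eighty words spread over three source lines; capitalise the first word and split it into two or three sentences (support and automation; education and resourcing; risk assessment, community engagement and cross-team coordination) so it reads as a definition rather than a list crammed into one sentence. Removing `## Daily Operations List (WIP)` in the same hunk also leaves the `- **Personalized Technical Support:** ...` bullets immediately after that paragraph with no lead-in; a short sentence such as `These activities fall into the following areas:` before the list would preserve the structure the deleted heading used to provide.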
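Review bot: the merged assessment table in the third hunk is likely to render as plain text in common Markdown renderers because there is no blank line between `## Assessing Daily Operations` and the paragraph that follows it, nor between that paragraph and the `| Category | ...` header row; add blank lines around both. Within the rows: `OSFF Scorecard` should read `OpenSSF Scorecard`, matching the linked `openssf-scorecard-monitor` action; `Enable decision makers understand` is missing `to`; `that organization's employees use/engages` should be `use or engage with`; and `TBD (ping CHAOSS OSPO metrics WG to give input on this).` is a working note that should not ship in a chapter marked completed. From a security-review angle, the `Automation in Security` row promises `vulnerabilities exploration` under Perceived Value but lists only the Scorecard monitor under Tools / Services; state in that cell what the action actually reports so readers can tell whether it covers dependency vulnerability scanning or only Scorecard's project-practice checks, and add a second tool if the former is intended.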