|
| 1 | +# Governance |
| 2 | + |
| 3 | +According to the Business Dictionary, governance is defined as: |
| 4 | + |
| 5 | +> _Establishment of policies, and continuous monitoring |
| 6 | +> of their proper implementation, by the members of the |
| 7 | +> governing body of an organization. It includes the |
| 8 | +> mechanisms required to balance the powers of the |
| 9 | +> members (with the associated accountability), and |
| 10 | +> their primary duty of enhancing the prosperity and |
| 11 | +> viability of the organization_ |
| 12 | +
|
| 13 | +In open source, governance is described in the "governance |
| 14 | +model" document, defined by OSSWatch[^1] as: |
| 15 | + |
| 16 | +> _A governance model describes the roles that project participants |
| 17 | +> can take on and the process for decision making within the project. |
| 18 | +> In addition, it describes the ground rules for participation in the |
| 19 | +> project and the processes for communicating and sharing within |
| 20 | +> the project team and community_ |
| 21 | +
|
| 22 | +Usually the governance model is a written document containing: |
| 23 | + |
| 24 | +- project goals |
| 25 | +- work, management and collaboration infrastructures definition |
| 26 | +- people roles and responsibilities definitions |
| 27 | +- community support mechanisms |
| 28 | +- decision making process policies description |
| 29 | +- contribution process policies description |
| 30 | +- monitoring policies and mechanisms description |
| 31 | + |
| 32 | + |
| 33 | +# Govenance Standards/Models |
| 34 | + |
| 35 | +There are some initiatives describing what good corporate open |
| 36 | +source governance means. The most mature one is the _Good Governance |
| 37 | +Initiative_ by the OSPO Alliance, which has already released the |
| 38 | +first version (v1) of its framework. |
| 39 | + |
| 40 | +Coming versions of this framework are expected to consider |
| 41 | +InnerSource as a corporate practice managed by the Open Source |
| 42 | +Program Office (OSPO). |
| 43 | + |
| 44 | +In the shared spirit of reusing materials, we'll avoid overlapping |
| 45 | +and focus here on a pure InnerSource case where no formal corporate |
| 46 | +management of open source exists yet. |
| 47 | + |
| 48 | +The GGI proposes 5 goals to structure 5 governance activities for |
| 49 | +each of them. |
| 50 | + |
| 51 | +All GGI goals for open source governance apply with minor tweaks to |
| 52 | +our pure InnerSource case: |
| 53 | + |
| 54 | +- Goal 1: Foster **usage** of InnerSource software |
| 55 | +- Goal 2: **Build trust** around InnerSource |
| 56 | +- Goal 3: **Spread** the (InnerSource) **culture** |
| 57 | +- Goal 4: **Engage** with the (InnerSource) **community** |
| 58 | +- Goal 5: **Make InnerSource Strategic** for the organization |
| 59 | + |
| 60 | +There will be differences in the context that will cause an |
| 61 | +adaptation. |
| 62 | + |
| 63 | +## Foster usage of InnerSource software |
| 64 | + |
| 65 | +InnerSource-developed software might suffer from the same kind of |
| 66 | +distrust open source has. Usage is the base: don't expect |
| 67 | +contributions without users. And the borders applying to |
| 68 | +InnerSource limit the audience, so this can become challenging for |
| 69 | +small or varied corporations. |
| 70 | + |
| 71 | +### Activities |
| 72 | + |
| 73 | +InnerSource will have a greater need for software inventories due |
| 74 | +to the findability problem. |
| 75 | + |
| 76 | +InnerSource practices are mostly the same as open source ones, |
| 77 | +so the skillset is basically the same, with some specifics: |
| 78 | +- In our focused case, familiarity with usual open source |
| 79 | + products is not needed. |
| 80 | +- InnerSource usually deploys to a single instance. Then, the |
| 81 | + needed scope for deployment training might be narrowed down. |
| 82 | +- Motivation: InnerSource is less sexy than open source, and the |
| 83 | + pool of possible contributors is smaller. Motivation is more |
| 84 | + challenging and needs more effort and skill. |
| 85 | + |
| 86 | +InnerSource-specific topics will need attention: |
| 87 | +- Transfer pricing doesn't apply to open source but use to be a |
| 88 | + barrier for corporations operating in different fiscal |
| 89 | + jurisdictions. |
| 90 | +- Heavily outsourced development scenarios might require focusing |
| 91 | + competency growth on product owners, if there are scant |
| 92 | + developers inhouse. |
| 93 | + |
| 94 | +InnerSource supervision ought to focus on different questions: |
| 95 | +a) Purpose: controlling the redundant developments and ensuring |
| 96 | + InnerSource software is proactively managed. |
| 97 | +b) Push/promote integrating InnerSource components and |
| 98 | + contributing upstream. |
| 99 | +c) Identify where InnerSource are de-facto or critical solutions |
| 100 | + and assess suitability (avoid InnerSource monoliths). |
| 101 | + |
| 102 | +There's usually no need to curate enterprise-grade InnerSource |
| 103 | +software or to manage open source software development skills and |
| 104 | +resources (GGI activities 1.4 and 1.5. |
| 105 | + |
| 106 | +In exchange, software and documentation findability are |
| 107 | +challenging because public search engines usually don't work |
| 108 | +inside corporate borders. |
| 109 | + |
| 110 | +## Build trust around InnerSource |
| 111 | + |
| 112 | +Building trust means dealing with fears, uncertainty, and doubts |
| 113 | +(FUD). The usual sources for FUD are: |
| 114 | + |
| 115 | + - **Legal context**, because most participants usually are |
| 116 | + unaware of the relevant details. |
| 117 | + - **Security**, mainly due to the not-invented here (MIH) |
| 118 | + syndrome. In fact having the source code available ought to |
| 119 | + help building trust by enabling auditability, and shifting |
| 120 | + some testing from back-box to white-box. |
| 121 | + - **Internal context**, specifically in organizations where the |
| 122 | + InnerSource initiative sponsorship is limited. |
| 123 | + |
| 124 | +### Activities |
| 125 | + |
| 126 | +InnerSource has its specific legal challenges: |
| 127 | + - InnerSource license. This might change in the future, but for |
| 128 | + the moment, in contrast to open source, there are no public |
| 129 | + InnerSource licenses for reference. |
| 130 | + - Transfer pricing, for corporations operating in several fiscal |
| 131 | + jurisdictions. |
| 132 | + - Export control. The same is needed for any kind of software |
| 133 | + licensing schema. But InnerSource has better options for control |
| 134 | + than open source since it's privative software and all of its |
| 135 | + development happens in-house. |
| 136 | + |
| 137 | +Managing vulnerabilities is slightly better under InnerSource, and |
| 138 | +way worse than in open source: There are dependencies on privative |
| 139 | +software and services (usually avoided in open source but quite usual |
| 140 | +in InnerSource). |
| 141 | + |
| 142 | +Dependency management needs to take care of both: |
| 143 | + - Internal InnerSource dependencies |
| 144 | + - Dependencies on privative software and services (usually |
| 145 | + avoided in open source but usual in InnerSource). |
| 146 | + |
| 147 | +The internal context is a source of concerns. The specific set of |
| 148 | +concerns depends very much on each organization and vary a lot, but |
| 149 | +the individual concerns are usually shared with other organizations. |
| 150 | +For that reason, the InnerSource Commons collects |
| 151 | +[patterns](https://github.com/InnerSourceCommons/InnerSourcePatterns), |
| 152 | +so solutions can be reused, either as they are or as inspiration for |
| 153 | +a local variant. |
| 154 | + |
| 155 | +Metrics tend to help provide trust. |
| 156 | + |
| 157 | +But the corporate motivation for embracing InnerSource might be |
| 158 | +different (silo breakage, etc) and independent of approaching |
| 159 | +open source. These local differences totally affect the metrics |
| 160 | +architecture. See the |
| 161 | +[metrics pattern](https://github.com/InnerSourceCommons/InnerSourcePatterns/blob/main/patterns/1-initial/introducing-metrics-in-innersource.md) |
| 162 | +published by InnerSource Commons. |
| 163 | + |
| 164 | +## Spread the (InnerSource) culture |
| 165 | + |
| 166 | +The InnerSource culture is the same as the open source one. |
| 167 | +It collects a set of best practices that can be roughly |
| 168 | +summarized as: |
| 169 | + - **contributing upstream** and |
| 170 | + - taking the **human** nature of participants into account. |
| 171 | + |
| 172 | +### Activities |
| 173 | + |
| 174 | +The activities for spreading the InnerSource culture are basically |
| 175 | +the same as with open source as well, so the GGI standard applies |
| 176 | +as-is, with the usual local adaptations. |
| 177 | + |
| 178 | +Usually, going InnerSource is an intermediate step for corporations |
| 179 | +with open-source unfriendly culture to approach open source. |
| 180 | +In such cases spreading the culture will pose a serious challenge |
| 181 | +but less than going full open source. |
| 182 | + |
| 183 | +Cases of organizations targeting pure InnerSource can be legit or |
| 184 | +not. |
| 185 | +Some organizations want to get the benefits of InnerSource |
| 186 | +by adopting cherry-picked open source procedures and lore, but |
| 187 | +without actually practicing InnerSource. Step away from such cases, |
| 188 | +as this most likely won't work! |
| 189 | +Legit pure InnerSource embraces its culture as a fundamental piece |
| 190 | +of the framework. |
| 191 | + |
| 192 | +## Foster engagement with the (InnerSource) community |
| 193 | + |
| 194 | +Under open source, a sense of belonging to any local community |
| 195 | +smoothly transitions into the global community. The feeling crosses |
| 196 | +formal boundaries the same way the software does. |
| 197 | + |
| 198 | +In InnerSource there's also a global community. (In fact, it is an |
| 199 | +open source one, but that's another tale to be told on other |
| 200 | +occasions). |
| 201 | + |
| 202 | +But in contrast to open source, while the global InnerSource |
| 203 | +community shares information and resources, they do **not** share |
| 204 | +**their InnerSource production***. The presence of boundaries for |
| 205 | +the InnerSource production becomes thus very present and remarks |
| 206 | +the separation between the local community and the global one. |
| 207 | + |
| 208 | +### Activities |
| 209 | + |
| 210 | +As part of the open source spirit in which InnerSource roots, |
| 211 | +organizations are encouraged to engage with special interest groups |
| 212 | +(SIG's) beyond their borders, and in particular with the global |
| 213 | +InnerSource community. |
| 214 | + |
| 215 | +Publicly asserting one's InnerSource practice and showcasing related |
| 216 | +experiences may make sense or not that much depending on the context |
| 217 | +of the corporation. Goals that benefit from such external engagement |
| 218 | +include: |
| 219 | + |
| 220 | + - Plans to go open source in the future, |
| 221 | + - InnerSource as hiring motivator |
| 222 | + |
| 223 | +Engagement with the internal community is a fundamental part of |
| 224 | +InnerSource. But as users of software of other teams, it is in |
| 225 | +self-interest to secure long term support or knowledge transfer |
| 226 | +from upstream. The |
| 227 | +[code-consumers pattern](https://github.com/InnerSourceCommons/InnerSourcePatterns/blob/main/patterns/1-initial/code-consumers.md) |
| 228 | +is related to this. |
| 229 | + |
| 230 | +Usually, there's scant or no need for internal InnerSource |
| 231 | +[purchase policies](https://ospo-alliance.org/ggi/activities/open_source_procurement_policy/) |
| 232 | +but if needed, it is a natural task for the InnerSource Program |
| 233 | +Office (ISPO). |
| 234 | + |
| 235 | +## Make InnerSource Strategic for the organization |
| 236 | + |
| 237 | +Most times, InnerSource is a corporate cultural transformation. Such |
| 238 | +changes need time to overcome previous inertia and even longer to |
| 239 | +stabilize and become mainstream. |
| 240 | + |
| 241 | +Some bottom-up InnerSource initiatives die or languish after an |
| 242 | +initial unsuccessful push or because other priorities drain the |
| 243 | +attention before the cultural shift stabilizes. |
| 244 | + |
| 245 | +Making InnerSource strategic for the organization is the way to |
| 246 | +ensure its provided value is perceived as such. |
| 247 | + |
| 248 | +### Activities |
| 249 | + |
| 250 | +Ensure you design your InnerSource initiative and its implementation |
| 251 | +to feature important long-term corporate goals like innovation, |
| 252 | +digital sovereignty, and digital transformation. Think of your |
| 253 | +organization and its context and find other goals InnerSource may |
| 254 | +contribute towards. Then communicate it and get as much air cover |
| 255 | +from your executives as you can. |
0 commit comments