Open Source Software Driving Digital Resilience, Sovereignty, and Sustainability

I had the pleasure of attending (and helping organize) the very first Digital Resilience Forum in Madrid, Spain this week, where industry leaders, policy makers, governments, and others discussed and collaborated on ways to make our digital infrastructure more sustainable and resilient. Daniel Izquierdo, CEO of Bitergia, kicked off the day by talking about how software runs everything and how we need to improve the resilience of that software. We always talk about the problems, but this event focused on sharing how we are learning and solving the problem of digital resiliency across politics, academia, and industry. Open source allows us to collaborate while increasing digital sovereignty, giving us more control over our software and infrastructure. Resilience and technological independence are possible if we collaborate and work together using open source software.

“Digital resilience is key for the success of our software-driven digital societies”

The first keynote was from Omar Mohsine, OSS Coordinator at the United Nations, titled “UN Development Goals: Making Digital Public Infrastructure more Resilient”, where he started by talking about the UN Sustainable Development Goals (SDGs). Open source offers us transparency, security, cost-efficiency, sustainability, innovation, and community, and we need technology experts from within our open source communities to help achieve the UN SDGs. The Global Digital Compact sets out a path toward advancing open, free, secure, and human-centered technology. The UN has 8 open source principles, including open by default and contributing back, that were designed for the UN but have since been endorsed by many other organizations. The UN doesn’t have the funding or resources to achieve all of this on its own, so the rest of us within open source communities need to help by working together. The UN Open Source Week is one way to bring all of us together. I attended this event last year, and I’m looking forward to the next one on June 22 – 26, 2026.

John Ellis, President and Head of Product at Codethink, gave the next keynote, “Why do you trust software? I don’t. (And Why That Matters for Digital Resilience)”, where he talked about how software can break the world, creating real failures across industries (e.g., the recent AWS outage, SolarWinds). Security theater gives the appearance of security without actually being secure. We have a trust gap: we built our digital world on speed and features rather than on trust and resilience. The Eclipse TSF (Trustable Software Framework) is designed as a structured path to trustable software, with reproducible builds, SPDX manifests, zero-trust build pipelines, and automated supply chain traceability, along with a FICO-style score for software trust that can be used to compare, identify, and underwrite the risks associated with software. This also makes the EU Cyber Resilience Act (CRA) tangible and helps organizations comply with it. He concluded by saying that we don’t need perfect software, we just need trusted software.
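As an added illustration (not code from the Codethink talk or from the Eclipse TSF project), here is what the reproducibility check at the core of such a pipeline looks like in practice: the release ships an SPDX manifest with per-file SHA-256 checksums, an independent rebuild from the same source is hashed, and any artifact whose digest differs is flagged rather than trusted. The manifest syntax used (FileName / FileChecksum: SHA256 tag-value pairs) is real SPDX 2.x syntax; the artifact bytes, file names, and status labels are constructed for this example.

```python
"""Reproducible-build check against an SPDX manifest.

Added illustration, not the Eclipse TSF's or Codethink's own tooling.
The artifact bytes and names are constructed; the manifest syntax is the
SPDX 2.x tag-value form (FileName / FileChecksum: SHA256: <hex>).
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_spdx_fragment(artifacts: dict) -> str:
    """Emit the per-file section of an SPDX 2.x tag-value document.

    artifacts maps a file name to its bytes, e.g. the output of the official
    release build. This is the part of the manifest a consumer later verifies
    against; a real document would also carry package and licence fields.
    """
    lines = ["SPDXVersion: SPDX-2.3", "DataLicense: CC0-1.0"]
    for name in sorted(artifacts):  # sorted so the manifest itself is reproducible
        lines.append(f"FileName: {name}")
        lines.append(f"FileChecksum: SHA256: {sha256_hex(artifacts[name])}")
    return "\n".join(lines) + "\n"


_FILE_RE = re.compile(r"^FileName:\s*(\S+)\s*$")
_SUM_RE = re.compile(r"^FileChecksum:\s*SHA256:\s*([0-9a-fA-F]{64})\s*$")


def parse_spdx_checksums(text: str) -> dict:
    """Return {file name: sha256 hex} from a tag-value document.

    Only SHA256 checksum lines are used; other algorithms and unrelated tags
    are ignored. A FileChecksum before any FileName is a malformed document
    and raises rather than being silently dropped.
    """
    checksums = {}
    current = None
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _SUM_RE.match(line)
        if m:
            if current is None:
                raise ValueError("FileChecksum without preceding FileName")
            checksums[current] = m.group(1).lower()
    return checksums


def check_reproducible(manifest: dict, rebuild: dict) -> dict:
    """Compare an independent rebuild against the manifest's checksums.

    Returns a per-file status: "ok", "mismatch" (same name, different bytes:
    the build is not reproducible or an artifact was tampered with),
    "missing-from-rebuild", or "not-in-manifest" (an artifact nobody
    attested to). Anything other than "ok" everywhere means the release
    should not be trusted on the strength of the manifest alone.
    """
    status = {}
    for name, expected in manifest.items():
        if name not in rebuild:
            status[name] = "missing-from-rebuild"
        elif sha256_hex(rebuild[name]) != expected:
            status[name] = "mismatch"
        else:
            status[name] = "ok"
    for name in rebuild:
        if name not in manifest:
            status[name] = "not-in-manifest"
    return status


def is_trustworthy(status: dict) -> bool:
    # An empty manifest attests to nothing, so it is not grounds for trust.
    return bool(status) and all(v == "ok" for v in status.values())


if __name__ == "__main__":
    # Constructed sample: the official build's outputs, and a rebuild in which
    # one binary embeds a timestamp, a classic source of non-reproducibility.
    official = {"./bin/app": b"\x7fELF app v1.4",
                "./bin/helper": b"#!/bin/sh\necho helper\n"}
    manifest = parse_spdx_checksums(write_spdx_fragment(official))
    rebuild = dict(official)
    rebuild["./bin/app"] = official["./bin/app"] + b" built 2025-11-05T10:00:00Z"
    for name, result in check_reproducible(manifest, rebuild).items():
        print(f"{name}: {result}")
```

The point of the rebuild step is that a checksum in a manifest only proves the manifest matches whatever the publisher built; it is the independent rebuild agreeing with it that turns the manifest into evidence about the source.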

Next up, we had Adriana Groh, CEO of the Sovereign Tech Agency (STA), talking about “The Engine Room for Digital Sovereignty”. The STA is focused on solutions to secure and strengthen the open source ecosystem. We have an invisible problem: it may be visible to those of us in the tech industry, but it isn’t to governments and policy makers. Software infrastructure is often overlooked until it breaks, and framing it as this invisible problem is how they convinced the German government to fund infrastructure maintenance as part of its digital sovereignty efforts. Digital infrastructure is fragile, yet open technologies are the foundation of the modern economy; until recently, however, there has been a lack of public investment. This led to the creation of the STA, which is one piece of the puzzle in making sure that OSS continues to be sustainable. So far they have made 87 investments, with over 32 million euros in work commissioned, and run a bug bounty program that has strengthened 32 critical technologies and found over 175 vulnerabilities. They also added a fellowship program, with 6 fellows in the 2025 pilot cohort who are key maintainers working on multiple open source projects. This isn’t charity: it provides a return on investment by preventing this infrastructure from crumbling while also increasing GDP. They are training a new muscle for the government, encouraging it to think of open source infrastructure as something that needs support as a public service in the public interest. Innovation and maintenance are two sides of the same coin, and you need to support both for long-term resilience and sovereignty.

Amanda Brock, CEO of OpenUK and Executive Producer of State of Open Con, gave our next keynote, titled “Digital Sovereignty and Other Fables”. OpenUK is focused on developing UK leadership and global collaboration in open technology. The open source community is the submarine under the UK’s digital economy: we do so much in open technologies as part of global collaboration that people don’t really notice. Amanda talked about her background in law and how she realized that the open source community was her tribe when she worked at Canonical. She melded her love of open source with her background in law when she edited Open Source Law, Policy and Practice (available as open access for free). For her, open source is about global collaboration that includes everyone. The UN principles that Omar talked about take the concept that anyone can use it for any purpose and build on it. A geopolitical shift has been happening, with Brexit being one part of it, and OpenUK was created in part because the UK was being excluded from EU efforts. Digital sovereignty refers to the ability to have control over your own destiny across the data, hardware, and software that you rely on. In the UK, sovereignty is discussed not as isolationist but as collaborative. We need to bring together the best innovation, intelligence, and collaboration to serve our own countries, but we can build this through global collaboration. You need open source as part of a sovereignty strategy, but these projects are built via global collaboration, not as isolated projects. She concluded by saying that open source is not local source; it’s a global collaboration.

The final keynote came from Tanu Sahnan, Head of Software Engineering at the BBC, talking about “The Digital History of the BBC”. England’s World Cup opener in November 2022 was the moment that tested the BBC, but resilience isn’t about surviving a crisis; it’s about learning and improving. Trust is one of the BBC’s values, and the BBC has a public service mission, so they build in-house using open source for digital sovereignty, with innovation, ethics, and inclusion, while scaling to millions of daily users with a global impact. The BBC takes a responsible, trusted, and human-centered approach to AI, focused on efficiency, new capabilities, and trust and responsibility rather than chasing AI trends.

We also had a number of very interesting panels and workshops, including the one that Ana Jiménez Santamaría and I led titled “Kick-starting your OSPO: a practical approach”. I’m only covering the keynotes in detail here because there was just too much amazing content to include all of it, but you’re in luck because pictures and videos from the day should be available soon on the Digital Resilience Forum website. 

Assessing the Viability of Open Source Projects

I’m thrilled to announce that we just launched the Practitioner Guide: Assessing Viability, which is the latest in the CHAOSS Practitioner Guide series! A huge thank you to Gary White Jr. who wrote quite a bit of this guide along with the viability metrics models that it’s based on.

The topic of viability and risk is one that’s near and dear to my heart, and is something that I’ve been talking and speaking about for the past 5 years going back to when I was at VMware where it was an important consideration for our Open Source Program Office.

Open source software is found in almost every codebase, but some open source projects are more viable than others over the long term. Many companies don’t have a rigorous process for selecting the most viable dependencies. Often product teams, or even individual software developers, select open source projects because they fill a particular technical need without any assessment of the viability of the project or the risks they might be taking by using it. Assessing the viability of open source projects, especially ones that have the potential to impact your business, is a good first step toward managing risk and reducing the chances of potential business disruptions.

Here’s a short quote from the guide:

“Most business decisions boil down to an assessment of risk and making tradeoffs. Organizations should be thinking strategically about project risks in light of how they are using the projects. If it’s a critical part of a technology stack, it should be as low of a risk as possible. On the other hand, if an open source project is used as a small part of some non-critical infrastructure, an organization can accept more risk. Assessing viability and thinking about it from the perspective of risk and which risks to accept is an important first step, but it’s also important to think about which risks can be mitigated to improve viability. The best way to mitigate many of these risks is by paying employees to contribute to the projects that are most important to your organization. This provides an opportunity to improve viability and sustainability, but it also provides insight into where the project is heading and how things are going, so that if something changes in the project to further increase risk, it might be easier to anticipate those changes.”

– The CHAOSS Practitioner Guide: Assessing Viability

This guide provides advice for assessing viability across four categories: compliance and security, governance, community, and strategy. Depending on your use case, you may find different opportunities to use this viability assessment framework, and how you use it will vary based on how much risk your organization is willing to accept. I hope you enjoy this guide and the others in the CHAOSS Practitioner Guide series! If you want feedback or help with your open source strategy, I’m available for consulting engagements.


The Turing Way Fireside Chat about Governance

I’ve been spending quite a bit of time recently thinking and writing about open source project governance, so I was thrilled to be invited to participate in the Turing Way fireside chat about governance along with Clare Dillon and Richard Littauer! The three of us have very different backgrounds and experiences, so we were able to cover a range of different perspectives on open source governance. 

We talked about some of the challenges, including how difficult it can be to make governance changes, since changes involve people with feelings and opinions that can be difficult to reconcile. We encouraged people to use existing resources, like templates and examples from other projects, rather than starting from scratch, and to reach out for advice from experts who have experience with governance, since governance is complex, with nuances and best practices that may not be obvious. We discussed the importance of having a clearly documented way to remove people from your open source project, even when you hope never to need it. These are just a few of the topics we covered, so I encourage you to watch the video to learn more.

This fireside chat was the 5th in a series about governance, so you might also enjoy watching the rest of the videos, which can be found in the playlist.

If you want feedback or help with governance or related OSPO topics, I’m available for consulting engagements.


More about Demonstrating Organizational Value

OSPOs and other open source teams often struggle to demonstrate the value of their work in a way that resonates with the people in leadership positions within their organization. This is why we created a CHAOSS Practitioner Guide all about Demonstrating Organizational Value, which I blogged about in July when the guide was launched. Since then, it’s something I’ve continued to spend quite a bit of time thinking about!

Bob Killen and I recently joined Harmony Elendu for an episode of CHAOSScast to share our thoughts about how organizations can more effectively demonstrate the value of their open source efforts. We talked about the guide and shared some of our own stories about what we’ve done at past companies to demonstrate the value of our teams’ open source work. It’s only 23 minutes long, so I hope you enjoy listening to our conversation!

I’ll also be at OSPOlogy Lyon on November 5 & 6 where I’ll be giving a 20 minute talk about Demonstrating the Value of Open Source Efforts, which is based partly on the content from the guide along with my own experience working within organizations to demonstrate open source value. It’s in person, but free to attend, so I hope to see some of you in Lyon!

[Event banner: OSPOlogy, hosted by LF Energy and Réseau de Transport d’Electricité (RTE), 5-6 November 2025, Lyon, France. Speaker: Dawn Foster, CHAOSS.]

If you want feedback or help with your open source strategy and how to demonstrate value for your organization, I’m available for consulting engagements.
