Tag Archives: open source

General

Digital Sovereignty Runs on Open Source

The tagline for Open Forum Europe’s (OFE) EU Open Source Policy Summit on January 30th in Brussels was “Digital Sovereignty Runs on Open Source,” which is in sharp contrast to last year’s tagline, “What can open source do for Europe?” At the 2025 summit, the conversations were about convincing those working in the public sector that open source was a good idea. Given the changes in the political landscape over the past year, many of those public sector folks seem to have shifted toward talking about what it will take to use open source as a key component in the EU’s digital sovereignty strategy. While we still have a lot of work to do, it feels like the conversations are moving in the right direction from why to use open source to how open source can increase digital sovereignty.

In my post last week about Funding Open Source Sustainability at CHAOSScon and FOSDEM, I talked about how open source sustainability was top of mind for me during these events considering the increase in maintainer burnout due to a lack of resources for open source projects. What struck me about the OFE event was how many people were talking about how we need to provide more resources for open source projects if the EU wants to rely on them to facilitate digital sovereignty.

In Dirk Schrödter’s keynote, he talked about how the EU doesn’t want to be locked into big US tech firms that deliver technology as black box, proprietary solutions. He mentioned that open source provides shared knowledge and skill development that leads to open innovation and lower barriers to entry, which is a key to economic prosperity. Dirk went on to say that sustaining open source software requires shifting spending to prioritize open source solutions, and public money should be spent on open source solutions. These ideas were common threads throughout the day that came up again and again in other panels and talks.

Here are a few other key points summarized from throughout the day:

  • I heard several people say that we should “never waste a good crisis,” and the current political landscape is an opportunity to re-evaluate how the EU uses technology, but speeches aren’t enough. Many public procurement policies make it difficult to use open source, and that needs to change. Procurement policies need to focus on open source to facilitate standardization and interoperability.
  • Digital sovereignty is about choice and the need to be able to switch between solutions to avoid lock in and create a transparent ecosystem to build solutions on top of open source. The EU should define concrete steps to replace proprietary solutions and transition to open source and use this as a window of opportunity to leverage what already exists, rather than reinventing. 
  • Open source is worldwide, so there is a need to fund the maintainers and people who are contributing the code wherever they are located. Open source has always been global and there is a hope that we can continue to collaborate together, rather than being isolationist. 
  • We need to all work together to strengthen and scale open source to improve sustainability, but financing and sustainability is a big challenge, and it requires investing in open source maintenance. Maintenance keeps innovation alive; it’s like plumbing, roadworks, and other infrastructure that needs to be steadily supported over time. There isn’t enough money in public budgets to make a big enough difference, so there is also a need for industry support. 
  • There is a need for action now beyond the people attending the summit. The message of using open source to facilitate digital sovereignty needs to go well beyond the tech crowd to local officials across the EU public sector.
  • OSPOs can help put digital sovereignty and open source in context and facilitate collaboration and discussions between internal stakeholders, but also between industry and the public sector. OSPOs can help organizations take a more strategic approach by contributing to and funding open source, encouraging employees to take on leadership / maintainer positions, and increasing advocacy for open source solutions.
  • There were also two announcements at the summit. First, the Open Knowledge Foundation, Open Source Initiative, and OpenForum Europe came together to launch Open Technology Research to create a sustainable global platform for research, knowledge exchange, and policy engagement around open technologies. Second, the UN published the report from the 2025 UN Open Source Week and announced that the 2026 UN Open Source Week will be held in New York from June 22 – 26.

As someone who has been working in open source for a very long time, I’ll admit to being a bit bored at last year’s event with so many discussions about why we should use open source, since I’ve been having those discussions for 25+ years. This is why I was so pleasantly surprised to see how far the conversations have evolved in just one year. The shift toward talking about what needs to happen to make using and relying on open source in the public sector along with conversations about sustainability felt like progress. There is still a very long way to go. So many open source projects are struggling with finding people, funding, and other resources to sustain themselves over time, so we need to continue to move from conversations to action so that the open source projects we all rely on will continue to thrive as even more people rely on them to facilitate digital sovereignty.

Related Resources:

If you want help with your open source strategy, I’m available for consulting engagements.

Photo from the EU Open Source Policy Summit’s photo gallery.

General

A Strategic Approach for OSPOs 

I think we’ve all been on teams where everyone is working, but no one is thinking about whether it’s the “right” work. It can be too easy to go on autopilot and keep doing the same things without thinking about whether / how those activities fit within the goals of the overall organization. I’ve built my career around taking a strategic approach to the work that my team is doing by making sure that our efforts support the overall strategies of the organization. Most recently, I did this as Director of Open Source Community Strategy at VMware and before that as Pivotal’s Open Source Strategy Lead. I’ve given loads of conference talks and written many blog posts with this strategic approach as the underlying theme. Last week, I read a LinkedIn post and blog post from David Hirsch that got me thinking more about this, and those ideas just kept rolling around in my head until I decided that I should blog about how OSPOs (Open Source Program Offices) can take a more strategic approach. 

One piece of David’s post talked about how OSPOs can play a critical role in digital sovereignty for European companies by helping them make better technology choices at a strategic level. I believe that this is absolutely critical for European companies, but thinking strategically is also important for all OSPOs, which is the focus of this post.

Being proactive and thinking strategically about how you are helping your organization meet their goals and objectives is something that can help your OSPO stand out as an important part of the business. This is especially true for new OSPOs, since it can help you justify continuing and growing your open source efforts, but it’s also something that established OSPOs should revisit regularly to make sure that you are still doing work that is valued within your organization. OSPOs often struggle to demonstrate the value of their work in a way that resonates with the people in leadership positions within their organization. Creating and regularly updating an open source strategy can help OSPOs frame their discussions with leadership to demonstrate the value of their open source efforts in ways that resonate with leadership and show how the open source works fits into the strategy of the organization as a whole. Once you have an OSPO strategy that aligns with the strategy of your organization, then you can figure out what you need to measure to show whether you are achieving your goals.

Another area that can benefit from an OSPO’s more strategic approach is in assessing risks and viability of the open source projects that your organization is consuming. Many organizations don’t have a rigorous or strategic process for selecting the most viable dependencies. Often product teams, or even individual software developers, select open source projects because they fill a particular technical need without any assessment of the viability of the project or the risks they might be taking by using it. Is the project controlled by a single company or a foundation? Who contributes to the project? Is the project at the risk of a rug pull or similar disruptions? Assessing the viability of open source projects, especially ones that have the potential to impact your business, is a good first step toward managing risk and reducing the chances of potential business disruptions. But it’s also important to look beyond just assessing the viability of individual projects and to look at viability and risk with a more holistic approach that includes assessing the risks associated with cloud infrastructure, data storage and access, use of AI models, vendor lock-in, and more.

Another critical piece of an OSPO’s strategy is around contribution to open source projects. By having employees actively participating and contributing to the projects that are most strategic for your organization, they can influence project direction, fix bugs, add features, otherwise improve the health and sustainability of the critical projects for your organization. I also like to think of contribution as a way to anticipate and mitigate risks as part of thinking about viability. When assessing viability, you can include whether contributing to a project might help improve viability. Organizations have the power and resources to make real improvements within open source projects, and corporate involvement and contribution can positively impact the sustainability of our projects.

I only scratched the surface of a few topics here. It isn’t possible to cover every part of an OSPO’s strategy in one blog post, so there are certainly other areas, like business impacts, licensing and compliance, governance, policies, and more. What’s important is to think about what your organization is trying to achieve and how your OSPO can play a strategic role in helping your organization be successful. If you want feedback or help with your open source strategy, I’m available for consulting engagements.

Additional Resources:

Photo by Karolina Kołodziejczak on Unsplash

General

Sustainable Open Source Leadership

Sustainable leadership for open source projects is something that we all know is important, but it’s also one of those topics that can be neglected for far too long within a project. We’ve all seen projects where the same people sit in the same leadership positions year after year without providing opportunities for other contributors to move up within the project. Contributors can become disillusioned and disengage if they don’t feel like there are enough opportunities within a project, and since there are so many open source projects that need help, those contributors might just move on from your project to another one where they have more opportunities to participate and lead in a more meaningful way.

Sustainable open source projects and sustainable leadership is something that I’m deeply passionate about. I’ve had discussions about sustainability with more projects than I can count as part of my past role as co-chair of the CNCF Contributor Strategy Technical Advisory Group (TAG) and the Governance Working Group that was part of the TAG, and as part of my previous corporate open source roles when I worked at companies like VMware, Pivotal, and Intel. 

A few months ago, I published a 5-part blog post series about governance, and while all of the posts touch on sustainable leadership, Part 3: New Contributors and Pathways to Leadership is particularly relevant. But I’ve been thinking more about sustainable leadership lately, in part, because we recently recorded a CHAOSScast episode on diverse leadership to go along with the CHAOSS Practitioner Guide: Getting Started with Building Diverse Leadership, but also because we’ve been having discussions within the CHAOSS Governing Board about making the process for joining the board more inclusive. 

The CHAOSS Inclusive Leadership metric has several best practices that leadership bodies can reflect on as they work toward becoming more inclusive. This includes whether there are terms for leaders and regular opportunities for community members to get involved and have a voice in the project. 

Those of us who are established in our careers and in open source projects can use our influence and reputation in a project to help others gain visibility and opportunities that eventually result in other people moving into leadership positions. We call this sponsorship, which is more than just mentoring, and can include things like inviting someone to co-present or join a panel at an event, providing opportunities to collaborate together on some aspect of a project, or other activities that give people new opportunities to learn and lead. For me, it was Danese Cooper who encouraged me to blog and gave me opportunities for some of my first conference talks as part of panels and lightning talks that she was organizing. This gave my career in open source a huge boost back in the mid-2000s and helped me move from doing mostly internal corporate open source strategy roles into more publicly facing open source community roles that provided even more opportunities for me to lead.

As we move into the new year, I’d like to take this time to encourage everyone in a leadership position in an open source project to reflect on your governance processes and whether those processes provide ample opportunities for up and coming contributors to move into leadership roles. You could also be thinking about ways that you can personally provide more opportunities (aka sponsorship) for someone newer in their career or new to open source who is showing promise, but who could use your support to move to the next level.

Additional Resources:

If you want feedback or help with sustainable leadership, governance, or related open source topics, I’m available for consulting engagements.

Photo by Markus Winkler on Unsplash

General

Good Governance for Open Source Projects

We all want our open source projects to be sustainable, healthy, and successful, and having good governance influences project success more than many people realize. I’ve had governance discussions with so many open source projects over the years. When I was co-chair of the CNCF Contributor Strategy Technical Advisory Group (TAG) we did governance  reviews and provided feedback for CNCF projects, and when I worked at VMware, Intel, and other companies, this was a regular topic that I discussed with employees who were leading and contributing to open source projects.

Last summer, I did a series of five blog posts on the topic of governance, so I think it’s time to revisit those posts. Here is a quick summary of each topic with a link to the post where you can learn more.

Governance Part 1: Why is it important?

Ultimately the focus of open source project governance is on the people. The roles we play, our responsibilities, how we make decisions, and what we should expect from each other as part of participating in the community. It also helps create pathways to leadership where other people can better understand the process for moving into leadership roles along with an intentional process for how the project promotes people into leadership. Being proactive about governance and related topics before something escalates into a crisis can make your projects more sustainable and reliable. 

Governance Part 2: Defining Governance

In general, you should start with the simplest possible governance model and only move to something more elaborate when your project evolves to the point where the complexity is needed because otherwise you create more overhead and extra work when that time would be better spent on project development, rather than governance processes. If you don’t already have your governance and decision-making processes documented, the best place to start is by documenting and formalizing what you are already doing when you make decisions for your project. The maintainer council governance model is a simple one that many projects can use as a starting point. 

Governance Part 3: New Contributors and Pathways to Leadership

Defining the roles and responsibilities for contributors, reviewers, and maintainers can help with recruiting new people into these roles. You can think of this as a ladder because contributors climb up to become reviewers and those reviewers can become maintainers. This helps set expectations for the roles and encourages people to think about how they might take on increasing responsibility within the project. As you get more of the people moving into maintainer roles, you can reduce the workload for the existing maintainers.

Governance Part 4: Creating Intentional Culture

Defining your governance / decision-making processes along with pathways to leadership are key to creating an intentional culture for your project that encourages participation and contributions from others. However, just documenting your governance process and setting expectations in writing isn’t enough. You should also be role modeling good behavior and helping others understand what behavior is appropriate within your project. It’s important to remember that tolerating bad behavior unwittingly sets the expectation that this behavior is acceptable in your project, which can drive new contributors away. Robust governance documentation that incorporates your code of conduct, charter (or similar statement of mission, scope, and values), and includes clear processes for dealing with conflict can help make your project more sustainable over time.

Governance Part 5: Overall Ownership of a Project

While there are a few exceptions, open source projects usually have an individual, company, or foundation controlling the trademarks, project infrastructure, and other assets. This overall ownership structure often impacts how the project is governed on a day to day basis and how the project is perceived by others. Neutral foundations provide a level playing field where contributors can contribute as equals regardless of whether they are contributing on behalf of a company or as an individual. This structure allows companies to collaborate together in a neutral environment where no single company is in control of the project.

I hope you enjoyed this short summary, and if you want feedback or help with governance or related OSPO topics, I’m available for consulting engagements.

Additional Resources:

General

Open Source Software Driving Digital Resilience, Sovereignty, and Sustainability

I had the pleasure of attending (and helping organize) the very first Digital Resilience Forum in Madrid, Spain this week where industry leaders, policy makers, governments, and others discussed and collaborated on ways to make our digital infrastructure more sustainable and resilient. Daniel Izquierdo, CEO, Bitergia kicked off the day by talking about how software runs everything and we need to improve the resilience of that software. We always talk about the problems, but this event is focused on sharing how we’re learning and solving the problem of digital resiliency across politics, academia, and industry. Open source allows us to collaborate while increasing digital sovereignty to have more control over our software and infrastructure. Resilience and technological independence is possible if we collaborate and work together using open source software.

“Digital resilience is key for the success of our software-driven digital societies”

The first keynote was from Omar Mohsine, OSS Coordinator, United Nations titled “UN Development Goals: Making Digital Public Infrastructure more Resilient” where he started by talking about the UN Sustainable Development Goals (SDGs). Open source offers us transparency, security, cost-efficiency, sustainability, innovation, and community, and we need technology experts from within our open source communities to help us achieve the UN SDGs. The Global Digital Compact sets out a path toward advancing an open, free, secure, and human centered technology. The UN has 8 open source principles, including open by default, contributing back, and more that were designed for the UN, but now many others have also endorsed them. The UN doesn’t have the funding or resources to achieve all of this on their own, so the rest of us within open source communities need to help by working together. The UN Open Source week is one way to bring all of us together. I attended this event last year, and I’m looking forward to the next one on June 22 – 26, 2026. 

John Ellis, President and Head of Product, Codethink had the next keynote, “Why do you trust software? I don’t. (And Why That Matters for Digital Resilience)” where he talked about how software can break the world creating real failures across industries (e.g., recent AWS outage, SolarWinds). Security theater gives us an appearance of security without it actually being secure. We have a trust gap – we built our digital world on speed and features, rather than trust and resilience. The Eclipse TSF (Trustable Software Framework) is designed as a structured path to trustable software with reproducibility, SPDX manifests, zero-trust build pipelines, and automated supply chain traceability along with a FICO-style score for software trust to compare, identify, and underwrite the risks associated with software. This crosses over to make the CRA tangible and help people comply with the CRA. He concluded by saying that we don’t need perfect software, we just need trusted software.

Next up, we had Adriana Groh, CEO, Sovereign Tech Agency (STA) talking about “The Engine Room for Digital Sovereignty”. The STA is focused on solutions to secure and strengthen the open source ecosystem. We have an invisible problem – it may be visible to those of us in the tech industry, but it isn’t to governments and policy makers. Software infrastructure is often overlooked until it breaks, and this invisible problem is how they convinced the German government to fund infrastructure maintenance as part of their digital sovereignty efforts. Digital infrastructure is fragile, but open technologies are the foundation of the modern economy. However, until recently there has been a lack of public investment. This led to the creation of the STA, which is one piece of the puzzle to make sure that OSS continues to be sustainable. They have made 87 investments and over 32 million euros in work commissioned along with a bug bounty program with 32 critical technologies strengthened and over 175 vulnerabilities found. They added a fellowship program with 6 fellows in the 2025 pilot cohort of key maintainers working on multiple open source projects. This isn’t charity – it provides a return on investment to prevent this infrastructure from crumbling while also increasing GDP. They are training a new muscle for the government to encourage them to think of open source infrastructure as something that needs support as a public service in the public interest. Innovation and maintenance are 2 sides of the same coin and you need to support both for long term resilience and sovereignty. 

Amanda Brock, CEO, OpenUK and Executive Producer State of Open Con was our next keynote with a talk titled “Digital Sovereignty and Other Fables”. OpenUK is focused on developing UK leadership and global collaboration in open technology. The open source community is the submarine under the UK’s digital economy because we do so much in open technologies as part of global collaboration that people don’t really notice. Amanda talked about her background in law and how she realized that the open source community was her tribe when she worked at Canonical. She melded her love of open source with her background in law when she edited Open Source Law, Policy and Practice (available as open access for free). For her, open source is about global collaboration that includes everyone. The UN principles that Omar talked about take the concept that anyone can use it for any purpose and builds on it. A geopolitical shift has been happening with Brexit being one part of it, and OpenUK was created in part because the UK was being excluded from EU efforts. Digital sovereignty refers to the ability to have control over your own destiny across the data, hardware, and software that you rely on. In the UK, sovereignty is discussed as not being isolationist, but as being collaborative. We need to bring together the best innovation, intelligence, and collaboration to serve our own countries, but we can build this through global collaboration. You need open source as part of a sovereignty strategy, but these projects are built via global collaboration, not as isolated projects. She concluded by saying that open source is not local source, it’s a global collaboration. 

The final keynote came from Tanu Sahnan, Head of Software Engineering, BBC talking about “The Digital History of the BBC”. England’s world cup opener in Nov 2022 was the moment that tested the BBC, but resilience isn’t about surviving a crisis, it’s about learning and improving. The BBC values include trust, and the BBC has a public service mission, so they build in-house using open source for digital sovereignty with innovation, ethics, and inclusion while scaling to millions of daily users with a global impact. The BBC uses a responsible, trusted and human-centered approach to AI with efficiency, new capabilities, and trust / responsibility, not about chasing AI trends. 

We also had a number of very interesting panels and workshops, including the one that Ana Jiménez Santamaría and I led titled “Kick-starting your OSPO: a practical approach”. I’m only covering the keynotes in detail here because there was just too much amazing content to include all of it, but you’re in luck because pictures and videos from the day should be available soon on the Digital Resilience Forum website. 

General

Assessing the Viability of Open Source Projects

I’m thrilled to announce that we just launched the Practitioner Guide: Assessing Viability, which is the latest in the CHAOSS Practitioner Guide series! A huge thank you to Gary White Jr. who wrote quite a bit of this guide along with the viability metrics models that it’s based on.

The topic of viability and risk is one that’s near and dear to my heart, and is something that I’ve been talking and speaking about for the past 5 years going back to when I was at VMware where it was an important consideration for our Open Source Program Office.

Open source software is found in almost every codebase, but some open source projects are more viable than others over the long term. Many companies don’t have a rigorous process for selecting the most viable dependencies. Often product teams, or even individual software developers, select open source projects because they fill a particular technical need without any assessment of the viability of the project or the risks they might be taking by using it. Assessing the viability of open source projects, especially ones that have the potential to impact your business, is a good first step toward managing risk and reducing the chances of potential business disruptions.

Here’s a short quote from the guide:

“Most business decisions boil down to an assessment of risk and making tradeoffs. Organizations should be thinking strategically about project risks in light of how they are using the projects. If it’s a critical part of a technology stack, it should be as low of a risk as possible. On the other hand, if an open source project is used as a small part of some non-critical infrastructure, an organization can accept more risk. Assessing viability and thinking about it from the perspective of risk and which risks to accept is an important first step, but it’s also important to think about which risks can be mitigated to improve viability. The best way to mitigate many of these risks is by paying employees to contribute to the projects that are most important to your organization. This provides an opportunity to improve viability and sustainability, but it also provides insight into where the project is heading and how things are going, so that if something changes in the project to further increase risk, it might be easier to anticipate those changes.”

– The CHAOSS Practitioner Guide: Assessing Viability

This guide provides advice for assessing viability across four categories: compliance and security, governance, community, and strategy. Depending on your use case, you may find different opportunities to use this viability assessment framework and how you use it will vary based on your organization’s assumption of risk. I hope you enjoy this guide and the others in the CHAOSS Practitioner Guide series! If you want feedback or help with your open source strategy, I’m available for consulting engagements.

Additional Reading:

Photo by Ian Gonzalez on Unsplash

General

The Turing Way Fireside Chat about Governance

I’ve been spending quite a bit of time recently thinking and writing about open source project governance, so I was thrilled to be invited to participate in the Turing Way fireside chat about governance along with Clare Dillon and Richard Littauer! The three of us have very different backgrounds and experiences, so we were able to cover a range of different perspectives on open source governance. 

We talked about some of the challenges, including how difficult it can be to make governance changes, since changes involve people with feelings and opinions that will be difficult to reconcile. We encouraged people to use existing resources, like templates and examples from other projects, rather than starting from scratch, and to reach out to get advice from experts who have experience with governance, since governance is complex with nuances and best practices that may not be obvious. We discussed the importance of having a way to remove people from your open source projects that is clearly documented, even when you hope to never need it. These are just a few of the topics we covered, so I encourage you to watch the video to learn more. 

This fireside chat was the 5th in a series about governance, so you might also enjoy watching the rest of the videos, which can be found in the playlist.

If you want feedback or help with governance or related OSPO topics, I’m available for consulting engagements.

Related Resources:

General

More about Demonstrating Organizational Value

OSPOs and other open source teams often struggle to demonstrate the value of their work in a way that resonates with the people in leadership positions within their organization. This is why we created a CHAOSS Practitioner Guide all about Demonstrating Organizational Value, which I blogged about in July when the guide was launched. Since then, it’s still been something I’ve continued to spend quite a bit of time thinking about!

Bob Killen and I recently joined Harmony Elendu for an episode of CHAOSScast to share our thoughts about how organizations can more effectively demonstrate the value of their open source efforts. We talked about the guide and shared some of our own stories about what we’ve done at past companies to demonstrate the value of our teams’ open source work. It’s only 23 minutes long, so I hope you enjoy listening to our conversation!

I’ll also be at OSPOlogy Lyon on November 5 & 6 where I’ll be giving a 20 minute talk about Demonstrating the Value of Open Source Efforts, which is based partly on the content from the guide along with my own experience working within organizations to demonstrate open source value. It’s in person, but free to attend, so I hope to see some of you in Lyon!

OSPOlogy hosted by LF Energy and Réseau de Transport d’Electricité (RTE) on 5-6 November 2025 in Lyon, France on a purple-blue background. Profile picture of Dawn Foster with text underneath reading, Speaker Dawn Foster with the CHAOSS logo.

If you want feedback or help with your open source strategy and how to demonstrate value for your organization, I’m available for consulting engagements.

Related blog posts:

General

Educating the Next Generation of Open Source Project Contributors

I have several blog posts here about contributor sustainability because there are so many open source projects and not enough contributors to sustain them all over the long term. With many open source projects desperate for contributors, how do we educate the next generation of open source contributors to grow the contributor base for all of us? This was the topic that Ruth Ikegah, Leslie Hawthorne, Stephen Walli, and I tackled as part of a panel at the recent Open Source Summit EU in Amsterdam.

Collectively, we have experience teaching open source to university students, creating and sustaining open source contribution programs for students in secondary school through to university, and building new open source communities in Africa. In this video, we talked about what we’ve learned, what’s worked, and provided tips for growing the next generation of contributors from within your local communities.

Additional Resources:

General

What can your OSPO do about power dynamics, rug pulls, and other corporate impacts on OSS sustainability

A few months ago, I posted here about the New Power Dynamics in Open Source: Rug Pulls, Relicensing, and Forks, but it’s something I’ve been continuing to think about over the past few months. I recently published a blog post for OpenUK on The Shifting Power Dynamics in Open Source: Rug Pulls, Relicensing and Forks, and at the recent Open Source Summit EU (OSSEU) in Amsterdam, I gave a talk on this topic, which Jon Corbett did a lovely job of summarizing in his LWN Coverage of the talk. Here’s the video if you’d like to watch the full 45 minute talk.

What Can Your OSPO Do?

I’ve spent quite a bit of time looking at relicensing and rug pulls, but the data isn’t the important part. What really matters are the actions that we take based on what we’ve learned. It’s important for OSPOs and other open source teams within companies to think strategically about what these power dynamics mean and how we can anticipate and mitigate the risks associated with rug pulls from open source projects driven by software vendors. During my talk at OSSEU, most of the discussion during the Q&A was about the indicators and red flags that can help us anticipate these risks along with how we can mitigate the risks through open source project contributions.

Indicators and Red Flags

There are a couple of indicators that can help you anticipate which open source projects might be more or less likely to be subject to a rug pull or relicense in the future.

  • Contributor License Agreements (CLAs) create a power imbalance within open source communities where the power is tilted toward the company who owns the project and controls the CLA, which gives the company more power than other contributors; for example, the power to relicense a project. This is probably the biggest red flag when assessing whether a project might be at risk of a rug pull in the future.
  • Neutral Foundations and Governance provide a level playing field where people from many different companies can work together on an open source project as equals to create something that benefits everyone. Projects are much less likely to experience rug pulls if they are under neutral, well-run foundations and have governance structures with leaders and maintainers from a variety of organizations. This is in contrast to projects owned or controlled by a single company, which is a red flag because those projects are more likely to experience rug pulls.

Mitigate through Contribution

The most impactful action that a company can take to mitigate potential issues within an open source project is to have employees actively participating and contributing to the projects that are most strategic for your company. This is an important way to better understand and mitigate the risks associated with future rug pulls, but it also goes beyond just that one concern. Companies have the power and resources to make real improvements within open source projects, and corporate involvement can positively impact the sustainability of our projects. Companies can allocate employee time to contribute to projects or provide funding and other resources to help sustain open source projects. 

Having your employees working within a project helps you understand the power dynamics that might be at play and better understand the strengths and weaknesses of that project while also being able to influence the project from within. If your employees are in positions of leadership within a project, you might be able to help prevent future rug pulls, or at the very least, maybe you can anticipate them.

If you want feedback or help with your open source strategy and how your organization can mitigate potential impacts from rug pulls, I’m available for consulting engagements.

Resources: