“Open source” is a very popular word in recent years, but many companies are currently wondering what open source is, how to use it, how to participate in it, how companies make decisions about open source, how to carry out open source governance, and how to use open source to strengthen their competitiveness. and other issues, there are still some difficulties.

In fact, the reality is that Open source Has Wonenterprises are inseparable from open source software, butThere are various risks associated with the use of open source software by enterprises,Businesses can leverage open source for commercial benefit,Enterprises can learn from the open source model for various collaborations. These risks and benefits are things that enterprises need to consider.Therefore, an overall, consistent, long-term, and clear company-level strategy is required, which is called an enterprise open source strategy.

This article focuses on what is an enterprise open source strategy; why enterprises need an open source strategy; what is included in an enterprise open source strategy, and the practical experience in formulating and implementing an enterprise open source strategy. This article is divided into two parts: the first part is what the enterprise open source strategy is, why it is needed, and what it contains; the second part is how to formulate and implement the enterprise open source strategy. Because these contents are more applicable to large and medium-sized technology companies, the title of this article is how large and medium-sized technology companies formulate and implement corporate open source strategies.

1. Enterprise Open Source Strategy Definition

The enterprise open source strategy is a part of the enterprise technology strategy. It is mainly related to the open source software used by the enterprise and the internal and external collaboration of the enterprise, including how to select and use, how to manage and maintain, how to cooperate with external enterprises and communities, and whether to create its own open source software. It also includes learning the collaboration model of the open source community to improve internal efficiency and quality.

The key is to align with the business strategy of the enterprise.

Talking about open source has no meaning for enterprises. Enterprises are profit-making organizations, and ROI (return on investment) must be considered in everything they do. Therefore, an enterprise’s open source strategy must be aligned with the enterprise’s business strategy.

1.1 What problems does the enterprise open source strategy mainly solve?

• How can massive open source components be used safely, compliantly, and efficiently?
• How to use open source to build an internal R&D culture, make internal collaboration smoother, reduce repetitive wheel creation, and accelerate innovation?
• Every enterprise will use a large number of open source projects, which projects should be invested in? Why? How to vote? How to measure?
• Do you want to open source your own project, and why? How? What is the direction of continuous operation?

1.2 Why is an enterprise open source strategy needed?

Enterprises are inseparable from open source software, and need to use open source to enhance corporate competitiveness, so a holistic, consistent, long-term, and clear company-level strategy is very necessary.

• A unified, coherent enterprise open source strategy helps clarify priorities within the enterprise
• An enterprise open source strategy can guide open source operations within the enterprise and provide employees with clear and consistent direction
• The processes and policies of open source software management require a higher level of superordinate law

Before explaining what is included in the enterprise open source strategy and how to do it, let’s take a look at some basic knowledge and underlying logic of enterprise open source.

2. Basic knowledge and underlying logic of open source

2.1 What exactly is open source?

The term “open source” has been interpreted in many ways, such as open source software, open source business, open source collaboration, open source community, etc. The core concept of open source is to generate intellectual property rights in an open manner. Open source software = open source code + OSI certified license. The open source business model is a business model based on open source software.

It is now believed that open source is an open collaboration model, and the output of collaboration meets the requirements of the open source license. This kind of collaboration is used in software, and the output, that is, software that meets the requirements of the open source software license, is open source software.

2.2 The use of open source software by enterprises does not mean free

The use of open source software by enterprises is not free, and there are various costs, such as introduction costs, learning costs, maintenance costs, etc. Among them, maintenance costs are generally the highest. No matter what kind of open source software license is, it contains a disclaimer clause, that is, any problems encountered by users of the open source software in the process of using the open source software have nothing to do with the original author, and the original author has no obligation to repair the enterprise in the production environment. actual problems encountered. Therefore, when enterprises encounter problems using open source software, they either need the support of commercial companies, or recruit engineers to take charge of this work. And this all comes at a cost.

2.3 Common open source business models related to open source software

Software that conforms to the open source license defined by OSI has no sales value in itself, and anyone can download, modify, and distribute it without charging any fees for the software itself. As for open source business models, there are mainly the following two categories:

(1) Wool comes from pigs

This is a model very familiar to Internet practitioners. Product A is free and product B is charged. Provided free of charge through open source software products, and generate revenue from charging for other products. For example, Google’s Android mobile phone system is free, but Google GMS installed on it is a must, and Google benefits from the services on GMS. For example, Mozilla’s Firefox browser is open source, and it charges Google by defaulting to Google through the built-in search engine. This is a typical profit model.

(2) Enterprise services based on open source software

In summary, there are mainly four modes as follows:

• Dual License (representative: MySQL, X264)
• Open—Core (representative: Kafka, Elastic)
• Service (Representative: RedHat, IBM)
• SaaS (representatives: AWS, Tencent, Ali)

2.4 The underlying logic of enterprise open source

First of all, companies open software for free and expose their intellectual property rights, which in itself is an altruistic behavior. However, it is self-interested for companies to obtain benefits from open source. Therefore, self-interest and altruism must be well combined, not only to absorb the convenience brought by open source, but also to avoid excessive commercialization from harming the long-term interests of the open source community and enterprises. Therefore, it is necessary to design a good business model and grasp this degree.

There is a term in the open source world called Coopetition, which is a mixture of the words Competition and Cooperation. The open source world has both competition and cooperation. The two vendors may be in a competitive relationship in terms of open source project A, but they are in a cooperative relationship in terms of open source project B. Open source is not a zero-sum game, but rather a process of making the cake bigger and sharing benefits. For example, two open source software companies on the same business track may only be in sharp competition when facing the same customer, but in other aspects, such as investors, media, upstream and downstream or users, They are actually a prosperous partnership.

• The values ​​of openness + transparency + collaboration

The operation of open source is based on the values ​​of “openness + transparency + collaboration”, which is also the most basic concept of the Apache Open Source Software Foundation advocated by the Apache project. Collaboration in open source is about building trust, the operation of the community is also based on trust, and the establishment of trust must abide by this value.

For knowledge workers engaged in software research and development, participating in open source communities and making contributions is more due to their self-motivation. They hope that their software can be used by more people and obtain better value. The traditional “carrot + stick” method, the traditional incentive method of getting as much money as you do is very short-term and low-level, and it is not suitable for the long-term healthy operation of open source. Open source needs to leverage the Motivational 3.0 incentive model.

3. Next, let’s take a look at the first part of the enterprise’s open source strategy. How to manage the open source software supply chain within the enterprise?

(1) One of the enterprise open source strategies: open source software supply chain management

The supply of open source software is very large, and enterprises must ensure the credibility of the open source software supply chain. Enterprises introduce open source and internally compile, redevelop, and redeploy. This is a chain process. In this process, the most important thing is to ensure that the chain is safe, compliant, and efficient. Otherwise, it will bring direct commercial losses to the enterprise. The following are several actual cases, because of the business losses caused by the incorrect use of open source software by enterprises.

Examples of compliance:

• FSF sued cisco overLinksys WRT54G
• X264 Claim tens of millions of dollars from a large factory
• VirtualApp Jurisprudence:GPLis a contract

Examples of CVEs:

Bugs:

• differentOpenSSLAfter the version results in the integrationCore dump
• Fast JSON hang damage to multiple businesses

The main challenge lies in
Open source software has massive supply and massive demand, and the trend of increasing supply and consumption is still increasing.

According to well-known software warehouse software providerSonatype’s report“ 2021 State of the Software Supply Chain“statistics,byJavaFor example (according tomaven central warehouse statistics), maven central warehouse has430million software projects7.3 million software versions,Average downloads per engineer per year3Ten thousand+ packages;byJavaScriptas an example (withnpmjs central warehouse statistics), npm central warehouse has1800 million software packages21 million versions,Average downloads per engineer per year10Ten thousand+software packages. The vast majority of these packages are open source software.

• Measuring the Supply Chain Management Capabilities of Software Enterprises

Mainly look at two points:

• When a commonly used open source software is found to be high-riskCVE bugswithfixAfter that, how long can it be located and repaired within the enterprise?
• When the enterprise exports software to the outside world, does it quickly output high-qualitySBOM(Software Component List) and notesto meet compliance requirements?

Security vulnerabilities in the open source software community are fixed very quickly. Generally speaking, if a vulnerability breaks out today, a corresponding patch will be released within three days, and a new version will be released within a week at the latest. For enterprises that introduce open source, the key issue is firstly the location of the vulnerability, and secondly the impact of the fix. This is a typical issue that enterprises need to consider. For enterprises that export open source, some stricter suppliers will require a list of compliant software components, which will be a test for enterprises. Only when the import and export can be done well can it be considered reliable and efficient supply chain management.

Building a supply chain requires the joint support of policies, processes, tools, legal affairs, and security teams. This is a company-level behavior. Taking the case of open source software governance at home and abroad as an example, it is necessary to turn this process into a company-level behavior in order to save costs.

Actual operation case:

• Form a cross-departmental multifunctional small team, including legal affairs, security, tools team
• Use tools to automate as much as possible
• Requires large-scale, multi-level training and advocacy

For a high-risk CVE bug of the same Fastjson. Before building software supply chain management capabilities, the processing method is as follows: the security management department sends an email to all employees stating that a certain software version has a high-risk vulnerability that needs to be fixed as soon as possible. No way of knowing. After possessing the open source software supply chain management capability, the enterprise can locate the business line affected by the vulnerability within 30 minutes and accurately send a security work order to the direct person in charge to inform the situation and repair method, and all repairs can be completed within three days.

Next, let’s look at the content related to internal open source in the enterprise open source strategy.

(2) Enterprise Open Source Strategy 2: Internal Open Source

When the scale of the enterprise is large, it is easy to have serious barriers between departments, commonly known as silos, which means “departmental walls”, and it is also easy to repeatedly create wheels in multiple departments. The author once found that there are 15 machine learning platforms in a large factory, and more than 10 Kubernetes cloud deployment platforms in a large factory, and most of the wheels are low-level, repetitive, and relatively low wheels. The existence of these situations within the group is a huge waste of human resources. In addition, engineers have relatively low pursuit of technology. They only want to make products quickly, go online quickly, get income quickly, get promoted quickly, and finally change jobs. This will slow down the technology upgrade of the enterprise, leaving a large amount of technical debt and extremely poor infrastructure, and the deployment environment and monitoring are relatively poor. There are often problems with online services, and development and operation and maintenance personnel are often in the middle of firefighting.

For the above problems, internal open source is an effective solution. Internal open source (InnerSource) is a software development model that draws experience from the software development of the open source community and applies it within the company. It mainly has the following advantages:

• Improve code quality
• Improve people’s capabilities
• Improve employee satisfaction
• breaking down departmental walls
• Reduce reinvention of the wheel
• Incentivize innovation

Since the code of the participating projects will be disclosed internally after the implementation of open source within the enterprise, engineers will naturally consider the readability of the code during the work process, and the operating mode of the open source community is that code submission must go through code review, with strict The code review process will naturally improve the code quality.

InnerSource has a very deep connection with the DevOps that has been implemented in enterprises in the last decade. Both are aimed at improving efficiency. The two most important ways to improve efficiency are reuse and automation. InnerSource is more about reuse, DevOps is more about automation. The two are mutually reinforcing. It is more beneficial for a project that has done a good job in DevOps to operate in an internal open source manner. And InnerSource’s good infrastructure can also help DevOps tools land faster. Only by establishing a culture of internal trust based on the values ​​of openness, transparency, and collaboration can DevOps be promoted positively. For DevOps, it is not that the enterprise is on the CI/CD platform, and the process is considered to be done well.

The figure below is the relationship between InnerSource and DevOps.

At present, major international companies using internal open source include Microsoft, Google, and Bosch, and domestic major companies including Huawei, Tencent, Baidu, etc., are all carrying out related internal source construction.

(3) In the third part, let’s take a look at the strategies related to open source of enterprises.

The Linux Foundation once proposed that an enterprise’s external open source includes four stages: the consumer stage, the participant stage, the contributor stage, and the leader stage. There are two forms of open source for enterprises, one is Upstream, which contributes to existing projects, and the other is to create open source projects independently. Independent creation of open source projects must have a strong commercial purpose and is a Business Driven issue.

The purpose or benefits of enterprise upstream mainly include the following three points: First, reduce the maintenance cost of internal versions.If the open source software used internally needs to be synchronized with the version of external open source software for a long time, it is necessary to reduce the number of local patches. The method is to contribute some patches back, and the number of local patches will naturally decrease, thereby reducing the cost of continuous version upgrade and maintenance. cost

Second, we hope to reuse the mature distribution channels of the open source community. For example, Microsoft’s contribution to the Linux kernel is not small, but its contribution only focuses on the relevant parts of the kernel and Microsoft Hypervisor. Use these patches to make the virtual machine with Linux distribution installed on Microsoft’s operating system run well. Therefore, Microsoft directly contributes these patches to the upstream community, that is, the Linux kernel, so that these patches will be directly included when each distribution releases a new version.If you don’t contribute to the upstream Linux kernel community, Microsoft needs to communicate and cooperate with each Linux commercial distribution manufacturer one by one, which will cost a lot of money

Finally, it is desirable to maintain control over some critical software. Some large companies choose to invest manpower in open source projects that are critical to their business, hoping to ensure that the iteration of this project is in line with their interests.

In recent years, many companies, especially large factories, have been continuously open-sourcing their internal technologies. But before opening up to the outside world, you need to answer three soul tortures: first, why do you want to do it; second, how to prove whether it is successful; and finally, how to measure it. If there are no answers to these questions, then open source can only be regarded as the spontaneous behavior of engineers, and the open source project will most likely become an unfinished project.

There are some good reasons why open source is as follows:

• Build de facto standards and provide open source implementations to advance standards faster
• Crack down on competitors. For example, a company and a certain manufacturer are competitors with different business focuses. Realizing the focus of the rival company and making it open source is a blow to the competitor.
• Competitive differences, such as the competition between Mozilla and IE, IE chooses pre-installation, while Mozilla directly chooses open source to achieve competitive differences
• Establish ecosystem promotion, such as Android
• Employer brand and technology word of mouth, such as LinkedIn open source Kafka
• Reduce support costs, customers can maintain themselves, such as cloud SDKs of various cloud vendors

Of course, there are some bad reasons as follows:

• Get rid of the burden, and leave the projects you don’t want to maintain to the community
• I don’t want to increase staff internally, I want to find free labor
• KPIs for internal engineers or departments
• Pure PR without follow-up support plan

Before open source, the project needs to be well evaluated.

To evaluate the potential of a project, it is necessary to clarify its track, classification, market potential, differences with competitors, and what projects are upstream and downstream. These are more issues of product design and product strategy. In addition, enterprises must do the following reviews when doing open source:

• Legal Review: What kind of license and terms are used for the project, and whether there are legal risks
• Technical Review: Are there any security holes in the project, and are there any unnecessary codes included?
• Market Review: What branding does the project use, what is the market competition strategy
• Governance model review: whether to adopt an independent development model or to be hosted by the foundation, or to become an incubation project of the foundation

The second part is how to formulate and implement the enterprise open source strategy

**1.**how to formulate

An enterprise’s open source strategy must be formulated in stages in light of the enterprise’s own situation. For example, companies with overseas business can start with compliance first; companies with serious internal repetitive wheel creation can first open source internally; and companies that mainly focus on cloud and want to expand smart cloud to B business can open source externally would be a good means.

The formulation process can refer to the BLM (Business Leadership Model) method for planning and formulation.

2. How to implement the open source strategy

There is a simple way to implement the open source strategy, which is to set up an open source management office (OSPO). Its role is to help companies create and execute open source project strategies that enable open source leaders, developers, marketers, and other employees to successfully operate open source projects. The main responsibilities of OSPO involve the following aspects:

• Clearly communicate your company’s open source strategy internally and externally
• Implement and supervise the implementation of open source strategy
• Promote the effective and safe use of open source software within the enterprise
• Maintain review and oversight of open source license compliance
• Ensure high-quality and high-frequency release of code to the open source community
• Work with the developer community to facilitate effective company contributions to other projects
• Create an open source culture within your organization

The first company in the industry to create OSPO was Sun Microsystems. Sun established its first open source office in 1999. The first thing it did was to promote the open source of Java. Due to the positive impact of open source, Java has always been Live up to the present and very alive.

Common Models for Setting Up an OSPO

There are three common models for designing OSPO in the industry.

• The first is to set up OSPO under the legal department and focus on solving intellectual property issues. For example, hardware companies will put OSPO under the legal department.
• The second is to set up OSPO in the R&D department, which mainly supports engineers to use open source software, which is suitable for software companies.
• The third is to set up OSPO in the marketing/developer relations team, and focus on PR to influence sales.

At present, there are many cases of OSPO landing in major domestic enterprises.

• Tencent: R&D Management Department
• Ali: belonging toCTO office
• Baidu: Technology Management Department
• Ant: Affiliated withCTO office
• Weizhong: Belongs to the project management department of the company
• Didi: Belonging to the Open Source Committee (Virtual)

It is an effective way to promote the formulation and implementation of an enterprise’s open source strategy through the establishment of OSPO.