# Running an Open Source Project

You've published your project to a public repository like [GitHub](https://github.com). You've included a [CITATION file](https://github.com/citation-file-format/citation-file-format) so people know how to credit your work. From a publication perspective, your software is now out in the open: but there are still barriers that stop the wider community from adopting and improving your project. It is not having the impact that it could be having.

## Open Source Licenses

**A friendly note**: I'm not a lawyer, and I'm certainly not your lawyer nor the University's lawyer. I've been the open source IP wrangler for a few software projects, so I have an informed knowledge of how these things work, but not legal expertise nor the qualification to give actual advice. Consider this section guidance at best, and if you need more assistance then find a legal adviser to help you. Your department, or the spinout advisors, can probably help.

In the UK and other signatories to the Bern convention, if you publish anything that can be seen as a creative work, including software, you automatically lay claim to its copyright (there's no need to explicitly write a (C) symbol, for example). Implicitly you (or your employer, depending on your contract with them and how the work was carried out) are asserting all rights available as the copyright holder.

That means that nobody else has any right to use the published work. So even though you may have published your program on GitHub, it's still not "open source", because nobody else actually has the right to use, study, share, or improve the software.

In fact the [Open Source Definition](https://opensource.org/osd) says that open source software must allow certain rights to users. In order to enable their freedoms, the authors' freedoms are curtailed (except that authors are still free to choose not to make their work open source). To explicitly grant those rights, open source authors use licenses that define how readers can use their works. The Open Source Initiative [lists compatible licences](https://opensource.org/licenses). GitHub have a tool [for choosing licences](https://choosealicense.com/) from that list.

Once you have identified the licence for your project, it is common to copy its text into a `COPYING` or `LICENSE` file at the top-level of the project so that there is no doubt over the terms under which the project is shared. Some licences, notably the GPL and variants, additionally require a preamble in a comment at the top of all source files.

## Contributor License Agreements

So you (or your institution, or funding body, or industry sponsor...) have released a project as open source software. You get a pull request, it looks good, so you merge it! _Now_ who owns the copyright on the project?

The answer is, it's a bit messy. The bits that you (or your... you get the idea) wrote are owned by you, and the bits that your contributor wrote are owned by them. Often, people have a vague notion that "small" changes don't change the copyright situation, but don't tell you how small "small" is. _Presumably_ they're OK with releasing the software under the same licence, but what happens when you want to change the licence? Or commercialise the IP and relicence the software to paying customers? Or transfer project stewardship to a different institution, or a foundation like the Free Software Foundation or Software Freedom Conservancy?

As it stands, the answer would be that you would have to contact all contributors and get them all to agree, or remove their contributions, or not make the change. Some of them may have changed their email address, or not read their email any more, or disagree with your change. Or they may even be deceased: the legal counsel for Software Freedom Conservancy, Karen Sandler, spends a chunk of her time contacting relatives of late software engineers, talking to them about the copyright status of their contributions.

Many commercial and charitable organisations have taken to asking contributors to open source projects to sign [Contributor License Agreements](https://www.finnegan.com/en/insights/what-you-should-know-about-contributor-license-agreements-in-open-source-projects.html) (CLAs), asserting that the contributor allows the "upstream" organisation to manage the project, including their contribution as they see fit (and representing that the contributor has the right to do so).

Implementing CLAs for a project involves some ongoing administration work. You have to make sure that all contributors have signed the CLAs, that their agreements are on file, and then handle the data protection overhead of having their information on file. Whether it makes sense for your project depends on the project goals. Software designed to support a single publication may not need it as external contributions or changes of purpose don't seem likely. A project that's destined to become the core tool in some broader field of endeavour may benefit from centralised governance, and the governors will need the right to govern.

## Stewarding a Project

The Free Software Foundation was created in 1985, so it predates the film _Field of Dreams_ by about four years. This means that the founders didn't have access to the phrase "if you build it, [they] will come" and it's not one that applies to open source projects. Getting contributions, fixes and ideas from "the community" requires that the community exists, and you have to grow and support that.

Research software can, of course, be advertised through the traditional academic channels: publishing in journals, presenting at conferences, running seminars. These are good forums for generating interest in the research community, which may translate into contributions.

A project's README file can tell people where the canonical source repository is maintained, how to get involved, whether there is a code of conduct for participating in the community, and where to find other material. Once you've got documentation, tutorials, a mailing list, news, meetups, and more, you may want to create the project's website. That's easy to do on GitHub, by creating a [GitHub Pages](https://pages.github.com/) site. You'll still want a link in the README, so people who find the source code can discover everything else.

### Bug reports

Don't be disheartened when your first contributions from outside are bug reports and feature requests. These are a good thing! If someone reports a bug, it's because they're interested enough in your software project to try it, use it to a depth where they find its limitations, and _still_ want to help you get it fixed so they can carry on using it.

Plan to set aside some time on a regular cadence (the amount scales with the size of the community, so initially not much time) reviewing incoming requests and triaging them: replying to thank the submitter, asking for more details, prioritising fixes, or asking for external submissions if they don't fit your plans.

In order to submit bug reports, though, people need somewhere to submit them. The popular source code hosts like GitHub, GitLab, and Bitbucket all have issue trackers associated with code repositories, which is a convenient location for people to find them. As a community grows, a more "organic" discussion forum such as a mailing list or chat channel (Slack, or an open source alternative like Mattermost) allows ad hoc discussions and community organisation, letting external contributors take a more active role.

### Code Contributions

The GitHub style pull request seen earlier in the course has been transformative to open source software, and vastly amplified the number of participants contributing code to open source projects. It's easy to understand, the GUI support in GitHub and others makes it simple to use, but it's still not the only game in town. For example, the Linux kernel (for which `git` was originally written) is developed by programmers emailing patches to each other. The LLVM compiler project accepts patches sent to an email list, or through a code review tool called Phabricator.

Whatever route you open up, you will want to review contributions before accepting them: for fitness for purpose (do we want this change in the project?) and code quality (do we want this change _written like this_ in the project?). Code review is an important stage in the _marketing_ of a project as well as its technical lifecycle. If people get hostile reactions to submissions in code review, or no response at all, they will get the impression that the developers aren't seeking external contributions.

### Non-code Contributions

VM Brasseur, in her book "Forge Your Future with Open Source", lists the following ways in which people can contribute to an open source project without writing code.

 - UI design
 - web design
 - documentation writing
 - translation
 - UI testing
 - bug triage
 - project management
 - event organisation and coordination
 - marketing
 - accessibility design
 - UX design
 - graphic design
 - documentation editing
 - code testing
 - accessibility testing
 - release management
 - community management
 - public relations and outreach
 - security review and testing

This is not a complete list, but it's a start! It's easy to adopt that misapprehension that because "open source" is all about the code license, it's only coders who contribute. Plenty of other skills are needed to create popular, successful software projects, and it would be unwise to turn away contributions that apply these skills.
