CHAOSS Risk Metrics Working Group (RISK WG)
Read our Launch Plan
Risk is a new group, focused on metrics for issues pertaining to Risk in open source.
Economic value is expressed in different ways for different types of stakeholders. We will be exploring this space in the coming months.
|1. Business Risk||Understand how active a community exists around/to support a given software package.|
|2. Code Quality||Understand the quality of a given software package.|
|3. Licensing||Understand the potential IP issues associated with a given software package’s use.|
|4. Security||Understand security processes and procedures associated with the software’s development.|
|5. Transparency||Understand how transparent a given software package is with respect to dependencies, licensing (?), security processes, etc.|
Join our Mailing List
This CHAOSS working group is using the general CHAOSS mailing list.
Join our Weekly Calls
The Risk Working Group meets every other Monday from 11-12 Pacific Time. All are welcome. Our next meeting is April 20, at 9am CDT. We will also meet on April 27, at 9am CDT to get back in our cycle. April 13 was cancelled due to the holiday.
The videoconference URL is https://zoom.us/j/4998687533.
We have gotten requests from community members to establish industry-standard metrics for risk in open source. Lack of metrics makes it difficult for business decision makers to compare open-source methods to alternatives. Lack of metrics makes it difficult to allocate resources optimally across projects, slowing decision making and product innovation.
We believe that risk metrics can accelerate the adoption of open source methods within industry, providing more opportunities for developers to make a living wage in open source.
Between March 2019 and September 2019 we will execute a launch plan with limited goals:
Identify Stakeholders and Validate Interest
- Identify market segments and stakeholders
- Understand Who cares about Open Source Risk (and why)
- Specify and prioritize Key Performance Indicators
- Calculate potential aggregate risk
Grow hands-on community
- CHAOSS Members: Consultants, researchers, grant writers
- Project Stakeholders: Sponsors, maintainers, contributors, consumers
Build reusable assets
- Repeatable methodology for discovering value
- MVP Tooling with Development Roadmap
In the long term, we’d like to publish trusted industry-standard Risk Metrics. A kind of S&P for software development, an authoritative source for metrics significance and industry norms.
Work To Date
We're just getting started!
The criteria for becoming a core contributor is to participate at least once per month over a period of 3 months. Participation could include providing feedback in the weekly D&I meetings, providing feedback on docs, or making other contributions on GitHub (commits / issues). People not participating over a 3 month period may be removed as core contributors.
If you'd like to be on our squad, an easy way to start is by going through the
issue list and fixing some.
Ordered by first name
Are you eligible to be on this list? You are if you helped in any capacity, for example: Filed an issue. Created a Pull Request. Gave feedback on our work. The team will try to update this list monthly, but please open an issue or post on the mailing list if we've missed anyone.
If you find yourself missing, please create a pull request or reach out to a maintainer. We started to maintain this list after starting the working group and are likely missing some of you. If you find yourself listed here and want to be removed, please create a pull request or ask a maintainer.