
Maturity checklist #223

Merged

merged 21 commits into from Apr 29, 2024

Conversation

robmoffat (Member Author):

  • Ability to slice by persona
  • Smaller, more portable presentation
  • PDF version
  • Graded scale (0-5 marks 0= not started, 5= perfect)

@psmulovics psmulovics changed the title Maturity checklist DO NOT MERGE - Maturity checklist Jan 31, 2024

robmoffat commented Feb 2, 2024

Hi @mimiflynn, just having a call with @psmulovics who says you might be able to help out with some coding on the OSR front-end.

I would love some help with this, especially on this page which could be a lot tidier and also have a download-as-pdf button.

Also, we are discussing changing to a slider-based value for each item on the checklist. i.e.

  • 0: Not applicable / not attempting this.
  • 1: Just starting / initiating
  • 2: Underway
  • 3: Operational, with caveats
  • 4: Completed

.. or something?

netlify bot commented Feb 27, 2024

Deploy Preview for reliable-medovik-8e47e9 ready!

Latest commit: 706e775
Latest deploy log: https://app.netlify.com/sites/reliable-medovik-8e47e9/deploys/65ddfbeba74bad0008f3d097
Deploy Preview: https://deploy-preview-223--reliable-medovik-8e47e9.netlify.app

@robmoffat robmoffat requested a review from a team March 6, 2024 10:58
robmoffat commented Mar 6, 2024

Ok this is ready to use and test. Feedback welcome.

A proper explanation is here

But basically, all the Activities in the body of knowledge now have an associated maturity checklist, asking you to rate your firm on a scale of maturity based on CMMI.

A combined checklist exists here

And a printable/emailable summary is here where you can generate a PDF of the firm's overall state.

robmoffat (Member Author):

@mindthegab

@robmoffat robmoffat changed the title DO NOT MERGE - Maturity checklist Maturity checklist Apr 17, 2024
Neetuj commented Apr 17, 2024

  1. Should there be a maturity level association regarding the data publishing of open source usage, effectiveness and benefits at your company? (maybe stage 5?)

  I see that "The OSPO measures usage according to published metrics" section is there, but do we think a mature organization should also be publishing some data around it by leading from the front?

  2. Another level of maturity is to be able to understand the nested dependencies and nested licenses, to be able to make a sound and informed decision when needed. Is that implicitly covered in the survey? I did not see any explicit question around it. Maybe add it in this section, "The organisation is aware of the open source software running within it"? Or add a question to the Open Source Supply Chain Security section around "organization understands legal and security impact of nested dependencies in open source code".

  3. "The organisation fosters and encourages social media for visibility of open source projects" -- should we restrict this to social media? My 2 cents would be to either remove "social" or rename it to "outreach" to be inclusive of other channels of outreach like conferences, workshops, advocacy events/meetups etc.

robmoffat (Member Author):

Hi Neetuj,

Responding to your points:

  1. This seems like it should be something we discuss with the SIG - @caradelia @psmulovics @BrittanyIstenes @coopernetes perhaps a question for a future OSR meeting?

  2. I think this is covered in the security article "The organisation scans and audits software automatically and frequently" and License Management has "There is an automated process in place for managing IP compliance", but perhaps that's not enough? Also, we call out to the OpenChain standards in both these areas as I think that's the best practice for security / licensing.

  (Screenshot 2024-04-23 at 10:48:59)

  3. Updated - good idea.

robmoffat (Member Author):

@AmolMeshram19 do you have anything to add?

AmolMeshram19:
@AmolMeshram19 do you have anything to add?

Consuming Open Source Software

Checklist: There is a defined process for procuring open source in the organisation.
Reply: This needs rephrasing, as procurement refers to commercial products.

Managing Open Source Based Projects

Checklist: The organisation has a process to choose between open source alternatives.
Reply: Need more clarity on what kind of open source: open source software, library, API, code snippets.

Checklist: Management understands the cost savings of open source.
Reply: Can we rephrase it as Management understands the benefits of using open source.

Checklist: The organisation has a process for obtaining support for open source components.
Reply: Need more clarity on what kind of support.

Compliant Open Source Consumption

Checklist: Enterprise risk management processes include open source risks.
Reply: This will confuse the reader, as enterprise risk management is a different function than the OSPO.

Checklist: Standardized controls are in place around open source consumption.
Reply: Can we be more specific here, e.g. open source consumption and contribution standards?

Title: Open Source Consumption Training
Reply: Can we change the title to Open Source Software Training, or Open Source Software Consumption and Contribution Training? Training will cover both contribution and consumption.

Title: License Compliance Management
Reply: This title is very broad. Can we make it Open Source Software License Compliance Management?

Checklist: There is an automated process in place for managing IP compliance.
Reply: IP compliance is different than open source license compliance. IP compliance is a subset of it.
The majority of organizations offer IP training which is separate from OSS training.

Open Source Supply Chain Security

Checklist: The organisation scans and audits software automatically and frequently
Reply: Can we write it like this:
The organisation uses a code scanning tool to scan and audit software composition.

Title: Engagement & Hosting
Reply: Can we add this: The organization hosts open source repositories on a publicly accessible platform.

Title: Contributing Your Own Open Source Project
Reply: This title is confusing. We need to distinguish between personal open source projects and organization open source projects.
The follow-up checklist mentions marketing. In rare cases, an organization will help with marketing the personal projects of employees.

@robmoffat apologies for writing this much. Please ignore if you feel it's not necessary. Happy to jump over a call to discuss it.

robmoffat (Member Author):

Hi @AmolMeshram19,

Just getting round to your comments. Couple of questions from me:

Reply: need more clarity on what kind of open source like open source software, library, API, code snippets.

I think we should add something to the article about this. Do you see a difference in the way these are managed in your firm?

Checklist: Management understands the cost savings of open source.
Reply: Can we rephrase it as Management understands the benefits of using open source.

This was the checklist above. Shall I just remove the cost saving one?

Checklist: The organisation has a process for obtaining support for open source components.
Reply: need to more clarity on what kind of support.

Again, I think this probably needs expanding on in the article. I've had a go at this:

Open Source Support

Paying for a support contract for open source software offers several significant benefits, especially for businesses that rely on these technologies for critical operations:

  • They ensure priority access to expert assistance.
  • Support contracts often come with assurances of regular updates and security patches.
  • Financial contributions through support contracts can fund ongoing development and improvements.

Title: Open Source Consumption Training
Reply: Can we change the title to Open Source Software Training, or Open Source Software Consumption and Contribution Training? Training will cover both contribution and consumption.

These are separate activities in the body of knowledge, and we want to capture separately how a firm performs for each of them, so I'd like to keep them separate.

Everything else was great and I've added.

@robmoffat robmoffat requested review from a team and psmulovics April 29, 2024 09:52
robmoffat (Member Author):

@psmulovics would be nice to merge this before the community call this week, WDYT?

psmulovics (Contributor):

I wanted to merge it 5 months ago ;)

@psmulovics psmulovics merged commit a0e92d3 into main Apr 29, 2024
5 checks passed