{doc.title}
+ + {doc.description &&{doc.description}
} +diff --git a/.gitignore b/.gitignore index 0502010d6..f6c443501 100644 --- a/.gitignore +++ b/.gitignore @@ -4,9 +4,12 @@ website/translated_docs/ website/build/ website/i18n/ +website/.docusaurus # Yarn build website/node_modules/ +v2-website/node_modules/ + # Generated docs docs/contributing.md diff --git a/docs/bok/Activities/Developer-Training.md b/docs/bok/Activities/Developer-Training.md new file mode 100644 index 000000000..19a40c6dc --- /dev/null +++ b/docs/bok/Activities/Developer-Training.md @@ -0,0 +1,11 @@ +--- +title: Developer Training +tags: + - Developer (Role) + - Data Leakage (Risk) +--- + + +## Details of Trainings + +tbd diff --git a/docs/bok/Body-Of-Knowledge.md b/docs/bok/Body-Of-Knowledge.md new file mode 100644 index 000000000..5af4fdbd4 --- /dev/null +++ b/docs/bok/Body-Of-Knowledge.md @@ -0,0 +1,7 @@ +--- +title: Introduction +--- + +Introduction to the body of knowledge. + +placeholder for now. \ No newline at end of file diff --git a/docs/bok/Risks/Codebase-Risk.md b/docs/bok/Risks/Codebase-Risk.md new file mode 100644 index 000000000..67a9ba433 --- /dev/null +++ b/docs/bok/Risks/Codebase-Risk.md 
@@ -0,0 +1,15 @@ +--- +title: Codebase Risk +tags: + - Developer (Role) + - CIO/CTO (Role) +--- + +Codebase Risk is + +## Reducing Code Duplication + + - The [Code Duplication](code-duplication) article already describes the maintainance costs associated with internal forks of projects, and in passing discusses how this also presents a security risk. + - It is hard but perhaps not impossible to get a view of how big a problem this is in your organsisation by looking at the internal repository (e.g. Artifactory) and looking for versions of open source libraries that are _not_ coming from the original external source. + - An argument _for_ internal forks is that actually this mitigates the cyber risk of trojan code from an external environment. However this is specious since 99% of the code running in the organisation is open source anyway: bad actors can exist both inside and outside the bank and this is no substitute for scanning tools. + - For example, consider a _bad actor_ performing a [Solar Winds Trojan](https://www.cisecurity.org/solarwinds)-style attack. This is a consumption risk that _already exists_. Allowing developers to contribute to open source doesn't worsen or improve this situation. \ No newline at end of file diff --git a/docs/bok/Risks/Data-Leakage-Risk.md b/docs/bok/Risks/Data-Leakage-Risk.md new file mode 100644 index 000000000..dcb6b7af1 --- /dev/null +++ b/docs/bok/Risks/Data-Leakage-Risk.md 
@@ -0,0 +1,20 @@ +--- +title: Data Leakage Risk +tags: + - CIO/CTO (Role) + - Developer (Role) + - Data Leakage Risk +--- + + + - Financial firms are _technology organisations_, and all such organisations need to worry about Intellectual Property Risk. IP Leakage can happen anywhere. + + + - Arguably, risks are _greater_ in finance because of the penalties that regulators may apply. + - Historically, use of social media / sharing sites has been prohibited by many firms to mitigate data leakage. + - But you have to balance the data leakage risk against the benefits (outlined above). Therefore: can employees use a site like GitHub (where uploading data is commonplace) but have controls in place to mitigate the data-leakage aspect? + - Tools such as [GitProxy](http://github.com/finos/Git-Proxy), personal machines, ephemeral desktops etc. help to mitigate this. + - _Training_ of open source developers within the organisation is an important step. Do developers understand the rules? Can you be explicit about what is and isn't included in a commit? For example: _non-code contributions_ such as test data might be outside the policy. It's easier to have a blanket policy that this isn't allowed. Test data needs to be generated by the tests as they run instead. + - A _governance process_ needs to be in place for supervising contributions and observing what leaves the organisation. + - Tools like [GitHub Enterprise](https://github.com/enterprise) also aim to help with Data Leakage Prevention. + - _Evidence_ may need to be provided that data hasn't been leaked (according to regulations). \ No newline at end of file diff --git a/docs/bok/Risks/Dependency-Risk.md b/docs/bok/Risks/Dependency-Risk.md new file mode 100644 index 000000000..f45d3deee --- /dev/null +++ b/docs/bok/Risks/Dependency-Risk.md 
@@ -0,0 +1,13 @@ +--- +title: Dependency Risk +tags: + - Dependency Risk + - Developer (Role) +--- + + + +## Software Dependency Risks + +- imported libraries. +- \ No newline at end of file diff --git a/docs/bok/Risks/Financial-Risk.md b/docs/bok/Risks/Financial-Risk.md new file mode 100644 index 000000000..af5c054ec --- /dev/null +++ b/docs/bok/Risks/Financial-Risk.md @@ -0,0 +1,14 @@ +--- +title: Financial Risk +tags: + - Financial Risk + - Legal (Role) +--- + + + +## Accountancy Regulations + + - Anything that developers write has a cost associated with it, which is charged to a cost center within an organisation. + - These costs are amortised with respect to the assets they create. + - _Giving away software_ as open source breaks this model and needs to be accounted for correctly. \ No newline at end of file diff --git a/docs/bok/Risks/Legal-Risk.md b/docs/bok/Risks/Legal-Risk.md new file mode 100644 index 000000000..c9b93e7f6 --- /dev/null +++ b/docs/bok/Risks/Legal-Risk.md 
@@ -0,0 +1,28 @@ +--- +title: Legal Risk +tags: + - Legal Risk + - Legal (Role) +--- + + + + + +## License Compliance + + - What consitutes an acceptable license depends on the software, the license and the context it is used in. + - For this reason, it is difficult to get (say the legal department) to review each license and make a blanket decision on each one. + - Again - look to tooling to help mitigate this risk. Can software project's build be failed because the wrong licenses are included in the codebase? + +## Cross-Border Obligations + + - Many organisations are bound by what is allowed to cross their borders. For example: in Swiss banks, there are strong controls in place to make sure no data leaves Switzerland. + - This is a consideration for code too, as code _contributed to GitHub_ is data leaving the organisation and there may be requirements around these obligations. + - Another example of why preventing contributions with "test data" in them may be good policy. + +## Export Regulations + + - In a similar vein, many countries are prevented from selling into certain territories. US/Iran for example. + - There are rules in the US about exporting "non-standard crypto" (which might include obfuscated code). + - Is open source contribution encompassed in "selling"? diff --git a/docs/bok/Risks/Staff-Risk.md b/docs/bok/Risks/Staff-Risk.md new file mode 100644 index 000000000..2e80a6067 --- /dev/null +++ b/docs/bok/Risks/Staff-Risk.md 
@@ -0,0 +1,17 @@ +--- +title: Staff Risk +tags: + - HR/Training (Role) + - CIO/CTO (Role) +--- + + + +## Talent Retention + + - Finance organisations are great at _attracting_ talent by simply paying very high wages. The problem is attrition. + - It's important to understand that lots of open source is developed for _non-financial rewards_. + - If you hire a key engineer who is a top contributor to an open source project then you are preventing them from contributing anymore. They will leave. + - Even if you allow them to continue contributing, but the workflow is onerous (e.g. MD-level reviews of their code) they will also get fed up and leave. + - To _retain_ these high-performing staff, you have to give them the right tools to carry on contributing effectively. + - GitHub is _becoming a CV_. \ No newline at end of file diff --git a/docs/bok/Roles/CIO-CTO.md b/docs/bok/Roles/CIO-CTO.md new file mode 100644 index 000000000..340451773 --- /dev/null +++ b/docs/bok/Roles/CIO-CTO.md @@ -0,0 +1,8 @@ +--- +title: CTO/CIO +tags: + - CIO/CTO (Role) +--- +The Chief Technology Officer (CTO) or Chief Information Officer (CIO) is responsible for the overall technology strategy and direction of an organization. They are responsible for ensuring that technology supports the business goals and objectives of the company. This includes managing the technology budget, selecting and implementing new technology, and ensuring the security and integrity of the company's data. + +The CTO/CIO role interacts with open source software by evaluating the potential benefits and drawbacks of using open source technology in the organization. They may also be responsible for creating and implementing policies around the use of open source software, including guidelines for contributing to open source projects, and for managing any legal or compliance risks associated with using open source software. 
diff --git a/docs/bok/Roles/Developer.md b/docs/bok/Roles/Developer.md new file mode 100644 index 000000000..c5f17c015 --- /dev/null +++ b/docs/bok/Roles/Developer.md @@ -0,0 +1,7 @@ +--- +tags: + - Developer (Role) +--- +Developers are responsible for designing, coding, and testing software applications. They are responsible for writing and maintaining code, troubleshooting and debugging software, and working with other developers to create and implement software solutions. + +A developer interacts with open source software by using open source libraries, frameworks, and tools as building blocks for their software. They also contribute to open-source projects, fixing bugs, adding features, and submitting pull requests. diff --git a/docs/bok/Roles/HR-Training.md b/docs/bok/Roles/HR-Training.md new file mode 100644 index 000000000..f3929337d --- /dev/null +++ b/docs/bok/Roles/HR-Training.md @@ -0,0 +1,9 @@ +--- +title: Human Resources and Training +tags: + - HR/Training (Role) +--- + +Human Resources (HR) and training departments are responsible for the overall management of a company's human resources, including recruiting and hiring employees, managing employee benefits and compensation, and providing training and development opportunities. + +They interact with open source software by ensuring that new employees are trained on the company's open source policies and procedures, and by providing training opportunities for employees to learn more about open source software and how to contribute to open source projects. diff --git a/docs/bok/Roles/Legal.md b/docs/bok/Roles/Legal.md new file mode 100644 index 000000000..06d2af29e --- /dev/null +++ b/docs/bok/Roles/Legal.md 
@@ -0,0 +1,9 @@ +--- +title: Legal Team +tags: + - Legal (Role) +--- + +The legal team is responsible for providing legal advice and support to the organization. They review and draft contracts, advise on legal compliance, and represent the company in legal matters. + +The legal team interacts with open source software by advising the company on the legal implications of using open source software, including compliance with open source licenses and any potential intellectual property issues. They also review and draft contracts related to open source software, such as contributor agreements and software licenses. diff --git a/docs/bok/Roles/OSPO.md b/docs/bok/Roles/OSPO.md new file mode 100644 index 000000000..1a3235f7d --- /dev/null +++ b/docs/bok/Roles/OSPO.md @@ -0,0 +1,13 @@ +--- +title: OSPO +tags: + - Codebase Risk + - Data Leakage Risk + - Dependency Risk + - Staff Risk + - OSPO (Role) +--- + +The Open Source Program Office (OSPO) is responsible for the overall management and direction of an organization's open source program. This includes managing the open source software inventory, identifying and managing legal and compliance risks, and ensuring that open source software is used in compliance with company policies and procedures. + +The OSPO interacts with open source software by evaluating open source projects and components to determine whether they meet company standards and requirements, and by working with internal teams to ensure that they are aware of and are compliant with open source policies and procedures. They also work with external open source communities to ensure that the company is in compliance with open source licenses and contributing back to open source projects. diff --git a/docs/bok/Roles/Product-Manager.md b/docs/bok/Roles/Product-Manager.md new file mode 100644 index 000000000..fac870921 --- /dev/null +++ b/docs/bok/Roles/Product-Manager.md 
@@ -0,0 +1,7 @@ +--- +title: Product Manager +tags: + - Product Manager (Role) +--- + +placeholder \ No newline at end of file diff --git a/docs/bok/Roles/Risk-Officer.md b/docs/bok/Roles/Risk-Officer.md new file mode 100644 index 000000000..311712294 --- /dev/null +++ b/docs/bok/Roles/Risk-Officer.md @@ -0,0 +1,11 @@ +--- +title: Risk Officer +tags: + - Codebase Risk + - Data Leakage Risk + - Dependency Risk + - Staff Risk +--- +A risk officer is responsible for identifying, assessing, and mitigating risks to an organization. They assess the potential impact of risks and develop and implement risk management strategies to minimize the potential impact of those risks. + +A risk officer interacts with open source software by identifying and assessing the potential risks associated with using open source software, and by working with the organization to develop and implement policies and procedures to mitigate those risks. diff --git a/docs/bok/Roles/Security-Expert.md b/docs/bok/Roles/Security-Expert.md new file mode 100644 index 000000000..6748e1670 --- /dev/null +++ b/docs/bok/Roles/Security-Expert.md @@ -0,0 +1,8 @@ +--- +title: Security Expert +tag: + - Security Expert (Role) +--- +A security expert is responsible for ensuring the security of an organization's information systems and data. They conduct security assessments, identify vulnerabilities, and implement security controls to protect the company's data and systems. + +A security expert interacts with open source software by evaluating open source software for security vulnerabilities and working with the development team to address any identified issues. They also work to ensure compliance with industry standards and regulations related to open source software security. diff --git a/docs/bok/Training/LFC104-Ethics.md b/docs/bok/Training/LFC104-Ethics.md new file mode 100644 index 000000000..a4e5fcb3a --- /dev/null +++ b/docs/bok/Training/LFC104-Ethics.md 
@@ -0,0 +1,20 @@ +--- +title: Ethics for Open Source Development +tags: + - Developer (Role) + - OSPO (Role) + - Product Manager (Role) +--- + +## Synopsis + +This course is designed primarily for product managers who want to learn how to effectively incorporate ethics-by-design techniques into their workflows, and developers wanting to apply ethics through critical thinking techniques and proven mental frameworks. + +## Details + +- Publisher: Linux Foundation +- Code: LFC105 +- Length: 2 hours +- Certification: Digital +- Cost: 0 +- Link: https://training.linuxfoundation.org/training/ethics-for-open-source-development-lfc104/ diff --git a/docs/bok/Training/LFC105-Antitrust-Law.md b/docs/bok/Training/LFC105-Antitrust-Law.md new file mode 100644 index 000000000..919d454d3 --- /dev/null +++ b/docs/bok/Training/LFC105-Antitrust-Law.md @@ -0,0 +1,21 @@ +--- +title: Antitrust Laws and Open Source Software Project Management and Participation +tags: + - Developer (Role) + - CIO/CTO (Role) + - OSPO (Role) +--- + + +## Synopsis + +This course is intended for all individuals that participate in open source projects at any level - contributors, maintainers, Steering Committee members and Governing Board members. + +## Details + +- Publisher: Linux Foundation +- Code: LFC105 +- Length: 1 hour +- Certification: Digital +- Cost: 0 +- Link: https://training.linuxfoundation.org/training/antitrust-laws-and-open-source-software-project-management-and-participation-lfc105/ diff --git a/docs/bok/Training/LFC192-SBOM.md b/docs/bok/Training/LFC192-SBOM.md new file mode 100644 index 000000000..358085fd2 --- /dev/null +++ b/docs/bok/Training/LFC192-SBOM.md 
@@ -0,0 +1,21 @@ +--- +title: Generating A Software Bill-Of-Materials +tags: + - Developer (Role) + - Security Expert (Role) + - Dependency Risk + - Developer Training +--- + +## Synopsis + +This is an introductory course designed for directors, product managers, open source program office staff, security professionals, and developers. + +## Details + +- Publisher: Linux Foundation +- Code: LFC192 +- Length: 2 hours +- Certification: Digital +- Cost: 0 +- Link: https://training.linuxfoundation.org/training/generating-a-software-bill-of-materials-sbom-lfc192/ diff --git a/docs/bok/Training/LFC194-OSS-License-Compliance-Management.md b/docs/bok/Training/LFC194-OSS-License-Compliance-Management.md new file mode 100644 index 000000000..a5413b87c --- /dev/null +++ b/docs/bok/Training/LFC194-OSS-License-Compliance-Management.md @@ -0,0 +1,21 @@ +--- +title: Implementing Open Source License Compliance Management +tags: + - Developer (Role) + - Legal (Role) + - CIO/CTO (Role) + - OSPO (Role) +--- + +## Synopsis + +This course is intended for software developers, project managers, legal associates, and executive decision makers who already know the basics of what open source software is and how copyrights work, and are ready to take the next step towards building a formal compliance program for their organization. + +## Details + +- Publisher: Linux Foundation +- Code: LFC194 +- Length: 1 hours +- Certification: Digital +- Cost: 0 +- Link: https://training.linuxfoundation.org/training/implementing-open-source-license-compliance-management-lfc194/ diff --git a/docs/operations/compliance-checklist.md b/docs/operations/compliance-checklist.md index 3693a963e..1508a39e4 100644 --- a/docs/operations/compliance-checklist.md +++ b/docs/operations/compliance-checklist.md 
@@ -1,6 +1,6 @@ --- id: compliance-checklist -title: Checklist: establishing an open source compliance program +title: "Checklist: establishing an open source compliance program" sidebar_label: Compliance Checklist --- diff --git a/docs/osr-resources/oslc-licenses.md b/docs/osr-resources/oslc-licenses.md index 975849ccc..0cf91ed43 100644 --- a/docs/osr-resources/oslc-licenses.md +++ b/docs/osr-resources/oslc-licenses.md @@ -18,15 +18,15 @@ This is a blanket license with no conditions.
Description |
---|
This license places no conditions whatsoever on using, copyring, modifying or distributing the software for any purpose. |
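Review bot: the `.gitignore` hunk ignores `website/.docusaurus` but adds only `v2-website/node_modules/` for the new v2 site. Docusaurus v2 also writes its `.docusaurus` cache and `build/` output under the site directory, so `v2-website/.docusaurus` and `v2-website/build/` should be added alongside (or the entries switched to patterns such as `**/.docusaurus` and `**/node_modules/`), otherwise the first local build of the v2 site will dirty the tree.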
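Review bot: the tag names in `Developer-Training.md` do not match the rest of the BoK and will split the tag index: it uses `Data Leakage (Risk)` while `Data-Leakage-Risk.md`, `OSPO.md` and `Risk-Officer.md` use `Data Leakage Risk`. Pick one spelling per tag (the `X Risk` / `X (Role)` pattern used elsewhere in this change) and apply it here. The body of the page is also just `tbd`; if placeholders have to ship, say so in the text rather than leaving a bare "tbd" under a "Details of Trainings" heading.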
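Review bot: `Codebase-Risk.md` opens with the unfinished sentence `Codebase Risk is` and links to `(code-duplication)`, a page that is not part of this change; with the default `onBrokenLinks: 'throw'` that relative link will fail the Docusaurus build unless the target exists. Two wording points in the same hunk: the SolarWinds example was a compromise of the vendor's build pipeline delivering signed proprietary updates, so citing it as an existing "consumption risk" of open source mis-describes it; the argument the bullet is making (an internal fork is not a control unless it comes with verification, i.e. pinned versions, hash or signature checks and scanning) should be stated directly, with the unsourced "99% of the code" figure dropped. Also "bank" should be "organisation" for a generic BoK, and "maintainance" / "organsisation" are typos.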
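Review bot: `Data-Leakage-Risk.md` says "the benefits (outlined above)" but nothing in this new file outlines any benefits; either link to the page that does or drop the parenthetical. The GitProxy link should be `https://github.com/finos/git-proxy` rather than `http://`. The bullet "Tools like GitHub Enterprise also aim to help with Data Leakage Prevention" names no mechanism; say which capability is meant or cut it, and the final bullet should name the regulation it has in mind rather than "according to regulations".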
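Review bot: `Dependency-Risk.md` ends with a trailing `- ` line, which renders as an empty list item, and the only other content is the bullet `imported libraries.`; remove the empty bullet or fill the section before merging. The same hunk, like `Body-Of-Knowledge.md`, `Codebase-Risk.md` and `Product-Manager.md`, is missing a newline at end of file.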
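Review bot: in `Legal-Risk.md`, "consitutes" is a typo, and the Export Regulations section needs tightening: "many countries are prevented from selling into certain territories" should read that companies in many jurisdictions are prohibited from exporting to sanctioned territories, the claim about US rules on "non-standard crypto" (and that obfuscated code "might" fall under it) needs a citation to the actual regulation, and "Is open source contribution encompassed in 'selling'?" is an open question left in the page body; either answer it or mark it explicitly as an open question. There are also four consecutive blank lines after the front matter.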
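Review bot: `Staff-Risk.md` states as certainty that a hired open source contributor "will leave"; the point is conditional on the organisation blocking or burdening their contributions, and the bullet should say so ("if they cannot keep contributing, expect them to leave").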
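Review bot: `CIO-CTO.md` has `title: CTO/CIO` while the filename and the tag are `CIO/CTO (Role)`; use the same order in both so the page title and the tag label agree.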
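Review bot: `Developer.md` is the only role page without a `title:` in its front matter, so its title will be derived from the file name; add `title: Developer` for consistency with the other role pages.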
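Review bot: `Risk-Officer.md` lists only risk tags and, unlike every other role page, carries no `Risk Officer (Role)` tag; add one so the page shows up in the roles taxonomy.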
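Review bot: `Security-Expert.md` uses the front matter key `tag:` instead of `tags:`. Docusaurus only reads `tags`, so this page will be untagged and will not appear on the `Security Expert (Role)` tag page that `LFC192-SBOM.md` already references.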
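Review bot: `LFC104-Ethics.md` lists `Code: LFC105`, which contradicts the filename, the title and the link (`...-lfc104/`); it should be `LFC104`. As written it duplicates the code of the antitrust course in the next file.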
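Review bot: `LFC194-OSS-License-Compliance-Management.md` has `Length: 1 hours`; should be `1 hour`.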
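Review bot: the `oslc-licenses.md` hunk is truncated here, but the table cell visible in its context reads "copyring"; if that row is already being touched in this hunk, fix the typo to "copying" in the same change.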