# Module 6: Governance

## Sources
* John Mertic. [_Open Source Projects - Beyond Code_](https://learning.oreilly.com/library/view/open-source-projects/9781837636884/). O'Reilly Media, 2023. Mertic is the current director of program management for The Linux Foundation.
* Dave Neary, Josh Berkus, Katrina Novakovic, Bryan Behrenshausen. ["Understanding open source governance models"](https://www.redhat.com/en/blog/understanding-open-source-governance-models), Red Hat Blog, 2020. The authors are from Red Hat's Open Source Program Office.
* Ross Gardler and Gabriel Hanganu. ["Governance Models"](http://oss-watch.ac.uk/resources/governancemodels). OSS Watch, 2013. Gardler is a former President of the Apache Software Foundation.

## What is open source governance?

*Governance* describes the decision-making that an open source project needs in order to function: how its policies and processes are defined. Some examples of policies are:

* **Roles and responsibilities**
  - Who gets to do what?
* **Accepting code**
  - What are the policies to ensure code stability and quality?
  - What are the policies to ensure supply-chain security?
* **Releasing code**
  - What are the criteria for a stable release?
  - What is the release cadence?
* **Getting new contributors involved**
  - Is the contributor qualified?
  - Is the contributor trusted?
* **Communication**
  - How do users report bugs and feature requests?
  - Who can speak on behalf of the project?
  - How are interpersonal disputes resolved?

There is no one-size-fits-all solution.

## Models of Governance

Models of governance differ primarily on:
* Who gets to make decisions
* How decisions get made

## Cathedral vs. Bazaar

An older model, first described in the Linux community around 1999. It describes both **governance** (who gets to make decisions) and **contribution** (who gets to add new code).

![chapel_and_bazaar](http://oss-watch.ac.uk/img/governancevcontrib.png)

* Two extremes of **governance**:
  - Benevolent Dictator: Single individual or organization makes policy decisions
  - Meritocracy: Ability to make decisions is given to significant contributors
* Two extremes of **contribution**:
  - Bazaar: Project accepts code from many external developers
  - Cathedral: Project has a group of core developers

## Five Recent Models

Many recent OSS advocates describe 5 models:

1. Do-ocracy (a.k.a. Meritocracy)
2. Founder-leader (a.k.a. Benevolent Dictator for Life, BDFL)
3. Self-appointed technical council
4. Electoral
5. Vendor-backed
6. Foundation-backed

These models are not mutually exclusive. Within one project, different policies may be decided through different models.

### 1. Do-ocracy

* The people doing the work are the ones making decisions
  - Often no formal governance, just implicit governance in the group's interactions
  - Usually still have contribution guidelines (peer review of code, etc.)

#### Example

* Apache Web Server: https://httpd.apache.org/ABOUT_APACHE.html
  
#### Pros
* Easy for small teams with few stakeholders

#### Cons
* Decision-making usually does not scale with more contributors and stakeholders
* Can be difficult for newcomers to integrate with the project

### 2. Founder-leader (BDFL)

* One person who started the project is the ultimate decision-maker
* The leader determines the project's priorities and vision, settles disputes among other
    contributors, and decides which contributions are merged

#### Examples
* Linux and Linus Torvalds
* Python and Guido van Rossum: van Rossum was BDFL early on and is still "honorary" BDFL,
  but the project now has foundation-backed governance

#### Pros
* Easy for small teams with few stakeholders
* Common for most projects to start this way
* A humble, inclusive, constructive leader can set a positive tone
    for how community can function.
  
#### Cons
* Does not scale with more contributors and stakeholders
  - Problems with patches getting dropped were a frequent complaint in Linux until
    Torvalds distributed responsibilities more ([see examples in mailing list archives](https://lwn.net/2002/0131/a/patch-penguin.php3))
* A BDFL may not be so benevolent. Contributors who have disputes with the founder have no other
  recourse, and projects can get forked.
* The founder's personal views may affect public perception of the project.

### 3. Self-appointed technical council

- A small group determines the project's priorities, decides which
  contributions will be merged, ...
- The council also decides who will be added to the council
- A midpoint between the Meritocracy and Founder-leader models
- Many names for the group: technical council, steering committee, ...

#### Examples

* The Apache Software Foundation: https://www.apache.org/foundation/governance/
  - Several councils with different roles/responsibilities, mostly business, stakeholder relations, etc.
  - Individual software projects are meritocratic
* OpenAPI: https://www.openapis.org/participate/how-to-contribute/governance
  - An open standard, not an actual piece of software
  - Several councils with different roles/responsibilities: Technical Steering Committee,
    Technical Oversight Committee, Business Governance Board
* Councils are quite common with open standards

#### Pros

* Scales better for larger projects with many stakeholders
* Decision-making is efficient

#### Cons

* Member selection process may be exclusionary
* May create self-reinforcing leadership structure
* May create disconnect between leadership and community

### 4. Electoral

### 5. Single-vendor Backed

A company may decide to open source a project for a variety of reasons:
- Releasing open source code that seems useful to the community
- Providing an early version of a product to gauge user interest and engagement
  * E.g., Kubernetes was released by Google, and user interest led to the creation of the Cloud Native Computing Foundation
- Creating a "freemium" version of a product

Community contributions are welcomed, but the vision for the project is typically controlled by one stakeholder.
- Over time, governance may shift to another model as community engagement grows

#### Examples

- Kubernetes: https://kubernetes.io/community/
- Android
- MySQL

Governance documentation for vendor-backed projects is often hard to find.

#### Pros
- Similar to Founder-Leader but with a larger amount of resources behind development
- Quality of open source code benefits from professional software engineer support

#### Cons
- Similar to Founder-Leader, a company's vision for a project may differ from that of the community
- Lack of investment from the vendor can cause the project to stagnate and lose community involvement

### 6. Foundation-backed

Open-source projects often hit a glass ceiling when they have many of the following attributes:

* It’s not clear how a project is funded or how it operates, or there is a perception that it primarily benefits a single vendor
* There isn’t a neutral owner of assets, such as the project name, logo, domain names, social accounts, and other assets
* The copyright holder of the project is a single entity, giving them unilateral control to change the license and intellectual property policies without the community’s input
* Vendors leveraging the technology don’t feel they have a space to fairly collaborate, especially if they are competitors
* The legal, fiduciary, and financial aspects of the project are managed by one organization without transparency or given processes
#### Examples

* Python Software Foundation: https://www.python.org/psf/about/
* Rust Foundation: https://foundation.rust-lang.org/about/
* PHP Foundation: https://thephp.foundation/foundation/
* Ruby Central: https://rubycentral.org/

#### Pros

* Solves the above-mentioned issues

#### Cons
* It's a lot of work to form a legal entity
  - Funding: The above-mentioned foundations are non-profit entities backed by donations and/or corporate sponsorship
  - Staffing: Usually need committed staff to operate
* Alternative: integrate your project into an existing umbrella foundation instead of forming a new entity
  - Apache Software Foundation
  - Linux Foundation


## Quiz

1. What amongst the following points is governance not trying to answer?
    1. Code security self-assessments
    2. Establishing communication channels
    3. Code release versioning protocols
    4. Programming language that will be used to maintain code

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a1 = None
### BEGIN SOLUTION
a1_sol = 'D'
### END SOLUTION
```

2. What is the "Do-ocracy" model of governance? What is a potential disadvantage?
   1. Those who are doing the majority of the work are those who are making the decisions. A disadvantage is that it is difficult to organize even amongst small groups.
   2. The person who started the project makes the final decisions. A disadvantage is that people may feel less responsible for their contributions.
   3. Those who are doing the work make the decisions since no formal governance is set in place. A disadvantage is that while this can be easily managed if the group of contributors is small, it is difficult to scale up as the contributor base grows.
   4. A small group of democratically elected contributors makes the final decisions. A disadvantage is that while this can be easily managed if the group of contributors is small, it is difficult to scale up as the contributor base grows.

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a2 = None
### BEGIN SOLUTION
a2_sol = 'C'
### END SOLUTION
```

3. Which of the following Open Source Projects started with a "Founder-leader" model of governance?
   1. Apache Web Server
   2. Kubernetes
   3. MySQL
   4. Linux

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a3 = None
### BEGIN SOLUTION
a3_sol = 'D'
### END SOLUTION
```

4. All projects created by companies are closed source in order to make a profit.

```python
# Input the answer below as a Python boolean.
a4 = None
### BEGIN SOLUTION
a4_sol = False
### END SOLUTION
```

5. Which of the following questions would an open-source project owner try to answer when they open their project up for further contribution?
   1. Setting up a CI/CD pipeline
   2. Setting up code review procedure
   3. Creating a chain of communication when issues arise.
   4. Frequency of code release.
   5. All of the above

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a5 = None
### BEGIN SOLUTION
a5_sol = 'E'
### END SOLUTION
```

6. What are the two things that the Cathedral vs. Bazaar model attempts to describe?
   1. Code security and governance
   2. Governance and contribution
   3. Contribution and coding standards
   4. Code security and coding standards

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a6 = None
### BEGIN SOLUTION
a6_sol = 'B'
### END SOLUTION
```

7. Open-source projects almost never hit a glass ceiling, because the number of people contributing to the codebase results in non-stop innovation.

```python
# Input the answer below as a Python boolean.
a7 = None
### BEGIN SOLUTION
a7_sol = False
### END SOLUTION
```

8. What may be a reason for a for-profit company to create an open-source project?
   1. They lack sufficient good coders so they open up their project for contribution to the wider community.
   2. They want to gauge user interest and engagement in the project.
   3. They are worried about their software's security and open-source projects are typically more secure due to the larger base of contributors.
   4. They don't really care about the project since it is not the money-maker of the company. 

```python
# Input the answer below as a string, such as 'A', 'B', 'C', ...
a8 = None
### BEGIN SOLUTION
a8_sol = 'B'
### END SOLUTION
```

```python
### BEGIN HASHED AUTOTEST
assert a1 == a1_sol
assert a2 == a2_sol
assert a3 == a3_sol
assert a4 == a4_sol
assert a5 == a5_sol
assert a6 == a6_sol
assert a7 == a7_sol
assert a8 == a8_sol
### END HASHED AUTOTEST
```