Create osrb.md

[BrittanyIstenes]

Open Source Review Board - starting point.

If you have edits or want to make additions, please do so right in the doc to avoid slow downs in publishing and to avoid back and forth

[robmoffat]

pretty good, although I think there should be talk of 'use' as well as 'contribution' in this

[robmoffat]

Suggested change

Creating an Open Source Review Board (sometimes known as "Advisory Councils) for any open source contributions coming outside of a FINTECH enterprise involves establishing a structured group responsible for evaluating and guiding open source contributions made by the company's employees. This board ensures that these contributions align with the company's strategic interests, comply with legal and regulatory standards, risk and security standards as well as foster positive relationships within the open source community.

Creating an Open Source Review Board (sometimes known as "Advisory Councils") for any open source contributions coming outside of a FINTECH enterprise involves establishing a structured group responsible for evaluating and guiding open source contributions made by the company's employees. This board ensures that these contributions align with the company's strategic interests, comply with legal and regulatory standards, risk and security standards as well as foster positive relationships within the open source community.

[robmoffat]

might be best to provide a bullet-list here that people can check off. Does cover the bases though

[BrittanyIstenes]

That was listed at the bottom of the doc - we can move this section to meet it there.

[robmoffat]

Is there a difference between the OSRB and the OSPO? Seems like with this definition they overlap quite a lot.

[robmoffat]

I got this back from ChatGPT when asking what the difference was:

The Open Source Program Office (OSPO) and the Open Source Review Board (OSRB) are both crucial in managing an organization's engagement with open-source software, but they serve distinct functions and have different scopes of responsibility. Understanding the differences between them is key to appreciating how organizations can effectively leverage open-source software while mitigating risks and contributing back to the community.

Open Source Program Office (OSPO)

An OSPO is a dedicated office or team within an organization that is responsible for coordinating and facilitating the organization's open-source activities. Its responsibilities are broad and strategic, encompassing the oversight of all open-source engagements, contributions, and compliance across the entire organization. Key functions of an OSPO include:

Strategy Development: Defining the organization's open-source strategy, including how open-source can be used to achieve business goals, and setting policies for open-source contributions and usage.
Community Engagement: Building and maintaining relationships with the open-source community, including contributing to open-source projects and possibly launching open-source projects under the organization's banner.
Education and Advocacy: Promoting the use of open-source within the organization, educating employees on best practices, and advocating for open-source values.
Compliance and Governance: Ensuring that the organization complies with open-source licenses, managing intellectual property in open-source contributions, and setting up governance structures like the OSRB.
Tooling and Infrastructure: Providing tools and infrastructure to support open-source development, contribution, and compliance within the organization.

Open Source Review Board (OSRB)

The OSRB, on the other hand, is typically a component of the governance structure that an OSPO might establish. It has a more focused role, primarily concerned with reviewing and approving open-source usage and contributions to ensure compliance with policies, licenses, and security standards. Key functions of an OSRB include:

Review and Approval: Evaluating proposed use of open-source components in projects and contributions to open-source projects to ensure they meet internal policies and license obligations.
License Compliance: Ensuring that the organization's use of open-source software complies with the terms of open-source licenses, including obligations to disclose source code or attribute copyrights.
Security Review: Assessing the security implications of using or contributing to open-source software and ensuring that security policies are adhered to.
Policy Enforcement: Enforcing the organization's open-source policies at the project level and ensuring that developers and teams comply with these policies.

Key Differences

Scope and Focus: The OSPO has a broad, strategic focus, aiming to integrate open-source into the organization's overall strategy and operations. The OSRB has a more focused, operational role, concentrating on the review and approval process to ensure compliance and manage risks.
Responsibilities: While the OSPO is responsible for the overarching open-source strategy, community engagement, and policy development, the OSRB is specifically tasked with the governance and oversight of open-source usage and contributions.
Position in the Organization: An OSPO is a centralized office that oversees all open-source activities across the organization. An OSRB, however, is often a component of the governance structure established by the OSPO to handle specific tasks related to open-source compliance and security.
In summary, while the OSPO sets the direction and policies for open-source engagement at a strategic level, the OSRB focuses on the governance and compliance aspects, ensuring that the organization's open-source activities align with internal policies and external license obligations.

[BrittanyIstenes]

I work in an OSPO that runs the OSRB or the OS Community Council, or the OS Advisory Council - which vets all OS contributions leaving the company. The article was written through experiential learnings and can be modified as the group deems fit.

If we want to add in where we think the review board should live, just let me know.

[robmoffat]

In discussion in today's OSR SIG, Amoel talked about how the OSRB provides a layer of governance and arbitration over the OSPO.

His example: should the firm use OpenTOFU? It's a new open source fork of Terraform. Should they contribute? Or avoid? This is something the OSRB would be expected to arbitrate on.

[robmoffat]

Some comments today from the OSR SIG:

NJ talked about the importance of the OSRB for enabling community engagement (which you discuss in the article). The OSRB might be able to influence the incentive structure to allow for sponsorship of products, hiring, speaking, contributing, gamification of desired behaviours... all kinds of things.

KX talked about how the OSPO is often trying to find a happy medium between competing internal forces such as compliance, comms etc. An OSRB brings together these different forces in a structured way to bring clarity to what the OSPO should do.

AM gave a concrete example: Bloomberg's OSRB identified projects that needed funding and then allocated funding (perhaps staff, perhaps financial incentives) to get those OSS projects maintained.