07 Aug 2024 - Open Source Readiness Meeting Agenda #290

robmoffat opened this issue Aug 7, 2024 · 8 comments
Labels
meeting GitHub action meeting label

Comments

@robmoffat
Member

Untracked attendees

  • Fullname, Affiliation, (optional) GitHub username
  • ...

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene & roll call (5mins)
  • Display FINOS Antitrust Policy summary slide
  • Review Meeting Notices (see above)
  • Approve past meeting minutes
  • Paid Open Source Support - when is this a good idea?
  • AOB, Q&A & Adjourn (5mins)

Decisions Made

  • Decision 1
  • Decision 2
  • ...

Action Items

  • Action 1
  • Action 2
  • ...

Zoom Details

Join by Phone

@robmoffat added the meeting label on Aug 7, 2024
@robmoffat
Member Author

Rob Moffat / FINOS 🌦️

@psmulovics
Contributor

Peter Smulovics / Morgan Stanley

@mimiflynn
Member

Mimi Flynn / Morgan Stanley

@Neetuj

Neetuj commented Aug 7, 2024

Neetu Jain / JPMC

@HelloKay27
Contributor

Kay XiongPachay / Goldman Sachs

@jaz4th

jaz4th commented Aug 7, 2024

Joseph Zang / Fannie Mae

@robmoffat
Member Author

robmoffat commented Aug 7, 2024

Paid Support Relationships

Examples:

  • Accenture at one time offered paid support for JavaScript. You could ask them for help and guidance with coding.
  • Red Hat, Canonical, SUSE, MongoDB, MySQL, Redis. (Lots of firms offered Linux distributions and support around those; they were the successful ones.)
  • Sometimes a third party.
  • Sometimes, it's the developers of the project and you are helping fund the project itself.

Reasons For Having This:

  • It's like insurance (Operational Risk)
  • It can help fund the project's development (but not always), so this helps mitigate Strategic Risk.
  • Paying for open source should help incentivise developers to fix security issues, mitigating Security Risk.
  • Wanting to contribute more to the project.
  • Advantageous to deal with companies which combine the benefits of open source and commercial products.

Considerations:

  • Contract / SLA:
    • This would need to exist between the two firms. e.g. time to fix, time to respond, on-site presence
  • ROI:
    • Moving to a new, open source alternative when migrating from a piece of commercial software
    • Can be done by comparing to the cost of a commercial alternative
    • Looking at the amount of downtime (or cost of potential downtime) and wanting to minimise this.
  • Requirement before use:
    • Sometimes, firms require that support is available before they allow its use. (Often occurs in firms with low open source maturity?)

Alternatives:

  • Funding maintainers financially.
  • Hiring the maintainers. (Legally tricky, as you want to ensure they can continue to maintain, and there might be Anti-Trust concerns around monopolising the open source project.)
  • Developing an internal expert.

Business-Source Licence

  • Not Open Source, but many open source projects are moving to this license, e.g.:
    • HashiCorp Terraform / OpenTofu
    • Elastic (as a response to AWS providing supported/managed Elasticsearch instances)
  • You now have to pay to access the source code

Other Configurations:

  • Tidelift - Aggregated across the industry. Improving security posture of open source projects, SBOMs, fixing vulnerabilities. Pays for the maintainers to do this.

Actions:

  • Ask @caradelia for the Red Hat pitch-deck: what arguments do they use to sell support contracts?

@Neetuj

Neetuj commented Aug 7, 2024

Had to jump early due to a conflict, but wanted to add this note to the discussion.
Grants/scholarships are also a financial path to give a certain F/OSS project a boost (direct or indirect support).
e.g. a corporate could give financial rewards on certain F/OSS to uncover security issues, which makes the whole project much safer if those issues are uncovered and addressed.
e.g. a company/project provides support to a hackathon or Google Summer of Code kind of program by participating in the program and providing mentors to the program.
