E2E-OS-Guidance Discussions - what information should we collect, curate and share to help our community with open source

[epijim]

A place to capture ideas for the E2E-OS-Guidance kickoff. Please place any ideas you have for things the guidance could cover, or pain points, current questions, etc that exist and you think we should tackle.

Please put a single idea/pain point in each post, so that it's possible to discuss them within a thread. In terms of what this means in the UI -

1. If you want to comment on an existing post, use the reply button:
   

2. If you have a new idea/painpoint/question, use:
   

For reference, the scope is here: https://phuse-org.github.io/E2E-OS-Guidance/#project-scope

[epijim]

How to approach packages you want to use, but only have 1-2 active maintainers. Or are used by lots of people, but no active maintainers and lots of stale issues?

[epijim]

as a more general extension of this - how to you capture and track the OS Health of packages you depend on?

[rossfarrugia]

i think maintenance in general is a great topic for OSS, as it's very attractive for someone to build a shiny new package but do people knowingly understand the implications and expectations of being a maintainer over the longer term?

[mstackhouse]

As far as the scope of this group and what we've talked about so far, I'm not sure if this is in scope of the white paper itself. It's an important topic, but it opens the door to a whole slew of other conversations relevant to using OS

[epijim]

Are GPL-2 and other copy left licences that bad to use in all scenarios?

[mstackhouse]

To this point, when it comes to permissive licenses I'm interested to evaluate the differences between MIT and Apache and the pros/cons from a legal standpoint.

[rossfarrugia]

Could generalise to look across other legal considerations and how to identify the "post-competitive" space where open source is likely to be suitable, vs any potential more sensitive or competitive areas

[epijim]

When we want to share control of the main/master/production branch between 2 or more companies, what are the risks and what role do contracts have on top of something like an MIT license?

[epijim]

Does it matter where repos sit? e.g. for Github orgs there is RConsortium, pharmaverse, phuse-org, openpharma, company repos, pharmr, ropensci, orgs for a family of connected repos (e.g. tidyverse packages are in tidyverse orgs), etc

And how does it being a brand new project compare to a mature existing project being open sourced when talking about where packages can be placed on github?

[mstackhouse]

The question is great and I think that we could break it down to implications of the repository as specific points. Like git is git, but what do you need from that repository for it to be a sustainable resource in your organization.

[epijim]

There is a great diversity in how R packages are managed - from some where a loose coalition have access to the main branch / repo, with no written rules (e.g. visR), packages with only 1 person having access (e.g. many stats packages), through to packages with legal documents around how they are governed (e.g. admiral). What are these governance model types, and what are the pros and cons of each?

[rossfarrugia]

Would you also cover contribution models here? Some only allow the community to raise issues, others allow the community to get write access to fix the issues, and some may even allow power users from the community into the core team. If you do you could connect into the stuff we're looking at around helping people find and contribute to open source packages where their skills are needed

[rossfarrugia]

Recommendations on when in the development lifecycle to release OSS - with hopefully "release early or from dev start" being the consensus, so as to avoid going too far down a single company-specific route

[mstackhouse]

Earlier you release, sooner you can get feedback :)

[epijim]

From Mike and Keaven - important to define post competitive as that's an important context of why it's beneficial internally, and for the industry to collaborate.

[epijim]

how can we understand the potential commercial potential even of post-competitive projects? e.g. a post-competitive tool, that potentially could be monetised as a standalone application (and is this where permissive vs copy-left changes?)

[epijim]

What are the relevance and risks around Liability, indemnity and warranties when releasing OS code with a permissive license?

[epijim]

Can we signpost tools to help? e.g. scan licences of each package a package depends on

[mstackhouse]

I think a discussion on this is important, but focusing on the fact that dependent licenses aren't as relevant unless you actually insert and distribute that code with your package.

[epijim]

Is there a risk of fracturing packages? e.g. an MIT forked, and taken in a different way to solve the same problem. Is this an education problem? eg understand how to extend rather than diverse, use platforms like the pharmaverse to align companies, etc

[mstackhouse]

I like this topic, but it might be hard to fit concisely. I think this is actually one of the most important discussions that the industry needs to have right now, especially with pharmaverse where it is in development (and I submitted a PHUSE EU talk on this specifically). But I feel like this could have 10 pages to itself.