So hi everyone, welcome. Thanks for having me here and thanks for joining. Today I will talk about how to ensure your business viability that relies on open source by sharing some of the programs I led at VMware.

So let me take you through the agenda. Firstly, I will talk about why we ensure the long-term viability of open source projects and what we did in our OSPO's strategic project assessment. Then I will share how this assessment is different from the usual project health check, its objective, what is in scope and out of scope. We will look at four focus areas and criteria with examples of real assessment results. I'll talk about the process, how we run the whole cycle, collaborating across the teams in our organization. Finally, I will wrap up with a summary of key points and have time for Q&A.

So quick intro about me. I studied engineering at university, started my career as a Windows software developer at a global technology company in Japan. Then I worked in the US and the UK, where I led the engineering teams for Windows Embedded CE, Linux and Android based platform. After that I changed my career from telecoms to cloud, leading multiple programs including large-scale business and IT transformations, data center deployment and information security process building. Moving up to date, in the last three years I worked in the OSPO open-source community strategy team at VMware, leading alignment between the community contributions and the business strategies. Last month, on 22nd of November, VMware was acquired by Broadcom, so the company entities are now part of the Broadcom group.

So why should we ensure the project's long-term viability? When our business relies on open source, we must provide real commercial support for our customers, i.e.
an enterprise-grade software. We have a responsibility the same as for our proprietary software, because they're both part of the product. If these projects are no longer maintained, or if we don't understand the entire project, we will be unable to support our customers. Therefore we need to guarantee the quality of the open source in our products, its continuous availability in the same way as today, aligned with our portfolio. As open-source projects are maintained by the communities, and because we are a part of the ecosystem, we have to ensure they will continue to be available and successful for a long term, both for our business and for the communities.

At VMware we maintained thousands of open-source projects and contributed to thousands more, and it's nearly impossible and not cost effective to track the viability of all of them. For the projects that are critical, used in our key products and to which we actively contribute, OSPO, as the center of gravity of the company's open-source operations, should take responsibility to make sure they will continue to be viable in line with our business goals, so that we can support our customers and keep their trust. For these business-critical projects, OSPO ran the strategic project assessment. And this is in addition to the project health check that was performed by our business units actually working in the project.

So there are two main objectives of this OSPO-led assessment. The primary objective is to manage the business risk in the project. If the project is not owned by a company but by a foundation or other company, we don't have full visibility nor full project control. This means there might be an unexpected direction change, license change or a shortage of maintainers. If your organization's engagement is insufficient and relies on the contributions of others, you may end up fixing all the code defects and vulnerabilities on a project which you may not completely understand. In our OSPO's assessment, we aim to
identify and mitigate the project risks in advance, in order to avoid these disruptions that may impact our business.

The secondary objective is to grow our business opportunity. Healthy, viable projects know that market and the audiences they want to work with. They will attract more people and will help broader adoption along with healthy communities. And this will expand the addressable markets for your future business. If the project is owned by your organization, it will effectively represent your company in the ecosystem. As such, this project must be maintained to the same high-quality standard as your other products and services.

So what is the difference between the project health check and this OSPO-led project assessment? Both have the same goal. However, there are key differences. For example, who actually performs the assessment? A project health check is often performed by the internal teams who own and maintain the project within the community. If the project is owned by your organization, your OSPO may also help and support it. This health check tends to be subjective and carried out from the maintainer's or project owner's viewpoint. For example, criteria can be: how often do we release the code, or have we created all the documentation, or are we inclusive enough in our community?

Versus, the strategic project assessment is objective, performed by OSPO, who are often outside of the project or at least not involved in all of them. So they carry it out from a third person's independent viewpoint. For example, criteria can be: does that project share a clear roadmap so that we can ensure it's in line with our portfolio? Or does that project have an open discussion channel so that we will be able to influence the future release?
With the strategic project assessment, OSPO plays a role in the future release. OSPO plays a role to assess the project externally, feed back the results to the team and to the community so that we can work together towards the improvement.

So what activities are in scope? The OSPO strategic project assessment is performed based on the publicly available data in the project website or GitHub page. A good, inclusive project is open and transparent, and its data is easily discoverable and accessible by all. And it focuses on the factors that may impact the business and also the ecosystem.

Regarding out of scope: basic documentation requirements as open source are not checked, as they're usually covered by the project health check. In-depth technical analysis is also out of scope, because it will require many internal technical detail data, thus only possible by the teams who are actually working in the project.

So it is important to remember that the assessment should not create an extra burden to the teams who are actually working busy day-to-day work. We must try to avoid increasing their workload by both parties performing similar assessments. Typically OSPO doesn't have sufficient resources to perform multiple detailed analyses for all of the strategic projects. The assessment should stay simple so as to be achievable yet still useful. It should be the trigger of in-depth analysis for the teams in the business units. Our objective is to assess the project from different angles and give a heads up to the teams to perform their further analysis.

So what do we care about in this assessment?
Our priority is to assess whether the project is viable for the business and also for the entire ecosystem. And we must have a strong level of engagement in order to have an influence on the project. So checking the organization's level of engagement in the project is really important in this assessment. Having a good grip of the organization's critical projects helps you control your technology roadmap for the long term.

So we know that good open source projects understand their target audiences that they want to work with. They openly share their plans and resources, demonstrate healthy governance and the community to attract people to achieve their goals together. On that basis we have identified four key areas and respective criteria.

Project maturity: impartiality... I'm sorry, project maturity: planning transparency, activity status and documentation adequacy. For example, does your project share a clear roadmap and a plan? Does it provide a sufficient documentation set to enable you to develop and build on the project?

Project governance: impartiality. Is the governance spread across a variety of organizations to represent the ecosystem needs? Has the project defined clear roles and a decision-making process?

Project community: openness, adopters. For example, does the project have an open communication channel and hold regular meetings? Is the project adopted by many organizations in the ecosystem?

Organization's engagement. For example, does your team engage enough to understand the entire project and what's going on in the project? Does your organization hold any leadership role in order to be able to influence the project direction?
So after further breaking down each of these four areas, we have predefined a set of color-coded criteria to indicate the status, so the team can refer back after they receive the assessment results from us.

So this is a simplified example of our real assessment result for some of our strategic projects. This project was initiated and open sourced by our organization, then donated to a neutral foundation two years ago. We have many internal maintainers and contributors working in an organization with a good set of shared documentation and making active releases regularly. However, currently the project only has internal contributors and doesn't have any external contributors, therefore not getting much benefit of the community power. So our recommendation to the team is to promote the project more, to expand the project more, to explore contributors from outside of the organization, so that the project will better represent the ecosystem needs, share the workload and be more robust and adoptable.

And this is another example. This project doesn't belong to a neutral foundation and is currently owned by a single vendor, and they dominate most governance positions. The project itself is very active, with many companies contributing. However, the roadmap is only shared with limited people in the community and not publicly shared on the project website nor on the GitHub page. And the organization's participation in the project is very small, and we don't hold any leadership positions. This is a risk for business, as the project is used in many key parts of our solutions. If we don't fully understand the project architecture and we don't have clear visibility of the project direction, it is not good. So our recommendation to the team is to increase our involvement in the project, recruit external new talent if needed who already contribute into the project, in order to increase our understanding and influence in the project. This is necessary to be able to persuade the community to make
the project be more open and inclusive.

So far I've explained the why and what of the assessment. Now we will consider the how. During the assessment process we identified a number of actions and recommendations to increase the project viability. Then we hold reviews with the teams where the findings are discussed. In the company's portal, we also published assessment results with actions so the project users can see them internally. In the community, the team will implement the improvements, working with the community, with our support where needed. And every six months a follow-up meeting is held to review the progress and provide further guidance.

The OSPO's assessment result might be different from the team's view, so it's important to get their opinions as well before finalizing. Perhaps they have never considered the project viability and business viability. So it's important that an independent person from the teams performs their project assessment and provides an opportunity to improve. This regular follow-up is also beneficial for OSPO, as it helps them to build the relationship with the teams and increase OSPO's knowledge of the organization's critical projects. In addition, OSPO is able to raise an early warning for this project, if there is any risk, to our leadership team.

So when we work with the teams, we have to keep in mind that this assessment should be a conversation and not like an audit. The feedback should be provided in a positive manner and not judging their work or criticism. We are here to support and guide them, and our focus is to help them find a benefit from our assessment. Every project has different goals, scale and background. There's no one-size-fits-all and no single metric that works for all projects. So it is important for us both to understand the background of each project and focus on the right things as per their priorities.

Viable projects are transparent, active, impartial and diverse. They share the goals clearly. They are easily
accessible and discoverable by anyone in the ecosystem to attract a wider audience. In turn, this will make the project even more powerful and viable. And to enable all this, your engagement in the project community is vital.

Assessing an open source project can be challenging, as there's no single indicator that shows the entire project status. By assessing a project's viability from multiple perspectives, both internal and external to the community, the business risk can be reduced. By working together with the teams and the communities, your OSPO can ensure your business will continue to be viable, sustainable and successful.

Well, that's all from me. Thank you for listening. And now I'd like to invite questions. And I'd love to hear what your OSPO organization does to ensure the business viability with open source. Thank you.

Any questions? No questions?

Thank you. It's a great question. And yes, there are many, not many, a few projects that I put the red because of my criteria. It goes to the red category. But this is why it's important to make the assessment, share the result and discuss with the team, because the team has a very, very different opinion. So all the projects are different, different scale, and then some projects are entirely okay just having internal contributors and maintainers. Not ideal in general, if you think, because what's the point to donate your own project to the neutral foundation? You know, it's under the neutral foundation. However, you know, we're not benefiting. You know, it can be just owned by your company, but you have to think about many different angles. For example, if you just own your open source project, and then the external people feel like, oh, this is owned by the company. Okay, so maybe I don't feel like I'm participating. You know, I'd like to.
I'm interested, but I may not. So we tend to donate to the neutral foundation to get more benefit, to be open and share our technology, our capability. But some don't feel, you know, for example, this project don't have no contributions in the organization. So this is project B. So, okay, so this is not a good example. I wanted to show the one before. Yeah, this one. This one is owned by, used to be owned by the company, and now it's donated to neutral. So I don't have any red in this example, but you know, it's ideal to have more external contributors from outside. So what's the point being in the neutral foundation?

But they said, oh, it's entirely okay. It's because it's really specific for this product and we are already benefiting, having just internal, and we are happy to have... not to have outside contributions. And then, you know, organization strategy is very complicated and it's not shared. So not everything is suitable to share and having as many as possible contributors from external. Because, like the first day keynote, it's really difficult to, as a maintainer, it's really hard to correct which modification we get and then what is going to the next.

So for this specific project, I remember that I met the team and they said, oh, it's entirely okay in this way. And then I discussed, and I understand their project roadmap and their strategies, and I'm happy to leave that as is. So yeah, discussion, this is why follow-up discussion is really important. So it's not always, but I actually don't change the status color code. It's because it still should show red, and then if it's red and people look at them, oh, what's going on here? And then they will also understand, because I add the column saying this is red, however, it's okay from the organization's perspective. So yeah, with that comment, it is okay. But it is important to share all this process and discussion process with the teams and also inside of the organization. So it's a great question.
Thank you.

No, it's more like, yeah, we, for example, at VMware, we used to have 20 strategy projects because it's really, really key of our products and solutions. So we have it, and then if it shows yellow or red, it doesn't mean that our priests don't use it. This is why I'm sharing that the reason of this yellow and red is this, this, this and that. And each business unit, you know, across the different business units, they want to use the same project. That's why we are publishing this information in OSPO's portal. Then they look at them, read the reason and, if needed, reach out to the team, because I'm sharing the point of contact people of the project, you know, main lead. And then they discuss and conclude, okay, so it's okay to use.

And then there are some suggestions they really, really address to. But if your involvement in that community is not deep enough, then they can't tell the community, because you're not contributing. So what are you saying? You know, for example, I am looking at the... I can't raise the project name here, but there are some third party projects which are really dominated and owned by the company. And then, but this is not good. Why don't you suggest? But the team doesn't want to, because the team is not contributing.

This is why we have to start from small. First of all, we have to have one or two strong contributors in our team, because we are relying on that project. And then expand understanding and influence. Then they start to be able to make opinions to the community leaders and suggest, oh, why don't you have more contributors, and why don't you have more leadership roles from other organizations? Why don't you donate to the neutral foundation? But if you're not contributing, you can't do that. So I think, first of all, you have to have a strong visibility and influence in the project. That is a good start to be able to efficiently use that project in your product and services.

You're welcome. Thank you. Any other questions?
Thank you for your presentation. And the first basic question: in the GitHub, there's a private mail address and a company credit address. And so it's very difficult to just grasp which company you're building beyond the Neutral. So how do you just grasp your company's contribution, because sometimes it's a private address? Do you have to issue or annually ask the team for just the same serial address to the hospital?

Yeah, great question. Thank you. That's one of the problems I had during my assessment. Because, oh, this is a private address. And I have some ways to find out. And sometimes, using a different matrix and data, I can find out, oh, this person is actually in Google, or this person is in a company like that. So I would have a good understanding. But for most of our strategy projects, we have a very good grip, and then there are quite a few contributors and running. So actually our company shares our company account, mail account, in the project, so that we would know how many people contribute into the project. And also I have another talk talking about the strategy project table, and that one has which group in our organization is leading this project. And then if you reach out to that person, they will have a good understanding of, oh, actually maybe 30% of our company is contributing and 20% from Amazon and other companies. Okay, so I would see the good understanding. So it is not straightforward, but there are some ways. And especially for a strategy project, I had a very good understanding of the proportion of which company people are contributing.

Thank you very much. Some small tips: we also tried to just integrate the mail address to the company one.

Yes. Yeah. Our company, yeah, I think we have a role. I can't remember now. But yeah, we tend to use our company's. I think most of them, we use our company account.

Like it happened. And second question is: how much coverage for all the post-projects that the employees are involved in? Is that the post-covered cover?
Or is it covered by the activity format?

No, no, so yeah, again, I have another talk about the strategic project table creation. So what I did is, my mission when I joined VMware, my first mission was to find out what are the handful of important projects for the company. Because we contribute to so many of them, and it's really not ideal and realistic to assess all of them. So we pick up the 20, I think it's 15 to 20 normally. And we talk with the BU all the time about what really are the critical projects, our open source projects for our product. And we have a good idea, and we regularly meet with them and then shuffle around, remove some of the projects if it's not important for us anymore, or adding the new one. Then we run this assessment just for those strategic projects.

And my last question is how much, like a personal effort... You're also teaming with Hawaii for making that effort. And also what kind of tools, like a CHAOSS or just some tools that can survive?

Yeah, CHAOSS, did you say? Yeah, yeah, yeah, good question, thank you. So yeah, CHAOSS has many, many tools and metrics to measure. I had a similar question in the past talk. And yes, it is useful, super useful. And my counterpart program manager was running using the CHAOSS tool. It's because it's relevant for our internal company-owned projects. But I was mainly responsible for the projects which are under the third party, like originated by a company but donated to the neutral foundation. So it is entirely not belonging to any company, or belonging to the company, i.e. it's not owned by us. So for that project I didn't use those tools. The reason is those tools are...
I don't know all the tools the CHAOSS project owns. But I thought that... I look at them and I look at the result. And then some of them are run by our internal project health check. But for this specific assessment our objective is to see the business impact, to our business impact relying on the open source. So I on purpose am not using them, and have defined and developed our own criteria and our own assessment theory to run this. And the first goal, I shared this with my top management and also the BU leadership, where they are quite happy. So I just carried on this one. But yes, to develop that, further develop, I think it's a good idea to assess what else we can do so that we can have a more accurate assessment result. I think it's a good idea.

Yeah. Reporter, yeah, just myself. So this is a simplified version. I worked really hard to make it simple. But the real one really has more columns and more letters. And so not many people want to read it, because it's too many letters. But the project owners are happy to read and then see. I'm trying not to be too critical, but I'm just factually stating: based on this criteria, your project was assessed like this. Not personal, just the project is like this.

And I meet with the team, and the team is a little bit cautious when we meet. I organize a meeting, we meet and they're not very... I feel like some projects, and not so much, but some projects: why are you scoring a project like this? But I start, I explain the background of this assessment, what's the purpose, and this is the score I have. But what do you think?
And then they usually come back and give me such important, useful information about what's going on in the team, and I just think, oh my god, I didn't notice that. And yeah, so I change my, you know, the status won't change, but I add that comment in the result and share publicly, so that everyone in the organization can see. And if it's, you know, then before I publish it I will check with the team: can I share like this? And then they sometimes say, oh, don't share this one, and then say this instead. So yeah, I will shape it, and once we are both happy then I publish.

So it takes, you know, I run this assessment once in six months. Every six months, because it takes so long. And also they don't want to be assessed so often. And once their action is clear and what's the next step is clear, I leave them for six months. Then we meet again: hi, how are you? By the way, what's going on with this and that? And then sometimes, not sometimes, actually in the last assessment I got really, really positive feedback, saying, oh look, you know, we got a leadership role in this project. You know, we hired these new talents who know about this project. So we are much, we have much better visibility. So it is working, so I'm pleased to hear that. So yeah, I think it takes a long time. But start small, then it starts to become effective. That's what I felt.

Yeah, it's the inside course. Because usually what's for is just a general information, and it's just only one section of that. We're just using this information in a way, or the wider section of...

Exactly, exactly. Yeah, yeah. Yeah, you're welcome, thank you for asking.

No more questions? Okay, thank you very much for listening again. And yeah, enjoy the rest of the conference. Thank you.